On the integration of IRM into regular business management just the way HR is (was?).
[Some future blog post will be about the Three Lines of (NO!) Defense. Now, on to something a bit more practical.]
It struck me that information security, lately expanded into information risk management as a (peer) part of operational risk management, itself part of enterprise risk management (sometimes fuzzied into ‘COSO ERM’ babble), still struggles to be understood as anything other than a separate function that can operate apart from the rest of the business (‘their infosec corner to take care of their things’), rather than as an integral part of everyday management (and operations), just like e.g. HR.
Yes, HR is also still a separate function – for the parts that can be handled separately from business as usual in other departments. Payrolls can be processed (almost) without knowledge of any primary business processes, or secondary processes for that matter. Apart of course from joiners/leavers, etc., but that’s detail.
But HR is also very much integrated, the way it has always been. Optimising (sic; not maximising) the performance of the resources that are human (are they; are they considered such ..?) has, since the inception of the idea of organisations, always been with management. Through target setting, through performance evaluations, through facilitative management. Not through micromanagement, as you rightfully point out; that has no place in any organisation.
All the core, direct HR tasks that are performed are performed directly by (‘line’) managers. The less separately recognised as such, the better. Just manage!
How come, then, that IRM doesn’t take the same approach ..? The major part of simple information risk management (as is the major part of all risk management!) can and should be performed by those actually dealing with the information: employees and their management. How is it that managers generally understand that part (*) of their role consists of various HR chores, but information asset protection (and information asset performance optimisation ..!) doesn’t, yet?
(*) Depending on how your organization works; when dealing with knowledge workers, the facilitative part of HR may form the core of managerial work altogether.
Yes, well, indeed managers may on average be insufficiently educated to be able to deal with information risk management within their normal duties. But ‘we’ should solve that. And almost no manager whatsoever was trained to be a manager in the first place! No, certainly not the business school types either. They learn a few bits and pieces of administration, which is something very different. The military (cadres), they learn something (little, simple things, but apparently sufficient to work with many subordinates in life-threatening situations – don’t insult them by assuming your organisation can even compare to that kind of managerial challenge). But in general: No. That’s why military cadres find it difficult to settle back into management positions in civilian society: the level of incompetence (they have to work with) is staggering.
And then, our common managers may not have been provided with the appropriate methodologies and tools to do so. But ‘we’ should provide those. Work In Progress, but the distance to cover is enormous.
And here’s a picture for your delight: [image] Madrid, perspectives: where you stand, what you look at.
So, through education and the provision of methodologies and tools, we can indeed bring information risk management back into the main line of management.
But there is so much work to be done! And rest assured that for decades to come, IRM will keep its place as a (staff) department. HR hasn’t gone away quite yet, has it ..?