How to close the information security gap at your company

Computerworld - Few organizations today claim to have a completely impregnable information security program. More commonly, companies of all sizes and in all industries face the ongoing challenge of ensuring the availability, integrity and confidentiality of business information.
But with threats to information assets increasing in complexity, frequency and speed, it's a struggle to make information security more than simply a reactive response to a pressing problem.
As a result, a growing number of organizations are taking a more proactive approach to information security by taking a hard look at where they are versus where they need to be in order to ensure business continuity and success. By identifying this information security gap, corporations make a quantum leap toward creating and implementing the formidable architecture necessary to protect their critical assets.
Business requirements
To be effective, an information security program must address people, processes and technology. Consequently, these same elements must also be considered as an organization outlines its information security gap.
To determine this gap, the organization must first identify key business objectives and then outline the information security requirements needed to meet those objectives. These high-level objectives and requirements will serve as boundaries for the corporate information security program. The resulting analysis identifies the company's long-range strategic goals, as well as major initiatives planned over the coming year, expected changes in the business environment, high-priority security issues, and other strategic and tactical issues.
Breaking it down
Using the business requirements analysis as a foundation, the organization then compares its current security architecture with its goals for a future information security program. This may appear to be an exhaustive and time-consuming process. However, by breaking down the evaluation of people, processes and technology into three key areas -- strategy, components and administration -- this process can be greatly facilitated.
With this method, an organization would analyze the strategy, components and administration of the people element of its information security program and then repeat the process to come up with the goals for a future program. To understand their current and future status regarding the process element of their information security program, corporate officials would look at the strategy, components and administration of that element, and so forth.
These evaluations can be made even easier by using a simple scoring method for grading these key areas. For example, a score of zero in an area might indicate a complete lack of implementation, with a 1 signifying partial implementation and 2 representing full implementation.
But for many organizations, this is where the picture