
Free up resources with better structure in information security


The demands on information security are increasing. At the same time, many organisations feel that resources are not sufficient. According to Christopher Läns at Stratsys, the biggest challenge is not resources as such, but how the work is organised. With the right structure, it is possible to get greater impact from the work that is already being done.

New regulatory frameworks, more advanced threats and a growing dependence on external suppliers are increasing the pressure on many organisations. At the same time, there is often a lack of time, expertise and capacity to meet all the new requirements and expectations. There is a recurring sense that resources are not enough.

The demands are increasing not only in scale, but also in complexity. At the same time, governance and ways of working are not evolving at the same pace. It is this imbalance that characterises many organisations today.

According to Christopher Läns, who works with GRC and information security matters at Stratsys, the challenge is not primarily about resources, but about how the work is organised.

“It is very common to describe this as a resource problem. But when you start looking at how the work is actually carried out, it is often about something else. Much of the work may be fragmented, manual, and lacking a well-developed structure or clear ownership,” says Christopher.


Christopher Läns, GRC Expert at Stratsys

A continuous approach

Developments in information security mean that expectations are rising, which brings the question of organisation into sharper focus. Occasional one-off efforts and the collection of supporting material ahead of annual audits are no longer enough.

At the same time, many organisations are still built around ways of working based on a different logic. The work is carried out in project form, with follow-up taking place at specific points in time and responsibility often being unclear or divided between several functions. In that situation, it is far from certain that the solution is simply to increase resources. Instead, it is increasingly a matter of continuity, where follow-up, control and risk management take place on an ongoing basis as part of day-to-day operations.

According to Christopher, this is a central challenge:

“Requirements change without ways of working keeping pace. This creates a situation in which organisations try to meet new demands with old structures. The result is unnecessary friction and a constant backlog in the work, where the pace exceeds the organisation’s ability to deal with requirements effectively,” says Christopher.

“Capacity is tied up in administration”

When pressure increases, this often means in practice that the overall administrative burden grows. However, this does not mean that the actual volume of work linked to the risks increases. In many organisations, the bottleneck is that the same information is handled in several stages and across several different systems. Follow-up takes place in parallel, across different functions. For the business, this means repeated requests to provide input.

According to Christopher, this also means that resources are being spent on the wrong things.

“Far too much of the work is not about managing risks, but about administration. Information is collected, compiled and quality-assured, often several times over. Much of the organisation’s capacity is tied up in tasks that could instead be devoted to analysis and decision-making. The result is a sense that there is simply not enough time,” says Christopher.

The cost of fragmentation

In recent years, more and more organisations have invested in system support for information security, risk and compliance. That is positive in itself, but good tools alone are not enough. When the same data is stored in different places, information is spread across several systems and follow-up takes place in separate flows, it becomes difficult to create a coherent picture of the situation. The work itself also needs to be structured in order to reduce the risk of fragmentation.

“It is not uncommon for the same control to be followed up in several systems, by different functions, at different times. This creates both duplication and uncertainty about what actually applies. Ultimately, all of this affects decision-making,” says Christopher.

The consequence is that the organisation spends more time on administration than on the substance of the work itself.

Capacity versus organisation

To understand the problem, it is helpful to distinguish between capacity and organisation. Capacity is about the amount of resources available, such as the number of people or the tools in place. Organisation is about how those resources are used and how the work fits together in practice.

Increasing capacity is a reflex that many organisations fall back on. Resources are added, tools are introduced and initiatives are launched. But if the work is fragmented, it makes little difference. The gap in the structure is what causes the problem.

“Organisations try to solve the problem by adding more. But if the structure does not work, complexity simply increases. Every new resource or solution risks creating further needs,” says Christopher.

When the structure is coherent, however, the work changes fundamentally. The focus shifts from administration and coordination to analysis and decision-making.

Leverage for efficiency

The solution to reducing the administrative burden is to create better conditions for the work. And there are some common features among organisations that have come further in their work.

“These organisations have a clear structure in which risks, controls and responsibilities are connected. This allows them to avoid much of the manual work and develop consistently over time,” says Christopher.

When everything is connected, the need for coordination and duplicated effort is reduced, while the quality of follow-up improves.

Governance in practice

As demands increase, the administrative burden risks growing at the same pace. Instead of simply adding more resources, organisations need to change how the work is carried out. Information security needs to become part of ongoing governance to a greater extent, rather than something handled separately. The work needs to be continuous, integrated and data-driven. Only then does the impact become clear:

“When the structure is in place, many other things change at the same time. You move from chasing information to actually being able to use it. That creates entirely different conditions for making well-founded decisions,” says Christopher.

Clear evidence of change

So what actually changes when the structure is in place? A large part of it concerns what the organisation is able to do with its work:

  • Overview. A consolidated and reliable picture of the risk situation, without manual compilation.
  • Business alignment. An understanding of how risks affect objectives, priorities and investments.
  • Accountability. Ensuring that responsibilities and activities are connected across the organisation.
  • Follow-up. Enabling ongoing monitoring of actions.
  • Decision support. Decisions based on current and comparable information.

Thanks to these capabilities, information security can become a fully integrated part of governance.

Structure is the key

There is no lack of awareness of how important information security is. Ambition is rarely the problem, nor is the willingness to work more systematically. In many cases, both competence and commitment are already there. The challenge is rather to make the work fit together.

“The next step is not about doing more, but about creating better structure in what is already being done. That is the best way to free up time and generate impact in the work,” says Christopher.

In practice, this is about simplifying the structure. Only when the work fits together can capacity be fully utilised. That is when governance is turned into action.