“IT takes care of security.”
One of the most common and dangerous misconceptions in companies.

Information security is not an isolated IT project.
It is a company-wide management issue.

So who is actually responsible?
Information security protects the confidentiality, integrity, and availability of information throughout the business, not just in IT.

While IT orchestrates data processing, the responsibility for the data lies with the specialist departments:

  • Only they know which information is really worth protecting.
  • Only they can judge what appropriate handling looks like.
  • And only they can say who should have access, and who should not.

Consequently, the business is an integral part of any information security strategy.
And that is precisely why information security needs leadership.

An effective security strategy requires:

  • Top management responsibility
  • Clear roles and responsibilities
  • Continuous processes (risk analyses, audits, key performance indicators)

An ISMS in accordance with ISO 27001 combines security objectives with business strategy and makes risks transparent and manageable – an absolute prerequisite for NIS-2 as well. Technology is important here, but it is only one part of the picture.

The uncomfortable truth:
Most security incidents are not caused by technical failures.
They are caused by misconduct, uncertainty, or wrong decisions in day-to-day work.

That is why:

  • Awareness & training
  • An open incident culture
  • Leadership by example

are crucial factors for success.

Those who demand security must lead by example. Otherwise, it remains a paper tiger.

No project. No end date.
Information security is not a project with a go-live date.
It is an ongoing management process. Regular reviews, adjustments, and audits ensure effectiveness — classically in the PDCA cycle (Plan-Do-Check-Act).

And now my question to you:
Who decides how sensitive data is handled in your company — IT or specialist departments?
