December 2019 - Data Protection & Privacy

Management Responsibility for Information Security

Prof. Thomas Jaeschke from Datatree explains the importance of management awareness in increasing information security and data protection in companies.



dotmagazine: What are the most important elements for companies to consider when they develop an Information Security Strategy?

Prof. Thomas Jaeschke: Most important is a holistic view of the institution. So, I have to build a strategy for the whole company, and first thing is to have management attention. I have to build management awareness. I can’t go into a company and tell them how to build their firewalls and their antivirus software. They have to do security planning and security engineering. We have to build with them an information security management system so we have all the processes documented, and work with them on these processes.

dot: Is it necessary to have the management on board for IT security?

Jaeschke: Yes, this is the first thing. We have to talk with the management. If we go to the IT security people or any other people, they say, “Yes, I have to do my work. What is data protection? What is information security to my work? I have to do this, and this, and this. Please go away.” And then we can say, “We talked to your manager, to your CEO, and he said that’s most important for my company – these compliance things – so please help us.”

dot: What are common management mistakes when it comes to IT security, and how can they be avoided?

Jaeschke: The most common mistake is that the manager sees the responsibility for compliance, information security, and data protection in their employees’ and not in their own role. That’s the biggest problem. When they work with external partners and consultants, then they think and hope that they “do” the information security. But the manager needs the resources inside the company in money and people to make the documentation, to help the people with interviews, and so on. And that’s the most common problem in companies.

Furthermore, in times where every company is searching for optimization in digitalization, they don’t think in information security, ICT security, and data protection when they start new projects. They spend a lot of money on this project, but don’t think about the most important things: to have the trust in the products and in the projects. So they spend a lot of money that eventually is lost when they go outside with the products and then all the data is in the Internet and everywhere.

dot: What best practices should companies implement to improve information security?

Jaeschke: There are a lot of points, but the first thing is that we start with management awareness, with the CEO. Then we start to build an information security management system. We have to train all employees. Security is only as good as every employee knows it is. Another big thing is to build a non-blame culture in an institution. So people talk to the information security officer if they have the feeling something went wrong. 


Prof. Dr. Thomas Jäschke is an expert on digitalization and a serial entrepreneur with a background as a computer scientist and health informatics specialist. A professor and former dean at the largest private university in Germany, he is responsible for, among other topics, Information Management and Security, Digitalization in the Health Care Sector, and Information Technologies & E-Health. He is also the editor of the book "Datenschutz und Informationssicherheit im Gesundheitswesen, 2. Auflage" and of the magazine ExperSite on security and data protection, and has written many contributions to books, articles, and other publications. He is a sought-after speaker at conferences and information events. He has been active in the health care sector for over 25 years, with roles in care, in hospital IT, and at market-leading software vendors. He has been self-employed since 1992 and has successfully founded IT and consulting companies in the areas of medical informatics, information security, and software development.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.