The answer to this question is simple, like all other corporate initiatives, it needs to be set by the management. Who decides the core value of the company, core culture of the company and /or the other strategic decisions? It is ideal to have the same person or the role to announce security has core value in the company.
Information Security and Microsoft
Let us take the case with Microsoft. Bill Gates wrote a letter to the entire organization to address the security concerns. His letter not only discusses about the importance of security as a strategic imitative, but also provides a roadmap to ensure the Microsoft products secure.
Support from executive offices will convey the message of importance for Information Security in the company. It will also convey the message that, Information Security cannot be achieved without the cooperation of everyone in the company.
Microsoft sets the slogan .Secure by Design, Secure by development and Secure by deployment.. There is one more aspect to be understood, Secure by assessing the requirement.
Not every company will have the same view about information security, but all companies will agree on a common point that information security is critical to their success in today.s business. In today.s global village companies should understand the power of information and the ways to protect the information as the core asset of the company.
It is not an easy task to protect the information and being a secure company, it will take resources by means of people, process, technology and money. Engage/develop an information security model which will ensure continual improvement, so that you can keep your protection above the industry standard. It is good to be at par with the industry benchmark, but it is better to be on the upper side of the benchmark line.