At the airport, the supermarket, the bank, the hospital, the post office—you leave behind your personal information almost everywhere you go. The release of personal data gives you exclusive access and establishes your unique identity. As a consumer, you are more than aware of the looming risk that data leaks pose. But what about as an organization? What effect does the careless handle of information pose for your organization? Information security has long been considered the jurisdiction of IT, in large part because computers process and store the sensitive data. This is called technical security and comprises a part of information security. But the misconception that information security solely belongs to the IT department prevents the necessary steps from being taken to minimize the risk involved in another critical aspect of information security—namely, managerial security. Information security can be categorized under the larger whole of risk management. As ENISA, the European Network and Information Security Agency states, risk management in general is a process aimed at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses. This definition is important to grasp: for your company, data is not solely something to be anxious about or to protect, but it is mostly something that you can use to enhance your business. Nevertheless, protecting sensitive data is tremendously important. Of the two types of protection--technical and managerial—the former is concerned with protecting the systems that use and process your data. This security is mainly ensured through firewalls, authentication methods and so forth. The latter, managerial security, is concerned with everything that happens with your data independent of the IT landscape. Managerial security is set in place to protect your organization and its employees from the risks that arise from handling sensitive data. This threat should not be overlooked; in fact, ENISA recommends a 1:3 ratio for information security administrators. For every hour spent on technical security, three hours should be spent performing security reviews, developing policies and procedures for handling information, as well as creating contingency plans for potential data losses. Additionally, just as technical security requires continual updates, so do the policies and procedures involved in managerial security. Information security can never be a one-time project, but is a continuous process due to the ever changing nature of data and data management. In order to weave information security into the fabric of your organization, both technical and managerial security are best approached simultaneously. Interested to learn more about how Mavim can help?