Why is management support essential for information security, and what does Swiss law say about management responsibility?
Without management support, there are no resources, no authority, and no priority for information security. Under Swiss law (OR Art. 754), management cannot fully delegate this responsibility.
Without management support you get:
- No resources (time and money)
- No authority (power to issue and enforce directives)
- No priority (security gets deprioritized)
Management bears the risk and decides on the resources allocated to security.
Legal basis (Swiss Code of Obligations, Art. 754 para. 2): Anyone who delegates a task to another entity is liable for the damage caused, unless they can prove they exercised due care in selection, instruction, and supervision.
Key takeaway: "Die Uberwachung der Informationssicherheit ist Chefsache!" — Information security oversight is a top management responsibility. You can delegate tasks, but you cannot delegate the accountability.