Successful implementation of a security programme is more likely if there is some formality to the roles, responsibilities and communication involved in securing a company's information.
The most successful implementations normally involve integrating this formality with current management structures rather than trying to impose something alien that cuts across normal reporting and communication lines.
A fundamental element of this approach is the identification of external resources (people, organisations, etc.) that have specialist knowledge and skills. Information security is at times a complex discipline that requires specialists. Keeping up to date with trends, concepts, tools, standards and methods can prove invaluable, and specialist services can often do this more effectively than general management. An example of such a specialist service is the control and eradication of computer virus infections.