Making IT security matter

Not just an end in itself

Tech Panel Last year, Freeform Dynamics surveyed tech professionals' attitudes to IT security.

We found that IT security’s most important raison d'etre was to assure day-to-day operations – that is, keeping the business running (Figure 1).

Many organisations do not, however, entirely practise what they preach. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even allowing for the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

In a follow-up article we shall consider the most prevalent threats in these areas. But for now, I want to relate these areas back to the IT security priorities detailed in Figure 1. If the number one reason for security is to keep the business running, it stands to reason that any security measure must be based on a precise grasp of what this means for your own organisation. To put it directly: does IT understand what business sees as the main risks? Are IT security measures being implemented to mitigate these risks?

The questions are easy enough, but the answers are less straightforward. IT security measures are often implemented because they are generally accepted as important, or simply because they are easier to justify than others. The downside of this approach is that the wrong risks get mitigated while the ones the business actually cares about are left open.

Worse, if IT security measures get in the way of accepted business behaviour - looking up client details when out of the office, say, or browsing the Internet at will - then business people will simply ignore the protections in place.

Keeping the business running may be priority number one, but in essence the other criteria relate to the efficient conduct of business. Of course it is ‘a bad thing’ if, for example, information is leaked to third parties. But how bad a thing it is will ultimately be characterised by how much it costs the business to fix the resulting problems.

Waives the rules

Here we can mention compliance, the real importance of which has been highlighted by the Credit Crunch. A compliant business is not necessarily a good business, if the rules to be kept are inadequate - ask Lehman Brothers. However non-compliance can be very expensive, just as it has proved highly lucrative for the US legal and accountancy professions.

Ultimately, IT security is about money, for both public and private organisations. As an end in itself it can be justified to a limited extent only – as anyone knows who has tried to put together a business case for a specific security product.

A more appropriate starting point is to engage with the business to understand what risks it wants to mitigate, and what the risks are currently costing the business as a whole. This may not be straightforward, but we do know that it engenders far better results than IT security acting in isolation from the business.

IT security can also engender business confidence, or indeed a lack of security can undermine confidence. From another research study we conducted last year it was clear that security fears may actually prevent organisations from moving forward, either with new working practices (for example, mobile working) or with new technologies. Confidence is one thing that we could do with hanging on to, especially in these straitened times.

Preaching over. It may be possible to sketch some principles of IT security in 700 words, but we know for a fact how tough these things are to achieve in practice. Do share any thoughts or experiences you might have. ®
