Feeds

Making IT security matter

Not just an end in itself

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Tech Panel Last year, Freeform Dynamics surveyed the attitudes of tech professionals into IT security.

We found that IT security’s most important raison d'etre was to assure day-to-day operations – that is, keeping the business running (Figure 1).

Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

In a follow-up article we shall consider the most prevalent threats in these areas. But for now, I want to relate these areas back to the IT security priorities detailed in Figure 1. If the number one reason for security is to keep the business running, it stands to reason that any security measure must be based on a precise grasp of what this means for your own organisation. To put it directly: does IT understand what business sees as the main risks? Are IT security measures being implemented to mitigate these risks?

The questions are easy enough, but the answers are less straightforward. IT security measures are often implemented according to whether they are generally accepted as important, or indeed if they are more straightforward to justify. The downside of this approach is that the wrong risks might be mitigated.

Worse, if IT security measures get in the way of accepted business behaviour - looking up client details when out of the office, say, or browsing the Internet at will - then business people will simply ignore the protections in place.

Keeping the business running may be priority number one, but in essence the other criteria relate to the efficient conduct of business. Of course it is ‘a bad thing’ if, for example, information is leaked to third parties. But the bad-ness of the thing will ultimately be characterised by how much it costs the business to fix any problems.

Waives the rules

Here we can mention compliance, the real importance of which has been highlighted by the Credit Crunch. A compliant business is not necessarily a good business, if the rules to be kept are inadequate - ask Lehman Brothers. However non-compliance can be very expensive, just as it has proved highly lucrative for the US legal and accountancy professions.

Ultimately, IT security is about money, for both public and private organisations. As an end in itself it can be justified to a limited extent only – as anyone knows who has tried to put together a business case for a specific security product.

A more appropriate starting point is to engage with the business to understand what risks it wants to mitigate, and what the risks are currently costing the business as a whole. This may not be straightforward, but we do know that it engenders far better results than IT security acting in isolation from the business.

IT security can also engender business confidence, or indeed a lack of security can undermine confidence. From another research study we conducted last year it was clear that security fears may actually prevent organisations from moving forward, either with new working practices (for example, mobile working) or with new technologies. Confidence is one thing that we could do with hanging on to, especially in these straitened times.

Preaching over. It may be possible to sketch some principles of IT security in 700 words, but we know for a fact how tough these things are to achieve in practice. Do share any thoughts or experiences you might have. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.