Making IT security matter

Not just an end in itself

Tech Panel Last year, Freeform Dynamics surveyed the attitudes of tech professionals towards IT security.

We found that IT security’s most important raison d'être was to assure day-to-day operations – that is, keeping the business running (Figure 1).

Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

In a follow-up article we shall consider the most prevalent threats in these areas. But for now, I want to relate these areas back to the IT security priorities detailed in Figure 1. If the number one reason for security is to keep the business running, it stands to reason that any security measure must be based on a precise grasp of what this means for your own organisation. To put it directly: does IT understand what business sees as the main risks? Are IT security measures being implemented to mitigate these risks?

The questions are easy enough, but the answers are less straightforward. IT security measures are often implemented according to whether they are generally accepted as important, or indeed if they are more straightforward to justify. The downside of this approach is that the wrong risks might be mitigated.

Worse, if IT security measures get in the way of accepted business behaviour - looking up client details when out of the office, say, or browsing the Internet at will - then business people will simply ignore the protections in place.

Keeping the business running may be priority number one, but in essence the other criteria relate to the efficient conduct of business. Of course it is ‘a bad thing’ if, for example, information is leaked to third parties. But the badness of the thing will ultimately be characterised by how much it costs the business to fix any problems.

Waives the rules

Here we can mention compliance, the real importance of which has been highlighted by the Credit Crunch. A compliant business is not necessarily a good business if the rules to be kept are inadequate – ask Lehman Brothers. However, non-compliance can be very expensive, just as it has proved highly lucrative for the US legal and accountancy professions.

Ultimately, IT security is about money, for both public and private organisations. As an end in itself it can be justified to a limited extent only – as anyone knows who has tried to put together a business case for a specific security product.

A more appropriate starting point is to engage with the business to understand what risks it wants to mitigate, and what the risks are currently costing the business as a whole. This may not be straightforward, but we do know that it engenders far better results than IT security acting in isolation from the business.

IT security can also engender business confidence, or indeed a lack of security can undermine confidence. From another research study we conducted last year it was clear that security fears may actually prevent organisations from moving forward, either with new working practices (for example, mobile working) or with new technologies. Confidence is one thing that we could do with hanging on to, especially in these straitened times.

Preaching over. It may be possible to sketch some principles of IT security in 700 words, but we know for a fact how tough these things are to achieve in practice. Do share any thoughts or experiences you might have. ®
