Making IT security matter

Not just an end in itself

Tech Panel Last year, Freeform Dynamics surveyed tech professionals about their attitudes to IT security.

We found that IT security’s most important raison d'être was to assure day-to-day operations – that is, keeping the business running (Figure 1).

Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.

To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:

  • Business processes, activities and people
  • Business and technical information
  • IT applications and services

In a follow-up article we shall consider the most prevalent threats in these areas. But for now, I want to relate these areas back to the IT security priorities detailed in Figure 1. If the number one reason for security is to keep the business running, it stands to reason that any security measure must be based on a precise grasp of what this means for your own organisation. To put it directly: does IT understand what business sees as the main risks? Are IT security measures being implemented to mitigate these risks?

The questions are easy enough, but the answers are less straightforward. IT security measures are often implemented according to whether they are generally accepted as important, or indeed if they are more straightforward to justify. The downside of this approach is that the wrong risks might be mitigated.

Worse, if IT security measures get in the way of accepted business behaviour - looking up client details when out of the office, say, or browsing the Internet at will - then business people will simply ignore the protections in place.

Keeping the business running may be priority number one, but in essence the other criteria relate to the efficient conduct of business. Of course it is ‘a bad thing’ if, for example, information is leaked to third parties. But the bad-ness of the thing will ultimately be characterised by how much it costs the business to fix any problems.

Waives the rules

Here we can mention compliance, the real importance of which has been highlighted by the Credit Crunch. A compliant business is not necessarily a good business, if the rules to be kept are inadequate - ask Lehman Brothers. However non-compliance can be very expensive, just as it has proved highly lucrative for the US legal and accountancy professions.

Ultimately, IT security is about money, for both public and private organisations. As an end in itself it can be justified to a limited extent only – as anyone knows who has tried to put together a business case for a specific security product.

A more appropriate starting point is to engage with the business to understand what risks it wants to mitigate, and what the risks are currently costing the business as a whole. This may not be straightforward, but we do know that it engenders far better results than IT security acting in isolation from the business.

IT security can also engender business confidence, or indeed a lack of security can undermine confidence. From another research study we conducted last year it was clear that security fears may actually prevent organisations from moving forward, either with new working practices (for example, mobile working) or with new technologies. Confidence is one thing that we could do with hanging on to, especially in these straitened times.

Preaching over. It may be possible to sketch some principles of IT security in 700 words, but we know for a fact how tough these things are to achieve in practice. Do share any thoughts or experiences you might have. ®
