Do we get the IT security we deserve?

Balancing technology with governance

In recent weeks we have run a number of connected articles about IT security. In this, the last article in the series, we reflect on security as a whole and review some of your feedback.

We kicked off with a piece on "why IT security matters". While we said that it would be a rare IT person who saw security as unimportant, as one reader put it, “I've never worked in any company where security was considered near the top of the list if at all.”

This is a shame, given what we said about the "threats" existing both ‘out there’ and within the corporate boundary. We don’t want to act as scaremongers, but one thing is for sure – attacks are becoming more targeted, and seeing security as someone else’s problem is ever less of a valid option.

Of course there are a range of security products which can help, but despite their continued development we have to recognise that they can’t exist in isolation. “Just like you can't pop a pill that'll make you fit and healthy, you can't plop a ‘security’ product into an environment and solve all your woes,” says Reg reader Pete.

This brings us back to the mantra of security-is-a-business-issue, which we highlight in a podcast on how to deal with the risks. Sometimes we feel we’re sounding like a broken record, but it is clear that many organisations have yet to get the message.

Unfortunately, attitudes like those highlighted above can lead to security being sold more opportunistically, dealing with specific threats and solving short-term problems rather than trying to overcome the long term issues. Is it any wonder we end up with dissenting voices? As Pete continues: “Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward system of most companies.”

And there we really do have the nub of the matter. We get the security industry we deserve – and if decision makers are thinking and acting tactically, should we be surprised that the industry should respond in kind? If we really do want to get the kind of help we believe would work best – "to reduce business risks" through appropriate use of technology – we need to start asking the right questions of our suppliers.

On all sides, the consensus is that seeing IT security as a technical issue is missing the point. “Security starts with people,” says reader Jake. Adds another reader, “It’s a business issue we’re dealing with, and it’s business information we’re protecting. When we talk about IT security, we should really make it clear that it’s not so much the IT we're protecting, but rather the information which is contained, processed or transferred across the systems.”

How should this be done? From your comments, the answer would seem to lie in good governance. But what does that mean, precisely? ‘Governance’ is a word that has been bandied about with considerable zest in recent years. While there may be no real consensus, at its heart is the convergence of two principles: ‘doing the right thing’, aka making good (and indeed, ethical) decisions, and ‘doing things right’, i.e. running an efficient shop which delivers quality products and services.

“I have come to the conclusion that security is the result of good governance, not an end in itself,” says Steve Kay. “No-one protects a system for its own sake, but for the sake of what it allows access to.” Good call – but with security treated in isolation, it can be too easy for it to become an end rather than the means, with the inevitable consequences. “When businesses can't be bothered to govern, and allow the tools to dictate the end result, they will – quite deservedly – get poor results.”

An inevitable downside of weak governance is the need for stronger compliance: if organisations can’t regulate their own behaviour, legislators and regulators are more likely to step in, which imposes yet more demands on the thinly-stretched IT department. “Any data protection security legislation is likely to cause additional damage, except to security consultants,” says Britt Johnston. “So one aim of all IT departments should be solutions which are good enough to avoid extra legislation.”

Ultimately, good governance holds the key to breaking what is a vicious circle between risk avoidance, increasing legislation and the adoption of inadequate technologies, themselves used in a tactical manner. There are indeed practical steps that can be taken by organisations large and small, depending on their starting point; we have covered some of these in this series of articles. However, such steps, if taken without the umbrella of a broader strategy, will only postpone issues rather than dealing with them head on.

If there is one thought we would like to leave you with, it is this: you are right. Security is not about the detail of encryption algorithms, or the configuration of a firewall. It absolutely is about business engagement, classification of information assets, implementing appropriate technologies, recognising the people issues and moving forward with a pragmatic, architectural approach based on appropriately set policies. Within this context, security tools can help – but let nobody expect them to achieve their goals in isolation.