Feeds

Do we get the IT security we deserve?

Balancing technology with governance

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

In recent weeks we have run a number of connected "articles" about IT security. In this, the last article in the series, we reflect on security as a whole, and reviewing some of your feedback.

We kicked off with a piece on "why IT security matters" . While we said that it would be a rare IT person who saw security as unimportant, as one reader put it, “I've never worked in any company where security was considered near the top of the list if at all.”

This is a shame, given what we said about the "threats" existing both ‘out there’ and within the corporate boundary. We don’t want to act as scaremongers, but one thing is for sure – attacks are becoming more targeted, and seeing security as someone else’s problem is ever less of a valid option.

Of course there are a range of security products which can help, but despite their continued development we have to recognise that they can’t exist in isolation. “Just like you can't pop a pill that'll make you fit and healthy, you can't plop a ‘security’ product into an environment and solve all your woes,” says Reg reader Pete.

This brings us back to the mantra of security-is-a-business-issue, which we highlight in a podcast on how to deal with the risks, here. Sometimes we feel we’re sounding like a broken record, but it is clearthat many organisations have yet to get the message.

Unfortunately, attitudes like those highlighted above can lead to security being sold more opportunistically, dealing with specific threats and solving short-term problems rather than trying to overcome the long term issues. Is it any wonder we end up with dissenting voices? As Pete continues: “Sadly the security industry is packed full of snake-oil sales people, proffering a quick solution. It's also packed with decision-makers after a quick-fix, due to the short-term planning and results based reward system of most companies.”

And there we really do have the nub of the matter. We get the security industry we deserve – and if decision makers are thinking and acting tactically, should we be surprised that the industry should respond in kind? If we really do want to get the kind of help we believe would work best – "to reduce business risks" through appropriate use of technology – we need to start asking the right questions of our suppliers.

On all sides, the consensus is that seeing IT security as a technical issue is missing the point. “Security starts with people, says reader Jake. Adds another reader, “It’s a business issue we’re dealing with, and it’s business information we’re protecting. When we talk about IT security, we should really make it clear that it’s not so much the IT we're protecting, but rather the information which is contained, processed or transferred across the systems.”

How should this be done? From your comments, the answer would seem to lie in good governance. But what does that mean, precisely? ‘Governance’ is a word that has been banded around with considerable zest in recent years. While there may be no real consensus, at its heart is the convergence of two principles – ‘doing the right thing’, aka making good (and indeed, ethical) decisions, and ‘doing things right’, i.e. running an efficient shop which delivers quality products and services.

“I have come to the conclusion that security is the result of good governance, not an end in itself,” says Steve Kay. “No-one protects a system for its own sake, but for the sake of what it allows access to.” Good call – but with security treated in isolation, it can be too easy for it to become an end rather than the means, with the inevitable consequences. “When businesses can't be bothered to govern, and allow the tools to dictate the end result, they will – quite deservedly – get poor results.”

An inevitable downside of weak governance is the need for stronger compliance – that is, if organisations can’t regulate their own behaviours, then this increases the need on the legislators and regulators to step in, which imposes yet more demands on the thinly-stretched IT department. “Any data protection security legislation is likely to cause additional damage, except to security consultants,” says Britt Johnston. “So one aim of all IT departments should be solutions which are good enough to avoid extra legislation.”

Ultimately, good governance holds the key to breaking what is a vicious circle between risk avoidance, increasing legislation and adoption of inadequate technologies, themselves used in a tactical manner. There are indeed practical steps that can be taken by organisations large and small, depending on what is their starting point – we have covered some of these in this series of articles. However such steps, if taken without the umbrella of a broader strategy, will only postpone issues rather than dealing with them head on.

If there is one thought we would like to leave you with, it is this: you are right. Security is not about the detail of encryption algorithms, or the configuration of a firewall. It absolutely is about business engagement, classification of information assets, implementing appropriate technologies, recognising the people issues and moving forward with a pragmatic, architectural approach based on appropriately set policies. Within this context, security tools can help – but let nobody expect them to achieve their goals in isolation.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.