Making IT security matter
Not just an end in itself
Tech Panel Last year, Freeform Dynamics surveyed the attitudes of tech professionals into IT security.
We found that IT security’s most important raison d'etre was to assure day-to-day operations – that is, keeping the business running (Figure 1).
Many organisations do not practice entirely what they preach, however. While nearly three quarters of IT staff were reputed to take security seriously (of course there couldn’t be any bias from our IT-professional Register audience), only a quarter of respondents reported that the general workforce in their organisations do the same. This is a little alarming, even if you take into account the possibly skewed opinions of our survey respondents.
To ensure that IT security isn’t deprioritised to the point of irrelevance, it’s worth reiterating how it can play its part. The first thing to keep in mind is that IT security is as much about securing business assets and resources using IT, as it is about securing the IT itself. Three broad areas need protection:
- Business processes, activities and people
- Business and technical information
- IT applications and services
In a follow-up article we shall consider the most prevalent threats in these areas. But for now, I want to relate these areas back to the IT security priorities detailed in Figure 1. If the number one reason for security is to keep the business running, it stands to reason that any security measure must be based on a precise grasp of what this means for your own organisation. To put it directly: does IT understand what business sees as the main risks? Are IT security measures being implemented to mitigate these risks?
The questions are easy enough, but the answers are less straightforward. IT security measures are often implemented according to whether they are generally accepted as important, or indeed if they are more straightforward to justify. The downside of this approach is that the wrong risks might be mitigated.
Worse, if IT security measures get in the way of accepted business behaviour - looking up client details when out of the office, say, or browsing the Internet at will - then business people will simply ignore the protections in place.
Keeping the business running may be priority number one, but in essence the other criteria relate to the efficient conduct of business. Of course it is ‘a bad thing’ if, for example, information is leaked to third parties. But the bad-ness of the thing will ultimately be characterised by how much it costs the business to fix any problems.
Waives the rules
Here we can mention compliance, the real importance of which has been highlighted by the Credit Crunch. A compliant business is not necessarily a good business, if the rules to be kept are inadequate - ask Lehman Brothers. However non-compliance can be very expensive, just as it has proved highly lucrative for the US legal and accountancy professions.
Ultimately, IT security is about money, for both public and private organisations. As an end in itself it can be justified to a limited extent only – as anyone knows who has tried to put together a business case for a specific security product.
A more appropriate starting point is to engage with the business to understand what risks it wants to mitigate, and what the risks are currently costing the business as a whole. This may not be straightforward, but we do know that it engenders far better results than IT security acting in isolation from the business.
IT security can also engender business confidence, or indeed a lack of security can undermine confidence. From another research study we conducted last year it was clear that security fears may actually prevent organisations from moving forward, either with new working practices (for example, mobile working) or with new technologies. Confidence is one thing that we could do with hanging on to, especially in these straitened times.
Preaching over. It may be possible to sketch some principles of IT security in 700 words, but we know for a fact how tough these things are to achieve in practice. Do share any thoughts or experiences you might have. ®