Published on the 24/08/2016 | Written by Donovan Jackson
Information security is complex and beset by FUD, but a strategic approach improves its efficacy and value…
That’s according to Colin James, Vodafone’s head of security. He’s presenting at next month’s Advance Security Summit in Wellington, and said it is necessary to bring security to the core of business strategy.
“The way businesses operate today makes information security a top risk for almost any organisation and the only way to address that is to get buy-in for security strategy at the board level. It has to be woven into everything a business does, as it is applicable for anything, be it regular day-to-day operations, the creation of new products and services, or moving into new markets,” he said.
However, few businesses have elevated security to a board level. Some evidence of this, James agreed, can be seen in the somewhat random and unpredictable ways in which compromised organisations respond. “We see a tendency to get caught flat-footed; there is an absence of coordinated response which often has the CEO in front of a media panel trying to field questions to which he doesn’t know the answers. When you see that, you know the organisation has not incorporated security into the heart of the business as a strategic issue.”
He did acknowledge, though, that when an attack happens – and given the enormous number of permutations of compromise which are possible – the situation is always difficult. “As much as you can and should plan for them, it is by nature disruptive,” said James, reiterating that the key to dealing with a breach effectively is having a well-rehearsed and flexible plan.
Putting in place a strategic focus on security, he continued, requires an ability to communicate at board level. Part of the challenge is that security is a complex subject by nature; around it roils a reputation that it is some sort of mystical dark art, while added doses of fearmongering can combine to make it all rather Stygian.
That’s no good, said James. “Security should be an enabler of business, which is quite different from the general perception that it is restrictive. It is about understanding the risks, which are very real, and mitigating them.”
When risks are identified and the necessary measures are in place to reasonably protect against them, he pointed out, business can be conducted with confidence.
He added that a strategic approach to security isn’t just something which applies to big companies like Vodafone. “Even small scale business owners should have a plan and should be thinking about security as it relates to their organisation and its ability to keep trading. You want to be aware, minimise the risk and be ready not just with a response, but also a plan for the future.”
The Advance Security Summit takes place at Te Papa, Wellington, on 17 October 2016.