Published on 30/09/2015 | Written by Donovan Jackson
Far from a limitation on business, information security should be an enabler…
General perceptions of information security are that it is a bit of a handbrake – but that’s an attitude which should change as it is in fact a business enabler. That’s the position of CIO/CISO management consultant David Kennedy, who is to facilitate a senior management round table at the Tech Leaders Security Summit scheduled for 30 November.
“Security is not about being secure, it is about knowing how insecure you are,” said Kennedy. “There are a multitude of reasons why security isn’t given the attention it deserves, from lack of senior management education on what is important, to third parties failing to provide security services as described in contracts.”
Security transcends the entire organisation from front door reception to technical response and third party interactions. While he made it clear that the ‘FUD’ approach of attempting to galvanise organisations to action isn’t one he endorses, Kennedy said the bottom line is that a poor security posture could have consequences as serious as being eradicated from business altogether. “How many signups do you reckon Ashley Madison is getting nowadays?” he quipped. “Customers are quick to turn from organisations which are frivolous with their information.”
An issue he sees as prominent is the sheer volume of security risks presented to anyone with an internet connection. “If statistical risk analysis isn’t applied, it is hard to see the wood for the trees,” Kennedy said. He advocated the application of something of a Pareto principle, with an assessment of the top three risks providing the initial insight to guide focus.
“Security is inherently process driven. By working to formalise the processes of securing the organisation, a knock on effect takes hold which makes the processes more effective which leads to a natural improvement of the security posture.”
Since ‘watertight’ security is impossible to achieve, he said any given company has to find a balance – and the location of the fulcrum differs depending on the nature of that organisation’s business. “The information security strategy informs that balance. It requires a review of the business strategy, looking at the areas of the business that require increased security focus and those that require little attention.”
Importantly, he said, security professionals must stop scaring organisations with limitations on how to do business. “Remember, risk is good; allowing the company to take risks will enable innovation and increase profit potential. Security is about visibility and clarity of those risks and the necessary controls. We need to be more transparent [as security professionals], after all, understanding your customers’ and competitors’ stance on security can drive increased revenue. Improving visibility, clarity and integrity of security controls and the compliance reporting will create a more informed culture and management team, enabling the company to do more.”
The Tech Leaders Security Summit takes place in Wellington on 30 November 2015.