It is difficult but important to convince management about overall information security risk rather than just tech
In the current scenario, any cultural change in an organisation has a strong association with technology. Of late, I find the security heads in an organisation taking up the cudgels to bring about the required security change. The IT managers, as we call them, are evangelising it to rope business groups into this framework. Security is not about putting in technology, controls and monitoring; it is about the culture of the organisation.
The alignment of business heads with the security ideas is critical in bringing about the envisaged culture change. This can be achieved by demonstrating the losses that can occur to the business due to the various gaps that can exist in processes and people, and that can cause technology implementations to fail. Breaking down a process is a good way to demonstrate the damage to the business fraternity, as this will make them understand the interplay of various factors in creating business risks, which thereby pull down the efficiency and RoI of the deployed technology.
Perception from Top
Data security is one of the focus areas of business leaders in the current scenario due to the increase in breaches and data theft. Demand for proper data protection from clients and partners, and the popularity of various data protection standards, have also contributed towards data security gaining business leaders' mindshare.
In most cases, a technology breach is a manifestation of the risk that exists in the information ecosystem, comprising people, processes and technology. The dependence on technology solutions to handle security issues is linked to the belief that technology is the normal point of failure, which is not true in most cases. It is difficult to convince the management to look at the overall risk in the information ecosystem, rather than just the technology, due to various factors like certifications, generally compliant audit reports, etc.
It is very difficult to put a figure on security, as every industry faces different levels of risk and has to be prepared to face different crisis situations, and accordingly prepare a budget to ensure the best usage of people, processes and technology for security. Many entities plan to raise their investments in security software amid rising privacy and online security concerns. In view of the recent terror attacks in cities like Delhi and Mumbai, there have been many enquiries from firms in the aviation, transport, oil and gas and power sectors for security equipment. Commercial establishments like malls, multiplexes and retail outlets, too, need more than just surveillance systems. Having said that, as per security analysts, the overall IT spend in the country on security is pegged at US $70 bn in 2011. The Barclay Simpson Information Security Report of 2011 expects consistent demand for PCI-DSS specialists.
The report says that the demand for information security products and services will increase due to the frequency and intensity of cyber attacks against enterprises, government institutions and consumers, as well as due to the need for companies to comply with industry and government mandates.
Security that Scores
Confidentiality, integrity and availability top the security agenda among businesses. To maintain all of these, an ISMS framework is essential (the kind certified under ISO 27001).
However, most business leaders don't realise that merely getting an ISO certificate is not enough, as it is not the final destination. Information security is a continuous journey.
Instead of doing classical audits that only tell you that controls are present, companies must move towards testing the effectiveness of those controls. They must check how easy or difficult it is to break the security systems. Organisations must check whether unauthorised personnel, vehicles and material can move in and out of the premises. How good is the incident detection and response mechanism? Standard audits will never give you these insights.
Monetisation and Consumerisation
In an organisational environment, it is difficult to monetise security tools, though cost sharing can be worked out. But in a service provider environment, like data centres or managed security service providers, it is possible to monetise the deployment.
Consumerisation of Information Technology (IT) is happening in organisations, with end users bringing personal devices such as smartphones and tablets into work and connecting them to the corporate network. Apart from this wave of consumerisation and hybridisation within IT, organisations are also right now facing significant waves of regulatory compliance demands and security concerns. To address auditors' needs and make sure proprietary information is not being stolen by insiders or outsiders, IT must have end-to-end visibility and control over users, applications, servers and devices, to ensure that the business is protected while being agile enough to respond to quickly changing business conditions.
Trends to Evangelise
Another recent trend observed in businesses is the use of cloud computing and outsourcing. Through cloud computing, an organisation's data and applications are stored and served from a remote location, typically over the internet. It is also known as software as a service (SaaS).
However, attackers have begun to target the server farms of cloud providers too. Also, issues of the privacy and confidentiality of data, sharing data with government, and differing laws on the treatment of data make this a potentially hazardous undertaking for businesses.
With new security players setting up shop, there is an oversupply of security expertise, which is a welcome situation for the consumer, as there is a wider choice. This is driving down the rate for security services, further creating a situation where certain services have become commoditised, with a dip in the quality of service.
Dinesh Pillai is CEO of Mahindra Special Services Group.