The challenge of planning for, managing and assuring information security has never been greater. The proliferation of new technologies and IT services required to address and support new business challenges places more focus on the delivery of security that supports business enablement. Ubiquitous high-speed public networks; wireless networks at every location; smartphones with more computing power than a desktop PC of five years ago; staff encouraged to use their own private devices; greater demand for sharing data and collaboration; and cloud applications potentially running in massive overseas data centres all present challenges.
End users do not wish to be over-burdened with security, so the IT function must come up with solutions that are easy to implement and observe without affecting a user’s productivity.
Security technology solutions and tools are only a part of the approach to protecting information assets: they need to be deployed in the right way and in the context of a clearly defined security operating model.
Some key considerations when securing a business are highlighted below.
What is the most valuable asset in the business that needs protection? For most organisations, this will be the information that the business uses to operate, rather than the systems in which the business’s data resides. Ensuring the confidentiality, integrity and availability of that data should underpin all security activities.
Who is responsible for data security? The primary responsibility should not lie with the IT service function. IT staff will have conflicting demands placed on them by business users – their customers in effect – who find security requirements inconvenient and constraining, and IT performance measures do not usually include security activity. Instead, security strategy, policy and review should be independent of the IT function and should be driven by the business itself.
What is the definition of a secured business? A lack of identified security breaches is not, in itself, a measure of strong security: the reporting could be flawed, the process could be missing particular breaches, or the organisation may simply not have been attacked for a period of time. Only an independent audit of the processes and external testing of solutions and procedures (including business continuity plans) can assess whether security standards are truly being maintained.
How regularly is security updated? Many organisations have cycles of security improvement, particularly after experiencing an incident resulting in a loss of service or data. However, security should really be at the heart of all business changes taking place within an organisation, and as such it should not be a separate activity in the development chain, but an innate part of any business development process. This means that security should be subject to ongoing change management and improvement.
The adoption of a complete business-wide security strategy is the best way to build information security into the heart of operations and truly secure the organisation. Mason Advisory has consultant specialists and associate partnerships that can deliver high-quality, certified and experienced information security support to our clients.