Cyber security still seen as an 'IT thing'

By Martin Czernowalow, Contributor.
Johannesburg, 30 Apr 2015
To get board-level buy-in, infosec risks have to be explained in ways that relate to business objectives, says Steve Jump, head of corporate information security governance at Telkom.

Steve Jump, head of corporate information security governance at Telkom, and a speaker at the upcoming ITWeb Security Summit 2015, highlights some of the challenges of communicating security risks to a company's board.

Jump notes one of the biggest hurdles to explaining security risks to board executives lies in the complexity of the approach. His suggestion is: "Explain information security risk in ways that relate to business objectives. Avoid hiding behind IT techno-babble, or losing the message within spreadsheets full of meaningless metrics."

Company executive committees and boards are finally getting on board with cyber security strategies, notes Jump. However, he explains this generally only happens when security specialists have made the effort to understand and communicate the real business value the strategy offers.

Despite this, Jump notes not all companies are seeing IT security strategies as integrated parts of their business strategies.

"Information security strategies certainly have business relevance, and are discussed within business risk sessions. [But] IT security strategies still get mistaken for IT problems, and usually not seen as separate risk issues."

Jump points out there are two types of traditional cyber security threats that local companies are typically exposed to, which have the largest business impact: systems configuration and patch management (leaving the business open to outages and malware disruption); and user access governance and monitoring (leaving the business open to fraud and theft).

The failure to fix the basics and an assumption that security is simply "an IT thing" are the main reasons local companies are lagging behind in the development of effective cyber security policies, says Jump.

He believes local perception of cyber threats is on par with global levels, but adds continual exposure to major cyber threat reporting causes businesses to ignore the real threats that can put their company out of business.

In his presentation at ITWeb Security Summit 2015, Jump will concentrate on the need to develop cyber threat dashboards for the board.