ICT security must align to an organisation's strategic business objectives. All security projects must align with corporate strategy in order to be effective; those that don't will not help to drive the business forward.
This was the overwhelming conclusion drawn at the ITWeb Security Forum, held in conjunction with Performanta, at the Hyatt Regency, in Rosebank, yesterday.
The speakers, Performanta CEO Guy Golan, Tsogo Sun revenue director Sandi Macfie; and Vodacom SA CTSO Vernon Fryer, held an interactive discussion, allowing attendees to vote on the biggest security issues they face.
It emerged that information security is vital to operational performance, brand protection and shareholder value. An organisation cannot be effectively managed without security, and as the breadth and complexity of today's technology increases, so does the role of security. “We need to stop thinking of it as information security alone, but as technology security, too,” said Fryer.
Security is also key to maintaining a competitive edge. It is no longer about asset protection alone; it also enables the secure exchange of sensitive data - within an organisation and with its partners and customers.
In a series of questions, the audience was invited to vote on key issues affecting businesses and IT security professionals.
Q: Does your business understand the significance of information security?
Yes, my business understands and acts on it accordingly - 31%
Yes, my business understands but doesn't do anything about it (no appetite) - 28%
No, my business will never get it - 4%
No, my business wants to understand but doesn't seem to get it - 37%.
The speakers agreed that security is essential for compliance. Today's heightened regulatory pressure to maintain better control over information means information security must be incorporated at the infancy of compliance planning and business strategy. “Security should be a business tool.”
Q: Is your company proactive in its security approach?
Yes, it is. Period! - 43%
I am. Not my company - 35%
Dream on, baby! - 22%.
When you have the ability to measure the goodness of your security, then you know you understand the maturity of security within your organisation, says Golan.
However, Golan says there have been scenarios where companies will use his expertise, and then purchase the recommended solutions elsewhere. “I'm no longer willing to give and get nothing in return.”
Trust plays a huge role, says Macfie. “Have people around you that you trust, that have the experience, and respect their judgement. The person who signs the contract isn't necessarily the same person who makes the decision. Find out who the recommender is.”
Fryer shares his strategies with all his partners. “If partners can supply a service that fits into this strategy, they will be part of the strategy going forward. They must understand what you want.”
Macfie agrees: “Please be innovative, understand where an organisation is at. Listen to their procurement strategy, too.”
Q: Who has more buy-in to security projects in your company?
ISO/CISO - 36%
Risk manager - 24%
CIO - 24%
Board/exco - 6%
Others - 9%
None - 1%.
Fryer says, when it comes to protecting information, the Protection of Personal Information (POPI) Bill will be taking centre stage, and means risk managers should really have the buy-in, as they would best understand compliance issues. The aim of POPI is to regulate the privacy of client data.
One of the core principles of POPI requires that all personal information be kept secure, and Fryer says a challenge is getting to the point where people and organisations understand the full implications of the Act. Senior managers are becoming more tech-wise and are understanding the responsibility towards the board, as well as risk and compliance, including King and POPI.
Fryer says: “When it comes to protecting information, we need to bear in mind that strategic databases don't only contain strategic information. For example, the banking sector houses all our information. What would happen if a bank lost the strategic database of all its customers? It would definitely impact the economic flow of SA.”
Q: Are you able to stand up right now and say what your company's vision, priorities, challenges and expansion plans are?
Easily! I'm part of the business - 20%
Sure. We get communication from management - 52%
Heck no. I'm too busy with my work - 24%
Who cares?! - 4%.
Macfie says understanding this vision is the most important information any employee needs. “Make yourself relevant. You don't have to have all the answers, ask questions. Understand what a breach would mean to your organisation, and similar. Management should give staff the opportunity to ask questions.”
Q: Is security driven because of audit/risk?
Always - 44%
This is a minimum requirement - 51%
Never - 5%.
All presenters agreed that this was a great outcome from the audience, and illustrated that risk is a major driver for security.
International organisations don't want to engage with companies that can't demonstrate how they manage risk within their organisations, including their third-party partners.
Macfie says the ability to be ahead of the pack is all about innovation and change, but you cannot have either without risk. “For example, we developed a check-in app. Is there security needed around that? Of course. And security should be in those discussions, but security is not always top of mind.”
Golan agrees, and says, too often, security comes months after business innovation. “Let's try to close that gap; make it a question of days instead of months.”
“Desensitise the word 'risk',” says Macfie. “Companies should hold audits to see how compliant they are, and to identify the gaps. However, the appetite to spend money on the 'gaps' is a challenge.”
Q: Is architecture paralysing delivery?
Always - they drag their feet - 36%
Sometimes - and it makes sense - 36%
Never - they are really part of the process - 25%.
All agreed that architecture plays a huge role. “Architecture is a very tricky job. It's not the quickest who will survive, but those who respond to change. Flexible architecture is what it's about.”
Share