Security is a board-level issue: Ratshefola

Most South African companies are not doing enough to improve the security of their information. That's according to Hamilton Ratshefola, CEO of Cornastone Consulting, speaking at the recent Identity Management and Privacy Conference hosted by Global Security Solutions at The Campus in Bryanston.

Ratshefola says it is time for senior management and executives to become proactive about IT and information security issues.

"Information is no longer an IT issue, but one that affects the entire organisation, including partners, suppliers and customers," he says.

Controlling access to company resources is a complex consideration for any big business. To remain competitive, companies must give employees access to business resources. They may also need to extend secure access to these resources to customers, partners and suppliers, against a backdrop of increasing risk of fraud and abuse.

"In the new economy, organisations are boundary-less, and the demand is for the seamless flow of information both into and out of the organisation," says Ratshefola. "This presents new opportunities and risks."

Responsibility ultimately rests with the board of directors but, he says, few have the IT knowledge and skills to make decisions about IT security. "A proactive company will therefore have an IT and security governance committee as a subcommittee of the board; the committee's role is to assist the board to adequately address IT and security issues of the enterprise."

He points out that this committee should assume several responsibilities: understanding and quantifying how critical information security is to the organisation; ensuring the development and implementation of a comprehensive information security plan; reviewing and supporting information security investments to meet organisational security needs; and developing a regular reporting framework with checks and balances to ensure information security is effective and adequate.

Commenting on why information security governance should be top of mind, Ratshefola notes that it protects company information assets against the risk of loss, operational discontinuity, misuse, unauthorised disclosure, inaccessibility and damage, potential civil and legal liabilities due to information inaccuracy and loss, and the absence of due care.

"Technology continues to advance at a rapid pace, but companies are simply not investing enough in their IT systems to enhance security and controls," he adds. "The South African companies that are investing tend to do so only because of regulatory requirements."

Over 70% of Cornastone's local security projects were driven by clients' needs to be compliant with Sarbanes-Oxley, 20% were driven by the need for competitive advantage, and the remaining 10% were risk mitigation programmes.

Ratshefola's concerns are corroborated by Patrick Devine, security and identity management practice leader at Cornastone Consulting, whose presentation looked at the challenges of role-based identity management in large organisations.

"Roles are fundamental to any organisation," says Devine. "Roles tie business and security together; they are the common language understood by both business and security administrators, and they are fundamental to identity management. With regulatory requirements making it obligatory for organisations to remain in control of their resources and to prove that they are in control, it is vital for organisations to have a view of who has access to what resources."