Security management meets GRC

A security plan should be practiced like a fire drill so that everyone knows what to do in the event of a breach, says RSA's Stephan Le Roux.

In the past, companies secured their assets by building walls to keep intruders out. Today, criminals have learnt how to scale these walls and infiltrate the organisation from the inside, which means businesses need to rethink their security strategies.

This new threat landscape means the security industry should start thinking differently about how customers can protect themselves against cyber threats.

"Traditional security is no longer effective enough against the latest attacks," said Stephan Le Roux, RSA's district manager for southern Africa, in an interview with ITWeb. "The reality is that hackers are well-funded, and because they have to deal with less red tape, their activities are less complicated.

"The latest types of attacks mean that today's solutions must be more integrated and functional," he said, adding that combining governance, risk and compliance (GRC) and security management enables businesses to prioritise what is important to them. "A more integrated solution allows businesses to better protect themselves and to react faster in the event of an attack," Le Roux said.

This approach increases visibility for customers and allows them to make informed decisions, particularly when thinking about how best to secure and store their sensitive data, he noted. It is important for companies to establish what their "crown jewels" are, said Le Roux.

"Every company needs to understand what product or service they offer the market that differentiates them from their competitors. Then they have to assess what would happen if this asset was compromised," he said, adding that once the company has done this analysis, it needs to put procedures in place to prevent anything from happening to this competitive advantage.

This is all about live planning, according to Le Roux, who pointed out that the company must also ensure this plan is properly implemented and communicated to those involved and that it should be accessible to all should anything go wrong. "This plan should be run like a fire drill to get everyone familiar with the process and to make sure everyone knows what they are supposed to do."

According to Le Roux, this need for solid security plans is part of the reason why customers are looking for more comprehensive GRC solutions, as risks can affect compliance and can result in reputational damage for the organisation.

More and more companies are being breached, he concluded, stressing that companies should stop considering security and GRC solutions as "grudge" purchases. "Going forward, security and GRC discussions should be happening at boardroom level if companies want to protect themselves and safeguard their reputations in the world we live in today."