
Security a risk(y) management issue


Johannesburg, 12 Nov 2003

"Security is not a technology issue, it is a process issue," says Meta Group security and risk strategies VP Paul Proctor.

Speaking at the Meta Group/ITWeb security conference held in Johannesburg yesterday, Proctor said the companies having the most success in reducing risk were those that had moved away from treating security as a technology issue and were now approaching it from a risk management point of view. Proctor said he saw an increasing number of risk managers being hired.

Touching on the scope of legislative and regulatory changes currently taking place that impacted on the way people approach security issues, Proctor said: "Regulatory issues are the single biggest security drivers, it's not the worms."

He stressed the importance of a proactive and holistic approach to security, and of treating security as a continuous programme rather than a project with a beginning and an end.

"Such an approach to security requires a cultural change in how people think and act. It requires executive will, leadership and drive. It also requires explicit accountabilities, which right now don't exist in many organisations.

"You will not get 100% security," said Proctor, "but focus on continuous improvement and ensure executive support. The goal and ultimate benefit of a comprehensive information security strategy is executive peace of mind."

Les Stevens, Meta Group SA security and risk strategies practice leader, said there was no clear definition of responsibilities among IT and business teams where security was concerned. This was aggravated by the lack of clarity within some of the current applicable legislation and regulations.

"One of the problems we are facing now is that there is often not much agreement, sometimes even between legal people, as to what some of the new regulations mean."

Mojalefa Moseki, State IT Agency (SITA) CIO, said government would move to open standards systems as they were more secure than off-the-shelf solutions. He said this would improve security as well as reduce the significant costs associated with integrating proprietary systems.

"Information is the only resource that government really owns. Consequently, government treats information security as being very important.

"The move to open source software (OSS) will not be achieved overnight," he said, "but government is testing certain systems and expects to achieve critical mass on OSS within the next 18 to 30 months."

Johan Roets, Standard Bank direct distribution director, told delegates at the conference that the whole online banking industry would have to address the need for a partnership with clients, which would include continual education of users about safe computing practices. He said ultimately the road ahead would mean having to constantly raise the standard of online banking security. "It's a journey, not a destination."
