Security should remain a priority

By Staff Writer, ITWeb
Johannesburg, 17 Apr 2007

With the advances of technology and the media hype surrounding security risks, one would assume that security would always remain at the top of organisations' priority lists.

However, Dwaine van Vuuren, global practice lead for security solutions at Dimension Data, says this is not always the case. "We conduct security assessments with our clients to provide them with a snapshot of their security postures, assessing their overall information security programme and corporate governance. Using our industry experience in security, coupled with the findings of all the assessments that we have completed for clients around the globe thus far, we have been able to identify a number of trends in the marketplace."

Technology is not enough

According to him, organisations' views on security are still primarily focused on hardware and software and they aren't focusing on implementing defence-in-depth strategies. IT departments authorise reactive short-term fixes without looking at the full context of any incidents, or they rely heavily on technology in lieu of programmes that include components of risk management, process, organisation and people.

Organisations are dependent on security perimeter technologies. "From our experience, we find that organisations rely heavily on perimeter firewalls and VPNs, with much less focus on internal security. Perimeter technologies need to be expanded and the focus needs to be on internal security measures, such as internal segmentation, intrusion prevention, vulnerability management and admission control," says Van Vuuren.

Companies are realising that in today's business environment, an internal network is not much safer than an external network, he says. Enterprises are required to provide more users with access to their network and information resources; they have to manage multiple levels of access to their information resources, based on the users' roles and responsibilities. This is the case for customers or business partners requiring access to information, or for mobile users requiring access to applications from outside the enterprise's walls, to name but a few.

More work needed

Organisations in general have yet to accept risk management and corporate governance as core to their overall security programmes and there is still a lot of work to be done in involving top management, comments Van Vuuren.

ITWeb Security Summit 2007

Taking place from 22 - 25 May 2007 at Vodaworld, ITWeb's Security Summit will bring together international and local IT and security professionals, practitioners, industry experts and analysts. Delegates will gain an understanding of the key tools, techniques and strategies needed to safeguard their organisations' most valuable asset - information. International security guru, Bruce Schneier, and creator of the PGP e-mail encryption protocol, Phil Zimmermann, will deliver the opening keynote addresses.

He says traditionally, security has been left in the hands of the IT department. As such, top management is not really involved in the overall risk management plan of the organisation as it relates to IT security. "We find a considerable lack of awareness among business managers regarding how security impacts the organisation."

Most business managers also equate compliance with security, to the detriment of the organisation. "Just because you are compliant doesn't mean that you are secure. Many security technologies are implemented to focus on specific compliance issues. But this doesn't mean that you have a robust all-encompassing security programme," says Van Vuuren.

An example is to be found in the Sarbanes-Oxley Act, which dictates that organisations need to control access to their systems and also report on the users who have accessed the different systems. To enable this, security tools are required. According to Van Vuuren, this doesn't necessarily mean that companies are free from hackers, spyware and all the other security issues. It just means they have the ability to check and identify users who accessed specific systems.

Processes are key

Companies in general demonstrate few efforts around security programme assurance, event logging, incident reporting and pro-active response activities. As such, many organisations do not have an information security strategy that details processes to ensure their security.

Some companies also implement the best security technology available on the market, without having the people or the skills to properly manage these tools, and to ensure that proper processes are followed. A practical example is users making changes on the network: without a change management process in place, such changes may pose a security risk.

Van Vuuren concludes: "While organisations often increase spend on security technologies, the number of incidents continues to rise, confirming our belief that a holistic and pro-active approach to security is the best way forward."
