
A false sense of information security

Kirsten Doyle
By Kirsten Doyle, ITWeb contributor.
Johannesburg, 18 Nov 2016

ITWeb Security Summit 2017

Registration is already open for the ITWeb Security Summit 2017, with six international plenary speakers, #SS17HACK launch, three training courses to choose from, and much more. Manuel Corregedor will present during the security in finance track on A False Sense of Information Security.

Solutions, tools and processes often give businesses a false sense of security. The organisation goes to the time and expense of deploying a measure or following an oversight procedure, but the benefit to the company's overall security posture might be negligible.

Manuel Corregedor, a cyber security professional at Grindrod Bank, will be presenting on 'A false sense of information security' at the ITWeb Security Summit 2017, from 15 to 19 May, at Vodacom World in Midrand.

He says there are several factors that create a false sense of security. "From purchasing a 'silver bullet' solution sold by a vendor to getting the wrong information at the executive levels; for example, everything looking okay in a report, but not being secure operationally."

In addition, he says a number of important information security controls such as penetration testing and information security awareness training are simply getting done as a "check box" exercise, to pass an audit, instead of being meaningful.

Corregedor believes what organisations are doing wrong in terms of security differs between organisations, mainly due to each organisation having a different level of maturity. "However, the biggest challenge I believe organisations have is finding the right skills and/or experience in information security, and retaining those skills."

He says this results in businesses putting individuals with a lack of experience or skills in a position where they make mistakes. "An example could be one of these individuals searching the Internet for 'cyber security', finding an article or standard, and trying to apply it within the organisation without really understanding it."

Understanding infosec

Manuel Corregedor

Speaking of what organisations should be doing better, Corregedor says there are several things: "Addressing the abovementioned points would be a start, but the most important thing organisations need to do is to understand why information security is important and what it addresses that are relevant to them, the risks that have the biggest business impact."

This requires that training and awareness take place, so that leadership within the organisation understands the importance of information security and that, although there are several risks, there are also a number of opportunities that come from implementing information security, he explains.

"Organisations need to demand higher quality deliverables from security providers. For example, if you are paying for a penetration test, then you should get a penetration test and not a high-level vulnerability assessment. However, this is also tied into having the right skills and experience within the organisation to correctly interpret and evaluate the reports."

Delegates attending Corregedor's talk can expect to receive practical guidance on how to achieve a good baseline of information security - without breaking the budget. They will also learn about quick wins which can be instantly implemented. "Finally, they will learn how NOT to implement information security," he concludes.
