
Drive security policies, processes around your people

Johannesburg, 06 Sep 2006

People remain the weakest link in a technology-saturated IT security chain, and large global organisations are unhappy about it, says Ulrich Weigel, EMEA director, Security Management Practice at NetIQ.

To create an effective IT defence system, large, medium and small businesses must identify the exact security requirements of their industry and market. A bank's IT security risks will be immeasurably different from those of a manufacturer. However, IT budgets are generally tight, and IT departments must justify expense to a greater degree than before, no matter where their executives are on the globe or what business they serve.

Reputation vulnerability has become a primary concern for some modern organisations. Executives at those with the most to lose get the big budgets, while the rest are tasked with what is now a cliché: do more with less.

Don't be fooled into lethargy by the common cliché. Doing more with less is a real issue.

This is not specific to South Africa. If we want to examine the differences and commonalities between South Africa and Europe, then it is important to first realise that there is no one Europe, but rather the components of a united Europe. Some IT security factors weigh more heavily in certain areas. For example, Germany is a heavily regulated environment, while England has fewer regulatory drivers. South Africa's average IT spend for a given business may be less overall than it is in Germany and France, but banks in all three countries face common issues. And while banks have a great deal to lose in the reputation stakes on both sides of the continental divide, manufacturers in all three nations may have relatively little to lose.

From an IT security point of view, South Africa and a united Europe are one and the same, with marginal discrepancies.

That has resulted in an important yet subtle shift in the way the top organisations now approach IT security. The project-by-project approach no longer satisfies executives, managers or even the foot soldiers, and the trenches no longer reverberate to the sound of hurriedly implemented stopgap measures. Today the team presents a united front, directed by the business strategy, to lay down a seamless barrage of tightly integrated security systems in a relentless march against internal and external security threats.

Clearly defined process

Companies have always used processes to support all that they do. Insurance companies are prime examples of process-driven organisations. Customers enter into a clearly defined process before a life insurance policy can be issued. Now that same methodology is being applied to IT security.

And it means that specific security tools now play second fiddle to business strategy.

The business strategy interfaces with best practices. There are several, and they stem from organisations such as (but not limited to) the Center for Internet Security (CIS), which publishes configuration benchmarks; BSI British Standards, the national standards body of the UK; the German BSI (Bundesamt für Sicherheit in der Informationstechnik), which offers a free IT security manual (the IT-Grundschutz catalogues); and SANS, the SysAdmin, Audit, Network, Security Institute, established in 1989 as a cooperative research and education organisation.

Companies must decide which best practice, benchmark or methodology best suits them. Risk management is the key that unlocks the answer. Companies need to ask themselves: how do I manage the risk and what do I want to achieve?

In addition, it is responsibility that lies at the core of IT security today, regardless of the industry, market, organisation or country. A large organisation may have anywhere between five and 50 IT security employees. In South Africa that same organisation can easily have anywhere between 1 000 and 5 000 employees in total. How can even 50 IT security people be personally responsible for a laptop that is not under their constant supervision? If the organisation makes them ultimately responsible for that laptop's security, then they have been set up to fail. It is imperative that everybody who has access to IT equipment be responsible for its security, if only in part.

Businesses must deploy IT security policies that make all employees responsible IT security personnel, each accountable for the equipment and data they handle. Role-based security, in which access rights follow the job a person does rather than the individual, is essential. If companies do not do this, then they can spend as much money as they like on best-of-breed or state-of-the-art products, and even shift a paradigm or two, but it will be money wasted.

Surround that with an ongoing education programme and the organisation will quickly stop most security threats. IT security awareness is possibly one of the most difficult goals an organisation faces. Kevin Mitnick put it best when he said that you cannot download a patch for stupidity. But people remain the organisation's frontline defence, and it is here that organisations must focus their efforts.


10Net

10Net is a value-added distributor focusing on solutions in the areas of Web and e-mail content filtering, performance and availability management, security management, configuration and vulnerability management, operational change control, Active Directory management, patch management, SQL management and encryption. Most of these solutions integrate through an open, service-oriented architecture that enables common reporting, analytics and dashboarding. Organisations can thus reduce system and security risks by analysing, securing and optimising their IT infrastructure. The combined product range from vendors such as Marshal, NetIQ, Idera, Shavlik and Voltage enables 10Net to provide integrated systems and security management solutions.

Editorial contacts

Karen Breytenbach
Predictive Communications
(011) 608 1700
Karen@predictive.co.za
Michelle Stacey
10NET ICT Solutions
(011) 783 7335
michelle@10net.co.za