Globally, organisations are in the midst of an evolution in the computing environment - developing or acquiring new applications, integrating legacy systems with distributed and multiplatform processing environments, and employing new technologies to meet business needs.
However, this evolution is also forcing companies to step back and consider how to approach security in a way that keeps pace with the changes.
The reality is that organisations struggle to understand what the threats to their business information assets are and who can help them; choosing the right human and financial resources therefore poses a significant challenge.
Therefore, companies need to develop and implement a comprehensive and flexible enterprise-wide information security architecture to protect confidentiality, integrity and availability of information and system resources.
Firstly, the executive team has to identify its position on security, define responsibilities and priorities and understand the danger of potential threats and vulnerabilities.
The next step is then to define a model in which the information assets are secured, basing it on the pre-defined company requirements and position on security.
Although it sounds relatively straightforward, constructing and implementing a security programme that meets the needs of the managerial team entails a lot of effort and careful planning across a broad spectrum of organisational entities.
Alignment is one of the key elements in the successful implementation of a security programme. Many organisations struggle to align security with business objectives, for several reasons:
* Security expenditure is hard to justify within traditional ROI models;
* The business may not recognise the value of certain security services, so existing security resources are allocated elsewhere; and
* The core business units and the IT department may view their objectives as distinct from each other rather than integrated.
Another problem is the distance between the top level of management and the security team, which is also the distance between the organisation's business goals and the IT department's protection of those goals. This is often referred to as the security management gap.
The bottom line is that ignoring the importance of alignment is risky. If the security objectives are not aligned directly with the company's objectives, the security team will not be able to react fast enough in the event of a threat or attack, because they will not have a full understanding of the risk it poses to the core business.
A company's security programme must also be enterprise-wide. Taking a holistic approach is very important, as a company is only as secure as its least secure link.
The concept of enterprise-wide security begins at the core of an organisation and moves outwards in all directions, encompassing not only the organisation itself but also its second and third generations. Enterprise-wide security moves from the management team at the core to include all business units.
A security programme must be continuous. Real-time monitoring and updating of all security policies, procedures and processes ensure a timely response to issues and opportunities.
What it boils down to is that a comprehensive security programme must be continuously updated. Not occasionally. Not periodically. Continuously.
This obviously presents an enormous challenge to organisations whose management teams do not understand the ever-changing nature of today's technology. As we are all aware, threats and vulnerabilities can become full-fledged attacks in a shockingly short time.
Organisations with a keen awareness of security issues adapt their infrastructures accordingly. However, those with world-class security programmes engage in a continuous cycle of assessing, updating and redeploying their security programmes.
Good security does not begin and end with erecting a firewall and installing anti-virus software. Good security is planned, designed, implemented, maintained, and evolves.
In a world of electronic threats, securing the enterprise has become an issue that must be addressed with the involvement of executive management and not left to technical personnel only.