
A company security plan can be a knife in the back for business. Some companies overspend and others spend too little. Speakers for the ITWeb Security Summit share their advice on how to implement a balanced security strategy.
The level of security a company implements depends largely on the organisation's 'appetite for risk', says Charl van der Walt, founder and director of SensePost Information Security. "Many organisations have not objectively determined their risk appetite, so run the risk of either over or under committing security resources in their environment," he says.
However, pinning down risk appetites and following the levels of security required is impossible to do for more than one company at a time, says Simon Perry, VP and security strategist at CA International. But at the same time, Perry says, companies at the same point in the same industry will have similar risk appetites, which will give them a general idea of what risks they will face.
"A company should reasonably aim to achieve a similar level of capability as their peers, which is reflective of the fact that companies within a given industry vertical may expect to suffer similar problems," he says.
Appetite is only one aspect of determining an effective security strategy. Risk is also a case of balancing cost, value to risk and loss, says Maiendra Moodley, technical security advisor at the South African Reserve Bank.
McAfee senior security strategist, Greg Day, says balancing all these aspects requires an organisation to assess and understand its own business environment.
"Businesses today look to balance their investment in security solutions, to where they manage the risk to an acceptable level, but ensure their investments do not outweigh the costs of the threats they are being deployed to mitigate," he says.
According to CMO at Fortinet, Richard Stiennon, the cost involved should not only be to the company. "Security investments should increase the cost for the attacker to the point where the cost exceeds the potential benefit," he says.
Toby Stevens, director of the Enterprise Privacy Group, says risk and security are also about responsibility. "If an organisation's information security manager is taking these risk decisions in isolation, without reference to the board, then something has gone badly wrong," he says. He adds that ultimately, how a security strategy is implemented should be the responsibility of the directors.
"So, how much security and risk is appropriate for the organisation? Don't ask the information security manager, ask the directors," he says.