Information security a top priority

By Alex Kayle, Senior portals journalist
Johannesburg, 22 Feb 2010

Winning business buy-in to budget for information is still one of the biggest challenges facing IT departments.

This is according to Kris Budnik, Deloitte advisory director, speaking during a panel discussion at the Deloitte ISG chapter meeting in Woodmead, last week Friday.

Budnik explained that a bridge needs to be crossed between business and IT, with the information security manager aligning with the CEO. A focus on information protection prevents financial loss and helps to achieve the necessary budgets.

“IT departments using scaremongering tactics for budget motivation doesn't work,” said Budnik. He added that looming regulations are under way this year which will force IT governance and protecting personal information to become high priorities at board level.

Craig Summers, head of Information Risk Services at First Rand Bank, agreed with Budnik, explaining that in tough financial times, it's difficult to justify security spend. He noted that business understands security risks based on what the direct impact will be on business profits and spend.

However, Gerhard Cronje, JSE IT governance head, warns that IT being proactive on security threats may not be the ultimate answer. “It is cheaper for a bank to refund its customers after they lose money due to a phishing scam, than it is to implement an expensive mechanism to prevent phishing. Until it hits, the business case doesn't stand because it would cost a lot more in the long run to be proactive.”

Upcoming threats

Jump pointed out that the 2010 Fifa Soccer World Cup, coupled with increased penetration, will result in a higher number of security attacks and information risks.

“Bandwidth is encouraging more people to get connected and many of them are not aware of the risks. There's now hundreds of thousands of threats knocking on our door and it's something we can't ignore. In terms of corporate information risks, we need to be prepared,” concluded Jump.

According to Deloitte, within the next few months, SA will have legislation requiring all organisations processing personal information to comply with the Protection of Personal Information Act. The Act will apply to all public and private bodies and will curtail spam and regulate the transfer of information to third parties.
