
Internal threats remain a challenge

Johannesburg, 03 Nov 2010

Despite organisations' increased spending on security and the growing media visibility of significant breaches, 80% of all security issues still originate from internal rather than external sources.

This is according to Tom Scholtz, a research vice-president at Gartner, who is in SA running workshops in both Johannesburg and Cape Town on 'Developing a Strategy for Business-Aligned Information Security and Management'.

In a bid to reduce this exposure, various technologies are being deployed, including data loss prevention software, document management and encryption tools, and some form of 'port control'.

But the focus is now shifting to changing the behaviour of staff so that it aligns with the company's security culture, drawing on the social sciences, the fields of academic scholarship that study human behaviour and society.

The first step in this process is creating awareness within the individuals themselves. Scholtz suggested that relating security issues to the personal 'at home' situation and the information individuals already want to protect, such as their bank account details, personal documents and passwords, and then applying the same criteria to the business realm, is proving an effective way of creating that awareness.

Even simple measures, such as sending a message to colleagues from a PC its owner has left unlocked, thereby 'shaming' the person responsible, often have the desired effect.

However, the real challenge facing organisations from a security perspective, according to Scholtz, is consolidating the various disparate security activities that exist across most companies.

He indicated that the current thinking on an information security model is one with a core unit, the corporate Information Security (Infosec) team, responsible for risk management, policy management, programme management, business continuity management, architecture and awareness, and reporting directly to the corporate risk manager.

In addition, there should be an IT Infosec team, reporting directly to the CIO, responsible for risk assessment, design and implementation, disaster recovery planning, security monitoring and vulnerability assessment.

Also suggested is a business unit Infosec team, reporting directly to line-of-business (LOB) management, responsible for business continuity planning, awareness and local policy management.

These three teams would then be fundamental in determining the security policy within any company's governance and risk management framework.

As part of this scenario, Scholtz highlighted the following risk management pitfalls:

High on this list are assuming that everyone in the organisation shares the security team's enthusiasm, equating the requirement to formalise risk management with a need for highly algorithmic mathematical or statistical methodologies and tools, and treating risk assessment as an objective science.

Attempting to roll up multiple independent risks into one overall risk indicator, using a single assessment method or tool for every assessment scenario, and assuming everyone shares the same risk affinity are, according to Gartner, perilous.

Companies that forget that the risk affinity of organisations and individuals changes over time, that neglect to treat the asset or process owner as the actual risk manager, that treat assessment as a once-off activity for any given resource, or that use inappropriate quantitative assessment methods remain susceptible to insider threats.

Finally, Scholtz identified three developments or trends that are emerging, or starting to emerge, in the security space.

These are: the use of two-stage authentication; the increasing use of analytics on security data, much as conventional analytics grew out of business intelligence tools; and the need for an independent 'authentication' individual or body to handle the issues arising from the move to cloud computing.
