There's no doubt that information security is an issue that needs to be taken seriously and that failure to do so may well leave your organisation exposed.
"Information security compromise is a risk to your business," says Luc de Graeve, MD of specialist security firm SensePost, "just like every other risk that your company faces every day; albeit theft, fire, a staff walkout, natural disasters or political turmoil."
Like every other risk, the security threat must and can be managed. "Risk management is a business concept that has been around since the time that two chickens were worth a shiny round stone on the open market. IT security threats must be addressed on a management as well as a technical level. Information Security Management Systems (ISMS) is the driver keeping these processes on track. There's nothing revolutionary to it," says De Graeve.
Jaco van Graan is director of SensePost's Information Security Management Systems division, a team that specialises in helping companies create the organisational structures needed to minimise the information security threat.
"Risk management is a process that begins with assigning value to the asset you are trying to protect," he says. "Once you've done that you can decide how much you're prepared to invest to protect those assets. Only then can you assign budget intelligently and decide on the way forward."
It's almost certain that the finance available will be insufficient to completely guarantee the security of all your IT assets, which means your systems could eventually be compromised in some way. "It's called residual risk," says Van Graan, "and it's OK. The challenge is to keep the residual at a level that's acceptable to your company." That, in turn, is achieved through the effective implementation of structures, policies, procedures and technologies.
'Effective' is the key word here. Once a business has decided what its information assets are worth and how much loss it's prepared to tolerate, the next step is to determine where the threats originate. "It's no use spending money on problems you don't have," explains De Graeve. "You have to determine where your information is at risk before you can effectively spend the appropriate time, money and people on addressing IT security threats."
Specialist groups like SensePost can be of assistance, offering comprehensive IT risk assessments that probe companies' systems, illuminate potential weaknesses and provide managers with the information they need to develop security strategies and make objective decisions. According to De Graeve, most organisations tested are vulnerable to threats they weren't aware of: "Fortunately, the solutions to these problems are often simple and inexpensive. Information is power and a professionally executed risk assessment puts the IT manager back in the driver's seat."
Appropriate risk assessments complemented by continuous automated monitoring of critical elements with services like HackRack (www.hackrack.com) go a long way to minimising risk in a cost-effective manner.