
Putting security policy first


Johannesburg, 28 Jun 2001

Every day in the new e-economy, organisations worldwide put billions at risk by transmitting valuable information across the Internet, the single largest commercial marketplace on earth. For many of them the potential loss exceeds the potential revenue, because the exposure extends beyond their own data to their clients' personal and business information, blurring the boundary between the online and offline commercial worlds.

Organisations continue to struggle to define and take appropriate steps to safeguard information. Many view technology as a panacea for their security troubles, while others undertake a series of fragmented, unconnected initiatives that not only leave Internet-facing systems poorly protected, but also create a false sense of security that may in fact hold doors open for malicious intruders.

"Silver bullet" approaches to security hazards are almost never sufficient. Technology plays a vital role, but it does not lie at the centre of an effective security equation. To be effective, an organisation must create an overarching security strategy that ties its technologies together; without one, they remain fragmented and potentially ineffective.

The most common mistake in security management is spending on technology in the absence of a policy context.

A corporation-wide security strategy states the security goals for the entire organisation and defines the risks that this particular firm faces. It should be approached from a holistic perspective, rather than from the narrow vantage point of individual business units.

Communications breakdowns among corporate divisions can block clear articulation of the strategy. A coordinated security strategy and the associated policies provide the framework for an effective information security program.

Once a sound security strategy has been developed, security policies can be drafted. The policies document the organisation's security objectives in a number of topical areas (eg, asset protection, threat assessment and monitoring, security awareness) and provide long-lasting, technology-independent guidance for implementing and managing the information security program. Intended for everyone in the organisation, security policies must provide traceable, practical guidance for all internal and external end users.

The weakest links in ineffective security programs are typically unwritten security policies, standards and procedures, or a general lack of security awareness among administrators and end users. Poorly written policies can be equally hazardous, resulting in misunderstandings that actually heighten information security risks.

Security policy must be virtually obsolescence-free: as practical in today's IT environment as it is adaptable to rapidly changing technology. Furthermore, information security concerns must be treated as a form of business risk that is analysed, weighed and managed like any other business risk.

The security policy derives its authority from the people who refer to it and consistently follow its provisions. Top management needs to clearly articulate the organisation's commitment to the policy. Good policy requires buy-in from everyone in the organisation and must not be offhandedly relegated to "those geeks in IT".

Organisations need to establish a united front to overcome security challenges. Security policy should function as a unifying framework that brings everyone in the organisation together in their response to security challenges, both large and small. The security program should be regarded as a long-term process, not a static goal. As time passes, business strategies evolve and new technologies emerge. That is why effective security programs should be run as a continuous cycle of assessing security risks, designing and implementing solutions, and managing the overall process.

Cogent policies are especially critical in a merger/acquisition environment. The combined organisations will need to swiftly develop a single, coherent program. In this setting, the security policies and standards will address such issues as email systems, remote access systems, and networking systems serving the newly merged organisations.

Security awareness and behaviour modification are essential to the security program. Part of this process involves changing how people work, and the workforce may resist the changes in work habits that the security policies demand.

More than ever, in the age of B2B e-commerce, security awareness also extends to customers and business partners. It must reach clients who, for example, inadvertently undermine security by revealing the passwords for their Yahoo, AOL or stock-trading accounts.

Business conditions change, corporate leadership changes, the composition of the workforce changes, technology changes, and new partnerships arise as others fall away. Amid all these changes, well-defined and coordinated security policy can be viewed as a compass that helps point the way as new developments unfold.

An effective policy framework, combined with procedural and organisational improvements, will provide an enduring context for effective applications of current and emerging security technologies. The resulting information security program will serve as a business enabler and maximise the return on security investments.


AST Group

The AST Group provides comprehensive and integrated ICT-based solutions to an increasing range of global corporate clients. AST's best-of-breed software, excellent service delivery capabilities and our solution focus make us your ideal strategic partner.

AST focuses on industries such as mining, financial services, manufacturing, telecommunications, healthcare and government. We have specialists in management and IT consulting, IT communications, enterprise systems management, IT services, ERP solutions, outsourcing, technology rentals and training.
