Strategic security assessment can define what degree of risk is acceptable

Many businesses respond to increased information security threats by shoring up their perimeter defences. Implementing tools that serve a very specific purpose is part of the solution, but smart organisations are waking up to the need to implement a strategy that also includes security assessment.

In fact, says Anthony Southgate, general manager: Security Solutions at Dimension Data, one of the biggest issues surrounding information security investment is the fact that many senior managers simply do not recognise or understand the threat to their business. It is difficult to quantify the actual threat or calculate the ROI of any project.

"Before approving any budget plans, management therefore needs to understand the real impact of a breach on their security systems. It is also critical to be able to discern the fact from the fiction in terms of security mythology," he adds.

According to Southgate, companies need to establish what degree of risk is acceptable. But many lack the skills to accurately gauge the threats to their systems and online assets. Few can state with any confidence that they have invested their security budget optimally against the threat.

"Commonly, companies invest in reactive solutions like firewalls, VPN and detection tools that address specific issues," he says.

A recently commissioned Dimension Data US survey on information security shows that 93% of organisations have already implemented products that address perimeter security (IDL, 2003). According to Southgate, the percentage in SA is very similar.

"However, these companies would benefit economically by enhancing this protection layer with an integrated detection and response strategy," he adds. "And the best way to develop this is by starting with a professional information security assessment as this allows organisations to understand where the real risks to their business lie."

Fifty-five percent of organisations surveyed already use security assessments as part of their ongoing strategy; 60% of the remainder intend to do so in the near future.

However, the costs of a security breach cannot always be easily quantified. Damage to reputation and brand can often be as detrimental as the physical harm done to an organisation's systems. It is vital that CEOs and senior management understand just what it means for their organisation if breaches occur.

It is therefore important that organisations use regular benchmarks, such as the IDL survey, to help them understand their risk exposure and how this compares to their competitors.

Seeing the economic impact of a real-life attack can be very convincing when considering info-security investments.

Seventy-three percent of the respondents to the IDL survey indicated they had direct experience of a threat or attack. So it is perhaps not surprising that nearly 67% of businesses surveyed indicated plans to invest further in their security provision over the next 12 months.

While many were still focusing on products to provide protection, a significant number of organisations indicated they wanted to move toward investing in security consultation and managed security. Of those organisations that confirmed further investment, 89% intend to allocate budget to security consultation and 62% to a managed security strategy.

"This clearly indicates a move away from creating a defence against every eventuality, toward adopting a more proactive strategy on what to do should an attack occur," says Southgate.

"By focusing less on eliminating all risks, and more on developing a strategy for how to deal with attack, organisations will be able to benefit from a pragmatic approach to security that does not negatively impact their ability to innovate."

Dimension Data

Dimension Data Holdings plc (LSE: DDT) is a leading global technology company. The group provides solutions and services that optimise and manage the performance of IT infrastructures to enable business to build competitive advantage. To achieve this, the group delivers solutions using its proprietary 'Application Network' architectural framework and its expertise in networking, application integration and managed services.

Dimension Data, founded in 1983, had revenues of $2.1 billion in 2002 and operates in 30+ countries with over 9 000 employees.

Editorial contacts

Cathy Lapping
Citigate ICT PR
(011) 804 4900
cathy.lapping@citigatesa.com

Bronwyn Goeller
Dimension Data South Africa
(011) 575 0000