In a world of electronic threats, securing the enterprise has become an issue that must be addressed with the involvement of executive management and not left to technical personnel only.
While initiatives such as the King II recommendations have done much to bring corporate responsibility to the fore, the issue of security, which can be a bewildering one, may still require deeper involvement from the upper echelons of corporate decision-makers.
"The changes that have had to happen and are going on now within management and security have been painful for many companies, as change can often be. This mainly has had to do with the attitude usually taken with technology and security in general," says Danny Ilic, business development owner, enterprise management and security at Computer Associates Africa (CA).
Ilic explains that management often feels that it is the IT department's responsibility to choose, install and maintain the correct technologies. "Management has never really been pulled inside the realm of computers and the issues that surround them. This distance and attitude has had a negative effect on many companies when it comes to effective security.
"Traditionally, management has been responsible for making the numbers - whether it be profit margins, sales goals, productivity marks - or for managing people and projects. Discussions of firewalls, hackers, and security breaches have remained the stuff of the 'techies' in the data centre. However, this trend is fading and the new trend demands that management be more intimately involved in security and how it affects the company as a whole," says Ilic.
He declares that it is management's responsibility to actively participate in the role security will play in an organisation. "It is their responsibility to decide what data is valuable and needs to be protected, who is responsible for protecting it and to what extent, what the acceptable actions are for employees, and what the consequences are for non-compliance," he says.
However, Ilic says few corporations see these issues in this light and instead relegate security to the IT staff. "This is generally not because management is wilfully avoiding responsibility, but rather that there is a misunderstanding and less than full comprehension of what computer and information security entails," he says, acknowledging that the field of data security is a complex and specialised issue.
"The reality is that the issue of security has become an ever more complex one as the number and types of threats have increased dramatically as technology has evolved," he says.
Ilic explains that good security does not begin and end with erecting a firewall and installing anti-virus software. "Good security is planned, designed, implemented, maintained, and is a dynamic process that evolves," he says.
He notes that security must be tailored to each business's goals and objectives, and that management should understand security issues and how security affects the company and its customers to allow the proper resources, time and funding to be provided. "Unfortunately, the issue of security often never leaves the IT department, which can be overwhelmed with daily tasks with the possibility that security is not properly maintained and executed," says Ilic.
While he concedes that a detailed understanding of security mechanisms, protocols, configurations and components is not necessary for executive management, he stresses that effective information security starts in the boardroom. "It is too much responsibility to put the full spectrum of the security of an entire company in the IT department.
"It needs to be understood, supported and funded from the top down, with management setting the stage for everyone else to follow. Management should understand the issues and risks at hand and provide the security policy and framework, and delegate who is to fill in the rest," he says.
When a company is hacked and sensitive information such as credit card details are stolen, intellectual property is compromised, or confidential information is exposed, it is management staff that must explain if due diligence was practised in protecting the company and its resources.
"These explanations may need to go to corporate offices, shareholders, judges, and to customers. With this in mind, there is a compelling argument for management to begin to truly understand how security works within the organisations they lead to ensure that appropriate measures are taken to safeguard enterprise data," concludes Ilic.