Info security: the six things business needs to know
Much is lost in translation when it comes to communicating information security risks and the need for businesses to address these, says Steve Jump, head of corporate information security governance at Telkom.
This, he says, is why business gets turned off talking about information security threats - despite these having become a real concern in the digital era.
"The biggest problem we face in the sector of information security is not keeping the bad guys out - it is convincing your company's management that the money you are going to spend on information security is going to be well spent."
With businesses focused on profit, information security needs to be presented to them in terms that speak to profit. Jump says the words themselves - the complexity and the jargon - often end up being the dividing factor.
"Business wants to know how information security breaches will affect their bottom line, what it means to them, and who will know or care, and it is all in the words we use." Six of these words, often used in a manner that scares business, says Jump, are regulatory, fraud, theft, service availability, business agility and reputation.
Jump suggests taking a pragmatic approach, relaying to companies what they want and need to know about the said risks. He summarises the six facets as follows:
1. Regulatory risk: Non-compliance with legislation, local and international, means running the risk of fines, licence conditions and imposed business constraints - as well as the prosecution of the company and its staff under the Companies Act, the Consumer Protection Act, the Protection of Personal Information Act, the King III Code, the Regulation of Interception of Communications and Provision of Communication-Related Information Act, the Promotion of Access to Information Act, etc.
2. Theft: This is the theft of information. Simply put, if you do not protect it, it will be stolen. Theft of information or revenue leads to loss of commercial value, loss of sales and loss of profit. It also covers copyright theft and the circumvention of digital rights management on protected materials, theft of customer assets and theft of infrastructure.
3. Fraud: This refers to illegal access to information, leading to fraud, identity theft, misrepresentation, and contract and procurement fraud. It also includes exposure to direct losses due to fraud, and to losses arising from legal recovery actions brought by third parties.
4. Service availability: Denial of service or interference with service, whether due to invalid or altered information, poor change management, user error or external action. This includes actions designed to damage or deny service availability through technical, logical or physical attack.
5. Business agility: Business growth is held back and the opportunity for profit is reduced when systems lose agility and every solution needs custom-built protection. The inability to measure, manage and respond to actual risks leads to slow testing and over-design, increased cost of solutions and delayed delivery. This is a slightly harder sell, but it must be made clear that it is about what the bad guys could do if you let them.
6. Reputation: The loss of business reputation resulting from information loss or service interruption leads to a loss of credibility with key customers - in turn leading to reduced repeat business, lower volumes of business and the defection of customers to competing services. This has an impact on shareholder value. While it may not necessarily destroy your company, it could destroy your career.
"While you can simplify the process, you cannot avoid hard work - but you can bridge the risk assessment and business understanding of this. It is all about the dialogue."
Bonnie Tubbs reporting from ITWeb Security Summit 2014.