Security is a strategic issue

By Tracy Burrows, ITWeb contributor.
Johannesburg, 22 Aug 2012

South African enterprises seem to be unaware that their management and CIOs can be held personally liable for information security failures, says Anthony Olivier, MD of Performanta Consulting.

Anti-virus and other tools are not information security - they are just elements of it, says Olivier.

“The reality is that too many South African enterprises - and I include large, reputable enterprises - do not understand the importance of a proper information security strategy.”

Olivier offers information security consulting services, and says he sees the same story time and again.

“I go to organisations as a consultant and ask obvious questions, like what their AV numbers are - how many viruses have they been hit with. Some CIOs don't even know those numbers exist. Or I will ask how many people they have in their information security department. Frequently, the answer is 'none' or 'we have an IT guy doing it on the side'.”

Olivier says security may show up as a top concern for CIOs in major surveys, “but this isn't what we are seeing on the ground.

“Even large enterprises, including those in the financial sector, tend not to see information security as something that gives them a competitive advantage. Therefore, they don't allocate sufficient resources or budget to it.”

Olivier says what commonly happens is that technicians or junior staff are tasked with managing IT security. They tend to see information security as a technical problem and attempt to mitigate risk by using technology alone. They are often faced with major challenges in getting budget for these solutions, he says.

What they - and management - don't realise is that, by law, they can be held personally liable if the information security in place proves inadequate. “The penalties can include massive fines or jail time,” says Olivier. “Just because nobody has fallen foul of these laws yet does not mean it cannot happen. And many CIOs are unaware that they can be held accountable in their personal capacities.

“If a CIO of a major enterprise is not aware of the risks he is personally facing, how will the rest of the industry take it seriously?” he asks.

IT Security Forum

In your information security function, you need to know how to influence decision-makers in the organisation to ensure you get the support from the board in order to implement the required security initiatives. The purpose of this event, scheduled for 28 August, is to create a bit of a 'shake up' in the industry; challenging you to look in the mirror and understand how you can be the change you need to see in your department.

Olivier says too many companies appear to think that once they have anti-virus, firewall and the like in place, they are secure. Nothing is secure, he notes.

He cites Haroon Meer, of Thinkst, who says he no longer bothers carrying out penetration testing, because he knows he will always find holes.

“If you can penetrate anything, solving the security problem needs a different approach,” says Olivier.

“Information security is a management problem. You have to look at all aspects of the problem; ask 'what level of risk are we willing to accept, what funding and personnel must be put into combating the problem?'

“You need to understand the structure, have the right policies in place, the right reporting lines, and management needs to track it effectively. An effective information security strategy depends on how you bring all those units together coherently.”

Olivier will discuss the tools to make strategic planning work at Performanta's IT Security Forum later this month.