
IT security: prevention is better than cure

By Suzanne Franco, Surveys Editorial Project Manager at ITWeb.
Johannesburg, 09 Sept 2016
For the most part, large financial institutions are typically aware of the criticality of IT security.

Detecting IT security threats is vital to any organisation as digital technologies become ever more integrated. Employing adequate security controls that are able to detect and respond to security threats should be a top priority.

A recent ITWeb survey, IT Security Survey, done in partnership with RSA, revealed that costs are the biggest hindrance to investment in IT security within South African organisations.

It emerged that 30% of respondents said the difficulty of determining ROI and lack of security management skills also ranked high.

"Organisations need to be mindful that the days of box dropping some sort of security tool into their environment are long gone. A full end-to-end view of any IT security project - whether it be purchasing a new tool or service - needs to be adopted that not only looks at the costs around acquisition of the tool but also implementation to a defined state, training, on-going maintenance renewals, time and resources allocated to the running of the tool and identifying key stakeholders," says Ruben Espinosa, regional marketing manager at RSA, commenting on the survey results.

He advises that by being able to demonstrate delivery of security investments on time and within budget, IT security departments will be able to justify all future IT security spending.

Espinosa continues: "IT security follows the same principle as any form of security in that it is about risk mitigation. To understand and justify the ROI an organisation needs to be able to explain how the security investment is able to reduce the risk to the business. So what is the risk the tool or service is protecting the business against? What would the impact be if the risk materialised, what is the likelihood, how to test effectiveness? This approach needs to be reviewed regularly and in particular before renewing any existing solutions or services that require further expense."

Majority indicates IT security is crucial

A combined percentage of 68% of respondents indicated that IT security is of high and critical importance to their business.

"For the most part, large financial institutions are typically aware of the criticality of IT security. This might have something to do with the inherent nature of their business as they are used to placing their tangible valuable assets in secure areas such as vaults and safety deposit boxes," he explains.

As assets have become digital, so have the requirements for protecting them. Espinosa believes that in non-financial organisations this is not necessarily the case, as the boards of directors are not fully aware of their dependence on IT and it often takes some sort of incident or breach to make them take notice.

It's not at all surprising that only 10% of respondents said that IT security is a low priority within their organisation.

Espinosa comments on this finding: "Certain regulations, for instance King 3, stipulate that it is the responsibility of the board of directors to ensure the business takes adequate measures to secure their business. Failure to do so can result not only in brand reputation damages but fines and possible criminal convictions. It is the duty of any board to review risks to the business and their subsequent impacts and then question what the organisation is doing to mitigate these risks."

Forty-three percent of respondents indicated that their organisation plans to embark on an internal security strategy project within the next six to 12 months.

According to Espinosa, IT security strategies need to be closely aligned to the objectives of the business, and a key starting point is aligning IT security to regular business impact assessments.

"What are the key business processes within the organisation, how are they dependent on IT? What are the regulation or compliance requirements? What are new products and services that the organisation is intending to launch?" asks Espinosa.

He concludes by stating that each business process in an organisation will have an owner and it is ultimately that owner who is accountable for ensuring IT security is adequately engaged at all times.
