Mai Moodley: Owning security beyond the job title
Building better security is about sustainable changing of mind-sets towards information security from concept into practice.
This was a view shared by divisional head (GM) for financial systems and processes, State Information Technology Agency, Mai Moodley. Addressing delegates at the ITWeb Security Summit 2014, Moodley noted that organisations fail to understand environment and organisational challenges that are unique to their business.
"When I worked at the Reserve Bank, for example, other banks would adopt the same security solutions we were implementing, purely because the Reserve Bank was doing it and forgetting that the day-to-day organisational challenges are not the same," explained Moodley. "This is often at odds with the reality of their situation, leading to the wrong resources being utilised, poor change management and poor leadership."
As a result, stated Moodley, organisations find themselves with numerous missing links such as lack of accountability, no follow-through on the security strategies that have been adopted and no metrics to measure whether these strategies are efficient or not.
"Solving the security strategy puzzle requires the speed of delivering actionable real-time threat intelligence, reactive responses and measured practical understanding," he said. "Also, balancing practicality and logic as opposed to relying solely on theory is key to implementing meaningful and monitored measurement."
Moodley further urged organisations to moving beyond merely complying with security policies that are put in place, to changing behaviour.
"Security departments should own security beyond the role or job title," remarked Moodley, adding that security processes should be simplified and people-friendly. "People want the easiest point from A to B. The simpler, the better will always overcome clever and complex. These processes should be engineered with the end-user in mind. If the organisation's security policy is too complicated for employees to understand, it's easy to overlook and continue compromising the network."
Organisations should strive to empower business leadership to understand the value of security, advised Moodley, pointing out further that information security should be linked to corporate goals.
"There should be certainty across the board that information security is based on a risk based approach, which is subject to continual measurement. The challenge of 'selling' security is equivalent to shaping and transforming the enterprise risk agenda," he concluded.