Information security is rarely achievable through the random application of IT security components. It is about understanding the value of an organisation's information assets, determining the risks to the information and the systems that contain it, and designing appropriately scoped solutions to remove or mitigate the risks.
So said Steve Jump, head: Corporate Information Security Governance at Telkom, who will be presenting on the science of information security at the ITWeb Security Summit 2016, at Vodacom World from 17 to 19 May.
He says that, as with all such exercises, measuring how well information security is done requires a model with metrics and an understanding of what the business considers to be its main objectives.
"Although this is often seen as an engineering problem, we look at this process as obtaining knowledge about the organisation, its purpose, its staff, its products and its information assets that go beyond the technical. We consider this to be the science of information security."
In terms of what South African businesses are doing wrong when it comes to information security, Jump says the easy route is looking at what everyone else is doing, and buying or renewing the same systems that have always been in place.
It is also easy to continue spending money on the support, maintenance and operation of these systems, because not to do so would make things harder.
"Because of this, if an organisation has not reviewed the function of technical and procedural information security systems against its own current business threats in the last 24 months, it is very likely that it is paying for systems that are not being fully used, and are not protecting the assets that the business expects them to."
According to Jump, any security tool that is tested on a system will discover a 'new threat'. "As a security executive you are responsible for making sure that the cost of detection and removal of that 'new threat' is actually a real reduction in your business' risk profile, and that the investment in its acquisition and use is appropriate to the benefit."
He says merely having the latest and fastest security systems does not automatically mean that the organisation is safe, but if there is an understanding of what is being protected, the right resources can be applied to the right problems. "Not only will that help you manage the cost of your security solutions, it will help you to manage their operation."