
The science of information security

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 12 Apr 2016

ITWeb Security Summit 2016

Steve Jump from Telkom will be presenting at the 11th ITWeb Security Summit 2016 on 17 and 18 May. He will discuss the science of information technology and how you can prove that your current security system and process is working for you, or not.

Information security is rarely achievable through the random application of IT security components. It is about understanding the value of an organisation's information assets, determining the risks to the information and the systems that contain it, and designing appropriately scoped solutions to remove or mitigate the risks.

So said Steve Jump, head: Corporate Information Security Governance at Telkom, who will be presenting on the science of information security at the ITWeb Security Summit 2016, at Vodacom World from 17 to 19 May.

He says that, as with all such exercises, measuring how well information security is done requires a model with metrics and an understanding of what the business considers to be its main objectives.

"Although this is often seen as an engineering problem, we look at this process as obtaining knowledge about the organisation, its purpose, its staff, its products and its information assets that go beyond the technical. We consider this to be the science of information security."

In terms of what South African businesses are doing wrong when it comes to information security, Jump says the easy route is looking at what everyone else is doing, and buying or renewing the same systems that have always been in place.

It is also easy to continue spending money on the support, maintenance and operation of these systems, because not to do so would make things harder.

"Because of this, if an organisation has not reviewed the function of technical and procedural information security systems against its own current business threats in the last 24 months, it is very likely that it is paying for systems that are not being fully used, and are not protecting the assets that the business expects them to."

Steve Jump, head: Corporate Information Security Governance at Telkom.

According to Jump, any security tool that is tested on a system will discover a 'new threat'. "As a security executive you are responsible for making sure that the cost of detection and removal of that 'new threat' is actually a real reduction in your business' risk profile, and that the investment in its acquisition and use is appropriate to the benefit."

He says merely having the latest and fastest security systems does not automatically mean that the organisation is safe, but if there is an understanding of what is being protected, the right resources can be applied to the right problems. "Not only will that help you manage the cost of your security solutions, it will help you to manage their operation."
