'Unsettling time' for information security
Enterprises may have had the business of information security in hand until recently, but a wave of new technology trends is changing all that, say key sponsors participating in the upcoming ITWeb Security Summit.
In a briefing ahead of the annual ITWeb Security Summit to be held in Johannesburg in May, top local information security stakeholders said the cloud, mobility and big data are threatening enterprise information security on numerous fronts. And with enterprise success now resting on its data, the stakes have never been higher.
Graeme McMillan, Cyberoam pre-sales manager, says where, traditionally, data was well-secured within the enterprise, it is now exposed and vulnerable on multiple levels. At potentially greatest risk, he says, are smaller and medium-sized enterprises which may not have the resources to protect themselves against the growing threats. "Many SMEs are also rapidly adopting cloud technologies without being aware of the potential exposure and risks," he says.
"Offices aren't just within walls anymore," Cyberoam SA country manager, Adrian Anema, notes. He highlights the example of a simple app downloaded to a user's cellphone, which activates malware only when connected to an enterprise laptop or server. "It can get scary," he says. "There are a number of ways an enterprise can be attacked."
Winston Hayden from GRC association ISACA South Africa says South African enterprises have, until recently, been somewhat protected by a lack of high-speed bandwidth. "South Africa's bandwidth constraints shielded us in the past, but with better bandwidth and increasing cloud adoption and Internet use, local enterprises are at greater risk," he says.
Event sponsor Performanta SA's CTO, Enlin Neveling, says the broad threat landscape is putting enormous pressure on security teams. "They can barely keep up with the demands in the new threat landscape. In addition, the cost of security is increasing, so IT has to constantly justify its security spend. Unfortunately, quantifying ROI is not easy. It's rather like insurance - you only see its value if something goes wrong."
Neveling believes successful information security today depends on getting back to basics and optimising existing tools before spending on new solutions. "For example, there's a lot of talk about mobile device management now, but this need not mean reinventing the wheel. Mobile devices are essentially just another endpoint, so if you have the basics right in your endpoint management, you may find that additional investments in mobile device management may not be as high as you first envisage."
Echoing this sentiment, Carel Jansen van Vuuren, business unit manager ICT Security Solutions at Datacentrix, adds: "The product is not as important as what you do with it. Effective information security is not just about technology - enterprises must address the policies, procedures, people, risk environment and compliance in a comprehensive manner. Now that information is the lifeblood of the enterprise, business must play a key role in ensuring information security is prioritised and a proactive, holistic approach is taken."