Buy-in needed to boost security
The biggest challenge when deploying an integrated security framework is achieving executive buy-in at board level, because security has traditionally sat outside core business interests.
Justin Williams, senior manager at Ernst & Young, will reveal the best approach to take when deploying security and IT control frameworks, at tomorrow's opening of the ITWeb Security Summit, being held at the Sandton Convention Centre this week.
An information security risk management framework provides structure and acts as a tool for corporate managers to monitor the implementation of a security management system.
Williams says the second biggest challenge IT faces is customising a framework that is appropriate for the organisation, and obtaining consensus from all parties needing to implement the framework. “The final challenge is finding ways in which to motivate or force the organisation to embrace and embed the framework in a sustainable way.”
According to Williams, implementing frameworks has always been an integral part of building an effective security management system.
He explains: “There is growing recognition of this both from an information security and IT governance perspective. The most important factor is related to the more human elements, such as executive buy-in and sponsorship. These alone can either enhance the success of the implementation or totally undermine it.”
Williams points to the King III report released earlier this year, adding that the governance report elevates the IT agenda to executive board level.
“King III specifically requires the implementation of a control framework for IT and the implementation of a security management system. Any organisation wanting to be compliant with King III will need to implement security and control frameworks.”
According to Williams, organisations striving for a consistent and continuous operation of their security environment need a control framework in place. “A once-off project can easily put controls in place. However, to embed them in a consistent manner through the organisation and have them operating in a sustainable manner is almost impossible without a defined framework.”