Johannesburg, 13 Oct 2010
Events across the globe over the past 18 months have seen internal information security breaches escalate to an unprecedented level. This has forever changed corporate consciousness in the security landscape. Companies must urgently address the situation to protect their information assets and the privacy of their electronic identity.
J2 Software managing director John Mc Loughlin says as the complexity of data and ease of access keeps increasing, now more than ever, companies have a golden opportunity to push information security to the top of their agenda.
"It is more important than ever to ensure that information is protected and risk is minimised, especially considering the ever-changing business environment. Information drives businesses and has become the lifeblood of modern organisations, without it they die."
According to a number of recent studies, the `Insider Threat` has loomed to become the most feared information security risk in most organisations today. Regardless of the technologies and software solutions that an organisation may deploy to mitigate the risk of information security breaches, the critical factor is always people.
He says the only solution is to build information security into the DNA of the organisation and its employees. "Making your people the guardians of your information."
Working with large and small organisations in various sectors, including distribution, precision engineering, pharmaceutical and financial services, it has become evident that only a relatively small number of people are maliciously or intentionally non-compliant with a company`s IT security policy. In the majority of cases it is found that non-compliance results from unintentional ignorance, often fuelled by unsupervised or misguided use of computers.
"Today, the time is right to discuss the major challenges that managers face when attempting to uphold their information security and compliance strategy; it is the perfect time to share experiences and solutions in an aim to help overcome the complexity of these issues," he explains.
Building information security into the DNA of any organisation is the key to achieving compliance and mitigating risk, but it also presents the biggest challenge, especially for large and complex organisations. Even in organisations where other aspects of security are paramount, eg, national security in defence environments, the internal regulation of information security policies can prove to be more difficult to enforce.
The buy-in process needs to start at board level and then progress down to the general employee level. Achieving this is not easy and the challenges differ according to the level of maturity of the organisation. Work still needs to be done at board level to change the attitude that compliance costs money and is akin to buying insurance. If nothing has happened, why buy more protection?
Many organisations are typically seen as seeking the `Magic Bullet`, but are reluctant to adopt measures that are perceived to inhibit business activity. It is often the case that governance, risk and compliance teams, who are not seen to be generating revenue for the core business, are often viewed as `business prevention officers` because the enforcement of policies and procedures is perceived as obstructive, time-consuming and a barrier to generating revenue.
There must be a balance between business risk, business operations and business competitiveness. This also requires the organisation to use tools that are proactive as opposed to reactive.
However, the risk of reputational damage is an extremely powerful factor that all directors want to avoid at all costs. High-level incidents are now reinforcing the compliance message via the `fear factor`. These incidents also illustrate the ongoing reputational and financial damage that results from such incidents. Reputational risk is a factor that is increasingly driving compliance, particularly in the financial services and public sectors.
The importance of the IT security policy document and how it is communicated and enforced is a crucial issue. Most of these documents are too bulky and unmanageable, making them likely to remain unknown and unnoticed. Keeping it `live` and relevant, while communicating the relevance throughout the organisation is the key to achieving the objectives of the document. This proves to be a difficult task, especially when even the authors of the policies can sometimes forget what it contains.
Large organisations are usually divided into departments with associated responsibilities that never `talk` to each other. These silos foster poor communication, as is often the case between the IT department and the board, the audit department and senior management.
Consequently, compliance is often viewed from two or even three opposing perspectives with each party failing to see the other`s point of view, or to be able to effectively communicate risk and consequences. An important factor is the different language and terminology used by the IT and finance departments, which may not be clearly understood by those who need to know.
There are also examples where risk has been communicated, but has been purposely ignored when it is financially advantageous to do so. In these cases, the audit department `red flag` certain suspicious activity to management but is somehow ignored. Reluctance to escalate a known irregularity is highly likely if the irregularity is generating large sums of money.
`Compliance Fatigue` can result from the constant updating and revision of regulatory compliance requirements. The outcome of such fatigue can mean that most people stop paying attention, failing to read, understand or care to follow policy. This is a major challenge for all organisations in the regulated environment.
All of these factors must be taken into account when considering the implementation of a long-term governance, risk and compliance strategy.
Mc Loughlin says risks arise when a company has multiple external providers and none of them meet the same standards of internal compliance and risk assessment, often because they do not face the same regulatory pressure. "This is when trust has to play an important role and the associated risk may be high. Balancing risk and compliance when a large percentage of people working on a project or deal are external, or where aspects of the business are globally outsourced can be problematic."
In order to turn governance, risk and compliance into competitive advantage, it must be perceived and experienced as a `business enabler` as opposed to a function that leads to `business prevention`. Compliance should not lengthen the `time to value` continuum, which is a critical success factor for many bid teams.
For this reason, bid teams often do not include compliance staff and in situations where a complex bid is being put together in a short timeframe, cutting corners is a very attractive option. It is here that the risk management equation comes into its own, where management is often found asking: "Is the cost of non-compliance worth the risk?"
When legislation is amended several times during the process, compliance could very easily become a casualty. Legislation that changes regularly, leaving it open to interpretation and sometimes with a requirement to be implemented across continents, all leads to compliance being viewed as an undesirable overhead.
"With all these challenges, how do they build information security and compliance into the DNA of an organisation? There is a simple answer, it will take some time, effort and commitment from everyone, but for total success - the entire initiative must be led from the top," he says.
The aim should be to get information security awarded the same status as occupational health and safety and corporate social responsibility (CSR) at main board level. This needs to be enforced and managed by well-planned internal structures and processes that are regularly reviewed.
Driving down the cost of compliance is not only the key to competitive advantage, but also to compliance being taken seriously and becoming part of a cost-effective executive risk management strategy. If compliance is too time-consuming and complex it will be ignored or shortcuts will be taken.
Compliance must be turned into competitive advantage whereby the opportunity cost of being compliant is vastly reduced. In order to help achieve this, compliance roles should not be separate, but should be seen as business enablers, integrating the compliance needs of audit and IT and communicating this at a board level.
He says unseen risks cause damage and unfortunately, one cannot manage what one cannot see. "This is a simple phrase to keep in mind when implementing the governance, risk and compliance strategy. Incidents will inevitably occur regardless of effective security measures, but ongoing proactive automated enforcement, staff education and end-user buy-in will minimise the likelihood and impact of unforeseen risks."
When information security is embedded into an organisation`s DNA, compliance not only involves observing the formal rules as laid out in the policy, but also includes observing the informal rules governing circumstances that may not be anticipated. Observing these informal rules will demonstrate that security is well and truly embedded in the organisation`s DNA.
Once this process is initiated, a simple but effective test of how well security is embedded into the DNA can be illustrated by leaving a confidential document on the floor in a common area to see how it is handled by passing staff.
"Employees must be confident in handling situations where they may not have the familiar security parameters around them and the informal rules or corporate morals will kick in automatically," he concludes.
For more information, contact J2 Software on 0861 00 J TWO (5896) or e-mail john@jtwo.co.za.
Share