Enterprise information security must include corporate governance and enterprise risk in order to be taken seriously.
This is according to Pierre Noel, information security and risk management evangelist for the IBM Group, who spoke at ITWeb Security Summit 2008, in Midrand, this week.
"Enterprise security has more to do with risk management than network management," he said.
Noel explained that having the most technically competent IT team is of little relevance to security. "They will look at security from a technical point of view. What we need to keep in mind is that behind every security incident there is a human being."
According to Noel, executives are overwhelmed by the acronyms and jargon the IT department uses when speaking about security. "If you want your IT department to be known as more than just 'the AV guys', elevate the message of risk, mitigating controls and business impacts rather than firewalls and PKI [public key infrastructure]."
Noel believes that if this approach is taken, it will attract more executive attention and security will receive a more lucrative budget.
Many security breaches can be attributed to privileged users within the organisation, noted Noel. "Many violations happen accidentally, but a large percentage is deliberate."
Reasons for these kinds of security violations include improper change management, insufficient segregation of duties, excessive user access and a lack of access controls.
According to Markus Nispel, director of solution architecture at Enterasys Networks, the corporate network needs to be protected not only from outside attacks but from inside ones as well.
Network access control (NAC), which he describes as "user-focused technology that authorises a user or device and allows them access to certain resources", is of paramount importance to prevent internal violations.
"One of the biggest drivers for deploying NAC is the ability to control network usage. We need to know who is doing what," he said.
Other drivers are workstation security, separating regular and guest users, securing non-workstation end systems, as well as corporate and regulatory compliance issues.
"Network access security provides continuous business protection."