For every step a corporation takes to increase its security, the other side comes up with something to counter it. The result is an escalating “arms race” that companies cannot afford to lose. Even though information security has been a recent focal point in the news and has gained much attention in large organizations over the past few years, most businesses still have a long way to go before they can be reasonably comfortable with the security of their information systems and critical data. Security has become such a complex set of issues that it can no longer be divided into separate silos of physical and cyber threats. Only by taking a holistic approach to managing security enterprise-wide can companies protect themselves and their interests.

When it comes to implementing security solutions, a lot of emphasis has been placed on processes and technology, and not enough on people. Effective security can only be achieved if everyone involved (executives, IT, and all levels of administrative staff) complies with corporate policies and makes educated decisions. Focusing on the human aspects of physical and information security, which are typically the weakest link in the security chain, is a key issue companies need to address first, and often. Organizations need to develop a holistic approach to security that results in systems that are secure, practical, and user-friendly, and that also motivates employees to behave in a security-conscious fashion. Motivation of the end-user with respect to information security is a critical factor: security without a motivated end-user is like driving a car without turning on the engine. The first step is to start with a set of goals to guide the development and implementation of security systems, policies, procedures, and processes. Security is a mission-critical concern whose profile will only increase.
Some companies, recognizing this growing area of concern, have created a management group headed by a chief security officer (CSO) who has responsibility for information system security. The CSO ensures that proper funding and resources are invested to make security an integral rather than an ancillary part of the company’s regular risk management processes and procedures. But before embracing a holistic approach to security, companies first need to admit that they are indeed at risk. The two biggest myths around security are “It’s never going to happen to me” and “I can trust my employees.” Belief in those myths is a large part of why traditional security mechanisms have focused almost entirely on technology solutions; only in recent years have there been concerted attempts to take human factors into consideration. There is growing recognition that humans are the weakest link in the security chain and consequently the main cause of security breaches. In addition, hackers and industrial spies now tend to target the human weaknesses of a security system, through social engineering, before they target the technical ones.

An effective security program must integrate policy with process and automated enforcement of security controls to continually reduce risk. Many security professionals focus solely on managing individual projects and the issues at hand, and fail to establish a leadership role in IT risk management and strategic planning. They have been content to implement security on a piecemeal basis: securing a network with a firewall, protecting a subnet with a router, putting anti-virus software on a computer, and so on. That approach clearly hasn’t worked. For information security to work effectively it has to be planned, implemented, and maintained as a complete system, with all components working together, because each component depends on the others. A firewall, for example, can provide a false sense of security.
Yes, it is mandatory to protect organizations with a good firewall and other security solutions, but what really matters is that these are backed by adequate security policies and procedures based on a threat and risk assessment for the organization and on industry norms. Without a strong emphasis on the human aspects of security, the expenditure on hardware and software will be wasted. Poor passwords, for instance, make it easy for an intruder to masquerade as a legitimate user: the security system is still functioning exactly as designed, but it has been circumvented by poor human practice. In other words, security cannot be achieved by technology alone. It must become a core part of organizational culture and business process. Technology, behaviour, policy, and processes are all equally important in creating a holistic approach to security. Determining the business’s tolerance for risk; identifying and communicating security risks and risk mitigation options; and articulating security program costs and benefits to key individuals in IT and business management ahead of time are best practices that should become corporate mandates.

The holistic approach to security is still a tough sell to many companies. They tend to be more comfortable with the traditional, physical approach, because physical assets are more tangible than information and measures to protect them, such as padlocking all the gates to a plant, are easy to devise and implement. The evidence is increasingly clear that maintaining information security is a never-ending battle against adversaries who treat it as a game. To conclude, security must be viewed and implemented in a holistic manner. It has to start from the top and be embedded in every business process.
Security is not only technical solutions; it also includes the mind-set of each company employee. If a company can make each employee think and act like a security officer, then the organization has succeeded in adopting a corporate culture that truly values security as a top priority.

Mansoor Khan heads the Security Professional Services group at Soltrus Inc. Mr. Khan is a seasoned information systems security professional with over 10 years’ experience in the field of information security management and security audits. Soltrus Inc. is a leading Canadian provider of end-to-end security solutions for enterprise and small businesses. The company is also a leading provider of Digital Trust Services, through VeriSign, enabling businesses and consumers to communicate and transact over digital networks with confidence.

As Seen On: “Tophosts.com”