We live in a market-driven economy, and the link between security expenditure and its return on investment is tenuous. Information security gives a form of insurance: protecting the assets, reputation, customer confidence, brand and, increasingly, the physical security of the business as more things become internet connected.
While these things are the most valuable business assets, they are hard to quantify. Neither the goals nor the route to achieving security are clear. Total security is impossible as people are a major component in the risk scenario.
In addition, the IT infrastructure in almost all businesses is vast and not fully documented. The threat environment is continually changing and becoming more menacing, coming from sources as diverse as foreign powers and disaffected employees.
There are many laws and regulations emerging in this area, notably data protection legislation, but these set objectives and the route to delivering the requirements is not defined.
Security strategy in a business can only be delivered in an efficient way if there is a top-down strategy driven by the board and structured along risk management lines. This won’t guarantee success, but it will help to clarify policies and should be flexible enough to accommodate changing circumstances.
Security is subordinate to the business
In general the business decisions relating to information security spending should be made on the basis of what level of risk is acceptable, and what is the most efficient way of achieving the necessary risk mitigation. IT security is a necessary burden for most organisations.
Customers, partners, staff, suppliers and other stakeholders expect an organisation to be secure and it is, therefore, hard to sell security as a value-added commodity. However, the cost to the business of not providing effective security is enormous, possibly ruinous.
Despite this, security professionals are always under pressure to cut costs. The potential risk in the information security field is hard to quantify. From an actuarial point of view, rare major losses are harder to estimate than more frequent, lower-level losses. The biggest single risk for most businesses is brand degradation, and this is particularly hard to quantify.
The cost of a security breach is often borne by a party other than the one that was responsible for the lapse. For example, individuals bear the consequences of leakage of their personal data, and are only partly compensated by the organisation that leaked them.
Security must therefore be viewed as a component within the risk management infrastructure of the organisation. The level of security should be determined by the needs of the business and in relation to the provision of all forms of risk mitigation. Various frameworks such as the ISO 2700n family of standards, COBIT and its extended form Risk IT help to steer these deliberations, but judgements remain subjective.
On a positive note, the growing importance of online transactions, the increase in regulatory compliance (including initiatives such as those of the payment card industry) and growing awareness of cyber risks have made business leaders more conscious of the need for security.
You can’t secure what you can’t manage
Securing IT systems is an integral part of managing IT systems. The first requirement to secure something is to have an accurate record of what you have, how it is being used, and what it is being used for.
Most organisations struggle to stay up-to-date with the status of each of their servers, let alone with user PCs spread across multiple sites and countries. Simply managing all their digital certificates is challenging.
Furthermore, an integral part of any IT system is the users, who may be employees, subcontractors, suppliers, customers, partners or others. All of them are human and therefore unpredictable. The human risk is most evident in protecting removable storage and mobile devices.
Even setting aside people who deliberately seek to subvert security, others will make mistakes or fall for some form of social engineering scam. The corporate infrastructure increasingly incorporates personal devices that are harder to manage and secure than corporate-owned devices.
Who is responsible?
IT security needs to be driven by the top-level management in an organisation, and in most cases there is now a policy framework coming from the board. However, this is only the first step. Differences in the vocabularies used by the business and the IT department have impeded communication down the line.
Information security is a requirement on people throughout an organisation and the deployment of IT security products is often delegated to departmental level. For example, marketing or business development may well be responsible for corporate websites. IT departments generally run data centres.
Identity management and user access controls often come under the remit of the HR department. This is a problem because information security needs to be viewed from a holistic perspective in order to identify residual levels of risk resulting from policies and practices in each area of the corporate operations.
Where does the threat come from?
There is a wide gulf between headline-grabbing stories such as the Sony Studios hack and a typical cyber-attack. Most incidents are the result of mistakes or random malware attacks.
However, the deliberate attacks have the most serious consequences.
Deliberate attacks are planned, determined and often long-term. Such attacks may come from disaffected employees and former employees, competitors, criminal gangs usually intent on fraud or theft, or governments.
Criminal gangs are the main danger for most businesses. Attacks can involve a multi-stage process that starts with a social engineering approach aimed at stealing key passwords and user credentials for use in subsequent stages of the attack. In some cases spyware is downloaded into the organisation.
However, ultimately attackers are driven by their own need for profit. This can come from a few high value information assets, a multitude of relatively mundane information assets, or from inflicting damage on an opponent.
Security management
Security management is a developing area for product support. The higher levels of security management have to dovetail into business process frameworks and risk management. The intermediate layers include monitoring and managing the configuration of IT infrastructure, and the security information and event management (SIEM) field.
While most compliance regulations are expressed in business terms (with the notable exception of the Payment Card Industry Data Security Standard), delivering these requirements necessitates numerous security controls. This means that the reports available from security management products are crucial to satisfying compliance requirements. However, they do need to be re-presented in the format required by each set of regulations.
When it comes to deploying security products, it is helpful to choose products that are well integrated with each other, even if this means selecting on a fit-for-purpose basis rather than best of breed. Many organisations are seeking to rationalise their suppliers to help achieve this, as well as to get better contractual terms.