IT security in the recession

Advertisements

What security challenges do organizations face today?

The focus of security is evolving from protecting assets and reducing risk to enabling business productivity and ensuring compliance. The traditional IT-led approach to security is being replaced by a business led focus on information security.

Organisations operating in an internet oriented world has resulted in technologies evolving more quickly to support business and businesses evolving faster through being enabled by IT. Keeping up with the risks that these new business paradigms pose and neutralising them is difficult given the fact that most consumers, employees and partners are very computer literate.

For example, criminals are targeting organizations in a focused way for financial gain. Executives, employees and customers are potentially exposing themselves through social network sites like Facebook where (for example) all of the published personal data can be correlated with password hint questions.

Many recent stories around security breaches illustrate the pressure within organizations to "get the job done' without reflecting carefully on the consequences of this. Often business processes haven't been in place to ensure good management of information or they have not been robustly enforced.

For global giants  like microsoft these challenges are colossal because they have to operate across different geographies and market sectors, all with their own regulatory requirements.

What impact is the credit crisis having on organizations' approach to security?

The downturn in the economy increases pressure on organizations to become leaner, more competitive and more agile. However it's hard to illustrate a compelling business case for traditional IT Security unless it is linked to revenue generation and not just cost cutting and ensuring against security risks. Other business critical projects often get priority because they have a clearer perceived greater rate of return. Organisations must however remain vigilant in their efforts to be secure. Economic pressures are tough but a major security breach is enough to put an organisation out of business for good.

How should organizations respond to these challenges?

Economic pressures are forcing the CISO role to evolve and become focused on securing the technology to enable the business to succeed. This means looking at security as a 'business service'. For example security can improve integration between suppliers and customers, and allow common access to data in a safe environment. Web technology and identity federation have a strong potential to build organisational performance. In fact, new business models can be enabled directly because of these new technologies.

For example, a retail or telecoms organisation may own its customer relationships, but the service is provided by a partner or supplier. Identity federation enables trust and information sharing to be established throughout the supply chain in order for improved and seamless service delivery.

Mergers and acquisitions also expose a strong need to rationalize processes and IT services to get the expected returns. Identity and access is deeply embedded in business process and there are real gains to be made by adopting best practice and the correct technologies.

Organizations will also look to save costs by outsourcing, but this brings with it new security risks. For example the trend toward visualization and off shoring have increased the volumes of data being transferred externally between organisations. This raises the risk of data being lost or misused, or loss of data access control, so must be mitigated against in security plans.

IT security is becoming business security

IT security needs to be viewed in the context of the whole business rather than focused on a specific technology or process. The security team in an organisation should now engage with the business stakeholders and can discuss how the business can leverage security as an asset. Organizations depend critically upon IT to exist and IT security is becoming more about managing business risk than just operational risk.

IT security needs to be viewed within the bigger picture of aligning IT infrastructure. The objective is to unify and simplify the processes and the technology to better meet the needs of the business to increase agility and reduce cost while complying with the increasing regulatory burden.