Traditionally, IT and data security have been the responsibility of the IT department.
Company management boards have not, as a rule, got involved in technology, and until now have been ill-equipped to understand and ask the correct questions concerning security. Nor have IT directors spoken the language of the board.
But things are changing.
External regulatory and compliance pressures are driving companies to view security from the perspective of business risk, particularly if the main board directors are liable.
Keith Foggon, consultant at security expert DNS, says the steps that companies can voluntarily take are being eroded as legislative and statutory requirements become more focused on the pursuit of good information security practices.
IT security is an important component of overall organisational security, but that does not mean the IT department should be responsible.
According to David Porter, senior fraud expert at intelligence consultant Detica, responsibility for security ought to rest outside the IT department.
‘All too often IT personnel holding the keys and access privileges can be the source of security violations as a result of greed, bribery, corruption or extortion,’ he says.
Only by addressing security from the aspect of risk can an IT director easily convince the board that information security is not just an IT issue.
Failure to adopt good security practices will ultimately lead to the downfall of any organisation as, apart from any potential financial loss, the damage to customer confidence and an inability to adhere to statutory rules will render any organisation unable to trade.
Present the cold hard facts to the board: that is the sound advice from Nicky Springle, IT manager at shaving and skincare expert King of Shaves.
‘Telling them about the problem is one thing, showing them the data to back this up makes it impossible to ignore,’ he says.
‘Often, IT decisions are finance-led, therefore it really is important to ensure you fully recognise the real cost to the business of a security breach.’
A good place to start is by focusing on the value of business information.
Organisations of all sizes invest in complex IT architectures to support their business. Now, they need to acknowledge that their information capital is more valuable to them than any of these technologies and other tangible assets.
Toby Clarke, group IT director at insurance expert Abbey Protection Group, believes that good security should be embedded into the culture of the company.
‘Our security guidelines are comprehensive, and part of our terms and conditions so we get people to buy into it from day one,’ he says. ‘We also have a pop-up box that reminds our users what they have agreed to. It is about achieving a balance between usability and security.’
Too many organisations respond to security needs in reactive and tactical ways. Treating information assurance as a strategic issue with leadership and support from the board should involve taking a broad perspective of the whole topic.
Organisations have to start with business context, taking into account the external pressures from legislative, regulatory and corporate governance requirements, and then balance that against the level of risk the management is prepared to accept. In this context, it is possible to make a broad, top-down assessment that highlights the key risks that really matter to the board and the company.
‘You have to identify what your potential risks are before you can do anything about them,’ says Clarke. ‘And that is an uphill struggle that is only going to get steeper.’