IT Security Must Enable Business, Not Disable It

As well as best practice there is also the question of training. You cannot drive a car without a driving license – and yet there is no legal requirement for someone who is responsible for the personal data of thousands of people to have any training or qualification. Once again there are many existing programmes that cover this need. These include: ISACA (Information Systems Audit and Control Association) and ISC2 (the International Information System Security Certification Consortium).

The Changing Role of the CISO

Economic pressures such as the credit crisis are forcing the CISO (chief information security officer) role to evolve and become focused on securing the technology to enable the business to succeed. This means looking at security as a “business service”. For example, information security can improve integration between suppliers and customers, and allow common access to data in a safe environment. Web technology and identity federation have great potential to build organisational performance. In fact, new business models can be enabled directly because of these new technologies.

For example, a retail or telecoms organisation may own its customer relationships, but the service is provided by a partner or supplier. Identity federation enables trust and information sharing to be established throughout the supply chain, allowing improved and seamless service delivery.

Mergers and acquisitions also expose a strong need to rationalise processes and IT services in order to get the expected returns. “Identity and access” is deeply embedded in business processes, and there are real gains to be made by adopting best practice and the correct technologies.

Organisations will also look to save costs by outsourcing, but this brings with it new security risks. For example, the trend toward virtualisation and offshoring has increased the volumes of data being transferred externally between organisations. This raises the risk of data being lost or misused, and must be mitigated using information security techniques.

IT Security Is Now Business Security

IT security needs to be viewed in the context of the whole business, rather than focused on a specific technology or process. The security team in an organisation should engage with the business stakeholders to focus on how the business can use information security as an asset. Organisations depend critically upon IT to exist, and IT security is becoming more about managing business risk than just operational risk.

IT security needs to be viewed within the bigger picture of aligning IT infrastructure. The objective is to unify and simplify the processes and the technology, to better meet the needs of the business, to increase agility and reduce cost, while complying with the increasing regulatory burden.

Mike Small CITP, FBCS, is a Principal Consultant with CA.


TechWeekEurope Staff
