Until now, many blue chip concerns have been forced to rely on the nebulous cost of non-investment – a fear factor sales approach that promises doom to the company which doesn't buy every security system available. The result? An insecure operation where management has refused to succumb to threats, or one that boasts excessive expenditure in proportion to the risks involved. As Brian Sims explains, the Adaptive Security Index could be the solution.
The world has changed, and is changing, in so many ways – and at a rapid rate. For their part, economists have long recognised that economic cycles are beginning to quicken, and that peaks and troughs are now occurring much closer together.

Nevertheless, cyclic certainty has allowed businesses to plan for the good times and the bad. To reap the rewards of the good times, and ride out the bad.

However, blue chip companies now have to face the fact that cyclic certainties have disappeared – almost undoubtedly forever. The global village, the global economy and mass instantaneous worldwide communications have all combined to increase economic volatility. With the world itself in such a volatile state, it comes as little surprise to learn that the old and trusted economic cycles have been replaced by violent swings.

The Information Age
Information is now recognised as a major – if not the major – asset owned by any organisation. The criminals have cottoned on to this, such that threats to (and attacks on) corporate data are increasing daily. The Internet was designed to be an open network available to all, but any reliance on a global data network that's accessible to everyone – friend and foe alike – can do little but leave every organisation vulnerable.

That vulnerability is widespread and increasing, whether coming from internal or external sources. Denial of service attacks can prevent an enterprise from using its own data. Individual viruses may lead to the widespread loss of crucial information. Successful hacking attacks might compromise the integrity of all information, while Trojan horses could steal confidential data. Let's not forget that web site defacement is also a sure way to destroy a company's good name. To be honest, the list just keeps on growing and growing.

The effect of a serious breach of information security is primarily two-fold. There's a cost in financial terms, and a cost that centres on reputational damage. That said, the effects can be much worse.

Our own Department of Trade and Industry has demonstrated on more than one occasion that the majority of companies who lose access to their computer systems for just a few days will not merely find it difficult to recover. They'll probably not be able to survive.

One thing is clear, then. The information security world is every bit as volatile as the wider economic world. With that in mind, companies need to be as flexible and adaptive in their attitudes towards security as they do with their overall business strategies.

Easier said than done. Information security is a complex and intangible subject. There are few rules. One rule of thumb that's often quoted is that you should never spend more on information security than the value of the information which you intend to protect. However, this is little more than a value judgement that doesn't tell you where investments should – and need to – be made. There is also no basis for establishing a return on your investment.

How, then, might we bring the concept of adaptivity into security?

Designed specifically for security and IT directors, the Adaptive Security Index (ASI) – devised jointly by Cap Gemini Ernst & Young and Cisco Systems – is a quantitative method for determining an organisation's security capabilities. Unlike other methodologies that often focus solely on the technical aspects of security, the ASI measures an organisation's approach to the security problem through the application of two concepts in a three-by-three matrix (see figure 1): mindset and execution as delivered at the overall business level (as opposed to merely being within the IT and Security Departments).

Mindset and Execution explained
The terms 'mindset' and 'execution' are largely self-explanatory. Put very simply, mindset is a measure of any given company's attitude towards information security, while execution is a measure of the manner in which security mechanisms are delivered.

As you can see, the three categories on the mindset axis are: tactical, business aligned and ecosystem integrated. Those on the execution axis are: reactive, managed and agile. Put together, the matrix can highlight where an enterprise currently sits within the ASI, and can demonstrate what more needs to be done to improve that position.

A tactically-managed reactive security philosophy may not be the optimal approach, but is still very common and appropriate for some businesses. Similarly, a philosophy that has security integrated into the business ecosystem and delivered in an agile manner is the most effective, but may also imply too much security investment for some businesses. What's really needed is a way for an organisation to assess its security capabilities and compare them to an industry benchmark.

With this in mind, Cap Gemini Ernst & Young and Cisco Systems have recently taken their ASI and applied it to the real world. The alliance conducted a major survey of 270 companies from North America and Europe, providing a snapshot of the current state of the effectiveness of information security around the world. It's a barometer of business attitudes to security, showing both where we are and what needs to be improved upon.

From an analysis of the survey, the two companies are able to make a series of recommendations designed to improve the security capabilities of business in general, and specific areas in particular. Not only were the companies surveyed split evenly between North America and Europe, they were also split between financial concerns, media companies, industrial and retail organisations and a host of other business areas. And there were variations to be found in security practices both geographically and vertically.

Generally speaking, North America is more advanced in its path towards adaptive security than Europe. For example, 36% of those European concerns surveyed consider security to be a purely technical issue, while less than 10% of North American firms view it in the same manner. However, 88% of North American outfits perceive security as being a business issue, or indeed a business issue that's solved by Information Technology. Less than half that number of European companies view it in a similar light.

Vertical markets show a similar disparity, with financial companies generally more advanced in their attitudes towards – and their implementation of – adaptive security.

What is Best Practice?
Security can only be truly adaptive when it has the capability to rapidly respond to changes in business environments and threat levels. Achieving this position requires that security becomes a business issue handled at Board level without losing the flexibility of IT-controlled implementation.

The path to adaptive security is really nothing less than the complete integration of security within the business ecosystem, as measured by the ASI. This means that security must be integrated into – and involve – every aspect of the business. The ASI can highlight what needs to be done by the Board (ie those executive officers and directors with direct responsibility for running the business) and the Security Department to improve security at every level.

Don't neglect the online image
We've already discussed the truism that global economic volatility can affect share values overnight by weakening general trust levels. Information security issues can do the same to individual companies. At a time when business is increasingly transacted online, so a company's online image will assume an equally increasing importance. And that image is constantly under threat from hackers, crackers and all manner of cyber criminals.

It's important that shareholders are able to trust that the Board is taking all reasonable precautions to protect the security of company information. Without that trust they're likely to move their investment to a safer location.

The Board must be seen to protect information, and can do so by:

  • executing security planning across the organisation – a security 'Centre of Expertise' is needed to ensure that business systems and security needs are correctly aligned;
  • developing an integrated and active security infrastructure – without an integrated security infrastructure, exploitable weaknesses may exist between the different security elements;
  • setting and managing return on investment on any security expenditure – only by controlling and managing return on investment for expenditure can the company be certain that it has the right level of security for the risk(s) involved;
  • operating at a known (and acceptable) level of risk – risk management techniques should be employed to discover the true level of risk;
  • managing compliance and conformance with external regulations – there's an ever-increasing volume of legal requirements concerning online business, and conformance with those requirements must be properly managed at all times;
  • implementing security governance – the basis of good security is a relevant and enforced company security policy;
  • developing a security-aware culture – people are the weakest link in any security chain, so there must be a continuous programme of staff awareness training.

The technical manager's role
The term 'technical management' really refers to those members of staff with direct responsibility for implementing and maintaining the IT aspects of security (ie the IT director, network managers, security manager and security officers). There is a definitive way in which they may provide an integrated IT security infrastructure that can support cross-functional applications and business processes, with the ability to roll out new services to employees, partners, suppliers and customers.

In essence, there are three fundamental issues that can be drawn from the ASI: the need to align business and IT security objectives, the need to take an holistic rather than piecemeal approach to security implementation and the requirement to treat security as a process that demands continuous reassessment.

Security must be viewed within the company as a business-critical issue. In other words, business managers must start to consider security as a business issue. The converse is equally true, in that your IT manager(s) must start to consider business as a security issue. This will not be easy, particularly given the fact that many on home shores believe security to be primarily an IT issue. However, there will be rewards if your firm gets the balance right.

For instance, the IT or security manager that becomes more involved and embroiled with the rest of the business will be taken more seriously. Crucially, the IT or security manager that realises security is the countermeasure to risk – and that risk is a business issue that can be measured and quantified in business terms with risk analysis and risk measurement, as well as return on investment and annual loss expectancy – is far more likely to receive the necessary budget from the Board for implementing their own technical solutions.
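Putting that last point into numbers: the following Python is an added illustration (not from the article, nor part of the ASI methodology or the Cap Gemini Ernst & Young/Cisco survey) of how the annual loss expectancy and return-on-investment figures mentioned here, and the return-on-investment bullet in the Board's list above, can be worked through for a single risk scenario. It uses the standard definitions SLE = asset value × exposure factor, ALE = SLE × ARO and ROSI = (ALE reduction − control cost) / control cost; the scenario names and every figure in it are constructed for illustration.

```python
"""Quantifying a security risk in business terms (added illustration).

Standard annual loss expectancy (ALE) and return on security investment
(ROSI) arithmetic, used to show how a proposed control can be argued to
the Board as a countermeasure to a measured risk.  Not part of the ASI;
all names and figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario."""
    name: str
    asset_value: float      # value of the information asset at risk (currency units)
    exposure_factor: float  # fraction of the asset lost per incident, 0.0..1.0
    annual_rate: float      # expected incidents per year (ARO)

    def single_loss_expectancy(self) -> float:
        # SLE = asset value x exposure factor
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A proposed countermeasure and the reduction it is assumed to deliver."""
    name: str
    annual_cost: float            # total cost of ownership per year
    rate_reduction: float         # fraction by which ARO is expected to fall, 0.0..1.0
    impact_reduction: float = 0.0  # fraction by which the exposure factor falls, 0.0..1.0


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk as it would stand with the control in place."""
    return Risk(
        name=risk.name,
        asset_value=risk.asset_value,
        exposure_factor=risk.exposure_factor * (1.0 - control.impact_reduction),
        annual_rate=risk.annual_rate * (1.0 - control.rate_reduction),
    )


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE reduction - control cost) / control cost."""
    saved = (risk.annual_loss_expectancy()
             - residual_risk(risk, control).annual_loss_expectancy())
    return (saved - control.annual_cost) / control.annual_cost


def justify(risk: Risk, control: Control) -> dict:
    """Summarise the case for (or against) a control in Board-level terms."""
    before = risk.annual_loss_expectancy()
    after = residual_risk(risk, control).annual_loss_expectancy()
    return {
        "risk": risk.name,
        "control": control.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "annual_saving": round(before - after, 2),
        "control_cost": control.annual_cost,
        "rosi": round(rosi(risk, control), 3),
        # A control that costs more per year than the loss it prevents is
        # the over-investment the article warns about.
        "worth_funding": (before - after) > control.annual_cost,
    }


# Constructed scenario: a customer database worth 2,000,000, where a typical
# compromise is assumed to destroy a quarter of its value, expected 0.4 times a year.
CUSTOMER_DB = Risk("customer database compromise", 2_000_000, 0.25, 0.4)

# Constructed controls: the same assumed 75% cut in incident rate at two price points.
AFFORDABLE = Control("segmentation and monitoring", annual_cost=60_000, rate_reduction=0.75)
OVERPRICED = Control("gold-plated programme", annual_cost=200_000, rate_reduction=0.75)

if __name__ == "__main__":
    for control in (AFFORDABLE, OVERPRICED):
        for key, value in justify(CUSTOMER_DB, control).items():
            print(f"{key:>15}: {value}")
        print()
```

Run as a script it prints both cases: the first control turns a 200,000 ALE into 50,000 for 60,000 a year (ROSI 1.5), while the second buys the same risk reduction for 200,000 and comes out with a negative return, which is exactly the "excessive expenditure in proportion to the risks" the article describes. The figures a real assessment would put into `Risk` and `Control` come from the risk analysis the text calls for, and they should be revisited on the same continuous cycle as the rest of the security programme.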

IT and security managers must reach out to align their security interests with business just as much as the business managers must seek to align their business interests with those of security. In short, security accountability in every organisation ought to be shared across business and IT.

A cycle of investment
The whole basis of the ASI is built on the premise of a volatile world. That volatility cannot be denied or discounted.

Always remember that security operations and control must be carried out with the backbone of a continuous cycle of assessment, evolution and re-assessment in order to meet and resolve changes in both your organisation's own business environment, and the landscape of security threats.