The common thread running through this year's Computerworld Security Summit is the urgent need to align IT security goals with business goals. Otherwise, failure is guaranteed.
Aligning Security to Business
There's no running from hearing all the gory details of enterprise breaches and personal losses whenever there is any form of known security breach. After all, who needs the publicity that one's security is as leaky as a piece of cleaning foam?
This year's Security Summit, held on 12 April at the Raffles City Convention Centre, saw some familiar faces and new ones. Beyond the usual rhetoric, one good piece of advice from the security experts was to gain buy-in not just from users themselves but from business units, who are perhaps IT's best friends in achieving a water-tight security implementation.
The security gap
Gerry Chng, Partner, Ernst & Young Advisory Pte Ltd, delivered his keynote address by giving an overview of his organisation's "2012 Global Information Security Survey", titled "Fighting to close the gap".
Photo: Gerry Chng
The survey was launched 15 years ago, and over the years some clear trends have emerged from it, said Chng. "This is the 15th year of the survey, covering over 64 countries and garnering more than 1,800 responses from CIOs, CISOs and IT managers. From the studies conducted, we observed that there are three marked stages of information security."
In the beginning, compliance was the driving force behind security strategies. Regulatory compliance with the Sarbanes-Oxley Act of 2002 and a number of other laws, for example, necessitated putting IT controls in place, so much so that sometimes too much control impeded business growth.
"Then came the financial crisis and a lot of controls were redundant," he said. "Manual controls and other checks and balances became very costly to maintain in the name of compliance—it became very costly to sustain compliance on an annual basis."
The time was ripe for automated compliance tools to come into existence. The so-called GRC (governance, risk and compliance) solutions were seen as necessary to drive organisations to do the right things, but they were too costly.
"The third era is where we're bombarded by various new technologies, mobile devices, and cloud services. Here is where we face more disruptions and new challenges to cope with changing security threats," Chng said. For instance, the latest malware is indiscriminate, and "it attacks whatever is available. It is hard to detect, it works slowly, and it lies below the radar. It uses zero-day attacks, i.e. without warning, and with new technologies like mobility coming into place, it poses new security threats to every business organisation, not just to individuals. That's shaking up the whole thinking behind security."