PHOTO - (from left) Symantec enterprise director for risk and compliance, Asia Pacific and Japan, Eric Lam; and Symantec principal consultant, Asia South region, Nigel Tan.
Managing IT risk and meeting compliance requirements is an increasingly complex task, and many companies remain complacent about security, according to security solutions provider Symantec Malaysia. The company has announced a compliance control solutions suite intended to help organisations cope with this challenge.
Speaking on 17 February 2012, Symantec principal consultant, Asia South region, Nigel Tan, said: "Managing IT risk and compliance in Malaysia today is not a simple task. With a growing number of business and regulatory drivers and an evolving threat landscape coming together, and an array of technology solutions, IT security leaders find themselves at a crossroads in addressing the issues."
"CISOs [chief information security officers] must be able to clearly communicate the state of their constantly changing environment to a range of different stakeholders," said Tan. "As security threats and IT risk management become boardroom-level discussions, security leaders must be able to communicate and prioritise their IT risks in business-relevant terms in order to drive change and accountability."
He said that in common with many different compliance standards, the PCI DSS (payment card industry data security standard) provided best practices for basic security in the financial services industry. "Credit card information and bank account credentials continue to be the top two targets of cyber criminals and 56 percent of global phishing attacks were against banks. From the FSI (financial services industry) perspective, all fraud carries cost."
Tan said that in his experience of consulting with organisations, mistakes most often arose from complacency around security risks. "The impact of such mistakes is large: an example would be an organisation that rolled out a new system without giving sufficient priority to testing due to budget constraints. Security testing is often not prioritised due to short-term business decisions (to apparently save costs) over security. The decision then goes on to cost the organisation three or four times more than the amount 'saved'."
Translating IT risk compliance to the boardroom
On credit card risks, Tan said the PCI DSS version 2.0, which has 12 major sections with more than 200 controls, included 135 changes from the earlier version, and was effective from 1 January 2012. "Incentives for organisations (payment card-related) to follow the standard include fines (per record compromised) with increased rates of fines for failed merchants, suspension of privileges to use card brands, as well as loss of brand reputation and partner confidence."