Q: How much protection is enough? Is there a best practice or "yardstick" where organisations could decide an investment quantum committed to security is sufficient to remain safe?
Sentonas: This is the million-dollar question. You could argue that there is never enough security if you consider the changing threat landscape and ever more mobile users connecting with new devices from beyond the corporate boundary, but in reality there is a fine balancing act that needs to be made within every organisation. To remain safe, an organisation needs to ensure there is enough security in place to protect your business's crown jewels, that is, to protect your core intellectual property, your brand, your customers and your staff, whilst at the same time doing it in a cost model that is in line with the value of your business and what you are trying to protect.
Q: Do business organisations require a chief information security officer? Can they live without one?
Sentonas: The requirement of a Chief Information Security Officer really does depend on the size of the organisation as well as the capability of the organisation. For a small or medium business, the luxury of having a CISO may not necessarily be possible; for a larger organisation or government body, the role today is critical.
What we do see today across every organisation is the rise of the security-obligated executive, that is, a business owner, senior manager, through to all executive staff being responsible for protecting the organisation, its users, its intellectual property and, importantly, its brand reputation and customers.
You can argue that even with a CISO, if the entire organisation is not taking security personally, then having one person responsible is no guarantee of success, and you will always have one person trying to push a security program across the organisation. Without a CISO, you run the risk of having a security program without an owner, without someone motivated to ensure its success, which may result in security becoming an afterthought. If you consider the number of public data breaches in 2013, it is a brave organisation that does not appoint a security leader and push out a program across the entire organisation.
Q: One big aspect often overlooked is that of user awareness and user training on practising "safe" computing. Given trends like BYOD and mobile computing, how should organisations be prepared for such new threat landscapes?
Sentonas: I would definitely agree. This is one of the most important aspects of security that is missed, or not given enough focus, within many organisations. There is a saying that a computer or network is only as secure as its weakest link, and it is important that the staff within an organisation are not that link. Many organisations today are rolling out cyber security programs that run every year to cover topics that range from a threat landscape update, with tools and techniques to defend yourself, through to data privacy and how to get the best from social media safely and securely.