Information security managers need to better align themselves with company business goals to help embed security practices in an organisation, according to speakers at InfoSec 2013.
Talking to ComputerworldUK at the event in London, News International CISO Amar Singh said that security managers often fail to successfully engage with the wider organisation, and place too much faith in the latest technological innovation, viewing these security system tools as a "panacea" in protecting against risk.
"I may already be secure with what I have, so just because I have a budget doesn't mean I go out and spend it on something. I believe in tools, but the problem is tools are seen as a panacea," Singh said.
"Do I really need an intrusion detection system? I may get a great offer from IDS suppliers, but what happens after? I have to invest money in implementing IDS, training people to use IDS and so on. On the face of it, it is a great investment, but people don't always think about the cost of operations, and the daily running of the tool. That is why a lot of the time things go wrong, by overcomplicating."
Part of the problem is a lack of understanding of the business goals, and Singh, who is also chair at ISACA, believes that security managers need to emerge from the IT department 'bubble' in order to ensure that a dialogue is maintained around information security with other parts of their company, be it at board level, or with end users.
From an end user perspective, this means ensuring that anyone in the organisation feels able to approach the CISO or their staff, which makes it easier to create awareness of the risks the organisation faces, something that is not necessarily achieved by throwing money at new hardware or software systems, he said.
Information security risks continue to grow, and for the media industry they are increasingly significant, as the hijacking of the Associated Press Twitter account this week showed: a single false tweet briefly sent US markets lower. Such cyber attacks are mounting for companies across many industries, Singh pointed out. But while there is no silver bullet that prevents a successful attack, the risk can be reduced by ensuring that there are strong communication channels with end users.
"The question is, how can you have control of, for example, the AP Twitter account getting hacked? The reality is that there is no way to control it, because you could have accessed it from anywhere - from your mobile, or from any machine on the planet."
"The only way you can influence and reduce the risk is that, if you are the user of the Twitter account, hopefully I would have engaged with you and I would have shared with you the necessity of having strong passwords, and not sharing passwords. Yes you need to invest in tools - but you need to build a culture where everyone talks about information security."