Checklist for achieving optimal IT security

(21/06/2010)

Like Darwin’s theory, the security industry has evolved totally on the nature of its surroundings. Since, global organisations have spent millions protecting themselves against the fear, uncertainty and doubt (FUD) that comes with threat to IT and Information.

By playing to the negative core of this new threat to existence, the security industry has established itself as the white knight which would defend us against every new threat. Initially, scepticism meant that it was simply a question of whether you believed the FUD or not; did you or didn’t you need information security protection?

Gradually people decided they did, but this evolved rapidly and the need became a standard business requirement. Many questions arose about the level of protection you had – was it sufficient, was it up to date, the most comprehensive, with an increasing band of vendors constantly trying to outdo each other.

The burgeoning world of enterprise software, clever tools that made computers more powerful, in the 1990s, created real fodder for security. As IT and software became more centric to business processes, unauthorised access provided increasingly large opportunities to alter the fate of the business processes and provide access to critical data.

FUD will always lead people to over protect, or to put protection before possibilities. Doing so hinders our organisations’ ability to grow, succeed, survive and develop. The evolution of information threats has accentuated this because it is now an organised threat with malicious intent. The free computer crusaders of the 1980s have long been replaced by serious criminals, whose only goal is money or power. If the industry was founded on fear 20 to 30 years ago, that fear is now on a scale that could never have been foreseen back then. Security has become a major threat to our business, not only due to the criticality of data but also due to its power to make us much more risk averse.

Now more than ever, we are heading for a bi-polar world with an incoming preference and culture of freedom and flexibility lauded over by a heritage of control, lock down and management. How do organisations balance these two critical areas and achieve relative freedom, while maintaining their secure boundaries?

Too much freedom and too little control might realise short term gain for the organisation – fuller collaboration, more productivity, better relationships – but may leave many holes in the organisation’s information security armour, which could easily be its downfall.

Too much control will mean that your workforce is not exploring its full potential and will, by default, severely blinker your organisation to the possibilities that await it. As people drive towards a new freedom of communication and information while organisations pull us back to an ordered and restricted structure, we need to help our future colleagues to define what is not only acceptable and secure, but what is optimal in terms of success and growth.

In the near future, information security will have the power to be more than just an insurance policy. With the controls set correctly, security will be the new rudder that steers the organisation towards increased success and achievement of its business goals. If, on the one hand, insufficient security may make the level of risk outweigh the potential benefits of more open exploration of ideas and information freedom, on the other hand excessive security will stifle innovation and productivity to a point where the workforce cannot move when the competition can. Optimal security will allow as much freedom and exploration as possible without increasing the risk too significantly.

The checklist for achieving optimal IT security:
1. Corporate information security must never be on default full volume; it must initially start at an acceptable level and be increased to the minimum point necessary
2. If your staff morale and performance is affected more by security breaches than it is by lack of information access, then your security measures are too relaxed
3. If the inverse of No. 2 is true then your security measures are too stringent
4. A lesson in trust can be equally, if not more, beneficial to your workforce than a security monitoring system
5. It’s not tomorrow’s modes of communication that are insecure, it is the people who do not understand them well enough
6. Security is there to serve the business; business is not there to serve security
7. Active data, irrespective of how or where it is accessed, is the critical corporate asset. It must be monitored, and, most importantly, managed
8. In no uncertain terms should organisations reduce or forget security, they should however review its value regularly

The threats are changing but so is the role of security. It’s no longer just about protection and locking up your data. It’s going to be about letting data flow as freely as is securely possible to achieve the best economic returns and better interaction with other parties. As new generations with new attitudes enter the workplace we will need to find new answers to different challenges and achieve a much finer balance between fear and risk, and opportunity and openness.

Related topics:  Data management and data security   Security management and policies 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources