Security On A Shoestring
Whenever information security is mentioned within most organisations there is a collective groan: the board does not want to engage, staff do not want to be encumbered, and the IT department often lacks the guidance to implement anything effective.
From a security professional's perspective the most disappointing factor is the board's unwillingness to participate in this vital part of their business. Information security is often perceived as a disabler or an unnecessary expense, which in turn dissuades business leaders from proper and necessary involvement. Neither perception is correct. Security is not a product, it is a process, and it can be tailored to meet budget and business need, provided its implementation is proportionate, structured and fully supported by senior management. Often the assumption is that protection is only delivered by wholesale security across every aspect of the business, so organisations take a chance on never being attacked, preferring no security at all to the effort required to deliver what they understand security to be.
Information is one of an organisation's biggest assets, comprising either the entire business output or the majority of what supports it. Without information most businesses are paralysed, resulting in immediate or gradual decline and eventual closure. It is therefore imperative that all businesses, regardless of their size or their specific output, implement information security measures commensurate with the impact that data loss would have on their ability to continue trading. Security must be proportionate, since embedding effective security practices within a business requires effort to implement and maintain, and that effort needs support from the very top of the organisation. The effectiveness of security also needs to be judged and agreed against a standard if the measures are to have any meaning outside the organisation. Traditionally this has not been cheap, especially since information security entrusts the majority of the protection effort to technology, and the most frequently adopted standards are expensive to implement and subjective in their validation. Subjectivity introduces an element of chance that investment will not result in certification, which fosters a culture of over-engineered implementation and added expense.
To be attractive, security needs to be cheap to implement, validate, verify and maintain. But cheap must never mean sub-standard, and this is the point at which the balance must be struck.
Sound, clear and endorsed policies are a low-cost way of setting all security onto a firm base. There is little value in investing in technology if no clear idea exists of what it is expected to achieve. Starting with the basics can remove the need for some of that expensive technology, or put it to better use elsewhere, reducing the cost of implementation and maintenance. All good security, and information security is no exception, must be structured and coherent; security by chance is not security, it is just chance. It is a tired cliché that a consultant is someone who charges to tell you something you already know; however, just because something is known does not mean it is managed.
Small, manageable and clearly articulated steps can deliver security of information to a degree dictated by its value, with minimal impact on the business. Incremental delivery of security measures allows small, financially constrained organisations to protect their information assets as effectively as a global conglomerate. Rather than the "£1000 safe to protect a £10 note" approach, workable processes aligned with the value of the information are just as effective at providing a secure environment as technology. Increasingly stringent security increments also offer the flexibility to expand simply to meet new business opportunities, and to adapt to counter new threats. Objective validation will also reduce cost: when a standard states clearly which measures are required, the cost of implementing them can be calculated in advance, and the investment needed to achieve them can be finely judged.
A means of reducing risk that is effective, manageable, incremental and cheap: is anyone on the board interested in information security now?
By Martyn Smith, Senior Security Consultant, Logically Secure Ltd
Certified Digital Security is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe, held on 27th – 29th April at its new venue, Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk