InfoSec: Understanding business goals is key to embedding company-wide security practices

Too many rely on security tools as a "panacea"

Information security managers need to better align themselves with company business goals to help embed security practices in an organisation, according to speakers at InfoSec 2013.

Talking to ComputerworldUK at the event in London, News International CISO Amar Singh said that security managers often fail to successfully engage with the wider organisation, and place too much faith in the latest technological innovation, viewing these security system tools as a "panacea" in protecting against risk.

"I may already be secure with what I have, so just because I have a budget doesn't mean I go out and spend it on something. I believe in tools, but the problem is tools are seen as a panacea," Singh said.

"Do I really need an intrusion detection system? I may get a great offer from IDS suppliers, but what happens after? I have to invest money in implementing IDS, training people to use IDS and so on. On the face of it, it is a great investment, but people don't always think about the cost of operations, and the daily running of the tool. That is why a lot of the time things go wrong, by overcomplicating."

Part of the problem is a lack of understanding of the business goals, and Singh, who is also chair at ISACA, believes that security managers need to emerge from the IT department 'bubble' in order to ensure that a dialogue is maintained around information security with other parts of their company, be it at board level, or with end users.

From an end user perspective, this can mean ensuring that anyone in the organisation is able to approach the CISO or their staff, making it easier to create awareness around the risks faced by an organisation, something that is not necessarily achieved by throwing money at new hardware or software systems, he said.

The threat around information security continues to grow, and for the media industry, information security risks are increasingly significant, as evidenced by the Associated Press Twitter hack this week, which caused US markets to spike temporarily. These sorts of threats of cyber attacks are mounting for all companies across many industries, Singh pointed out. But while there is no silver bullet approach to prevent a successful attack, risks can be mitigated by ensuring that there are strong communications channels with end users.

"The question is, how can you have control of, for example, the AP Twitter account getting hacked? The reality is that there is no way to control it, because you could have accessed it from anywhere - from your mobile, or from any machine on the planet."

"The only way you can influence and reduce the risk is that, if you are the user of the Twitter account, hopefully I would have engaged with you and I would have shared with you the necessity of having strong passwords, and not sharing passwords. Yes you need to invest in tools - but you need to build a culture where everyone talks about information security."

Also speaking at the InfoSec event at Earl's Court in London as part of a panel discussion on 'Changing perceptions: Embedding information security in the business', head of information security at Manchester Airport Group (MAG), James McKinlay, highlighted the need to "build bridges" with other parts of the organisation and evolve their role within a business.

"Getting involved with people all the way across the business really helps your case when you want support for changing things and getting over the resistance to change," he told an audience of press and other heads of security.

"The world needs to move on from thinking about information security as being computer security. Information security is much wider and has to build bridges with the business."

He added that a more strategic approach in line with other business priorities is needed to ensure information security staff are able to influence risk management across an enterprise: "I don't believe enough people who are leading an information security function have set out a strategy in the style of a paper that has been agreed by the IT director, risk director and laid a business plan aligned to the business goals."

"If you are in a larger organisation it will have a mission and a vision, you should really adopt that sort of approach and put it in a strategy paper. I think this is a great way of getting information security embedded in your business practice."
