From IT Security to Information Security — How Technology Is Not The Greatest Challenge in Protecting Your Information Online

Michael Rothery, First Assistant Secretary for National Security Resilience Policy at the Department of the Attorney General, says that in order to deliver effective security and risk management the key question is "Who owns the risk?".

The challenge, in Rothery's view, is that senior executives treat this as a technical problem and so appoint technical experts. Read against the Corporations Act, he says, that is a fair translation of how to act on information risks.

However, "the risk owner is the whole of the enterprise", he said. That means taking a different view, one not solely focussed on the technical elements, because it is not well understood that information and its security is a corporate conversation and not just a technical one.

Many senior executives, Rothery said, believe that having delegated the responsibility to experts, their regulatory and statutory obligations are being met.

From conversations he has had with CIOs across different industries, Rothery says that they often feel caught in an impossible situation. The business is hungry for "increasing convenience, reaching customers online, bring your own device for staff, the cloud and wireless hotspots".

But in the same conversations, CIOs are being asked to cut budgets and to deliver all of this with improved security.

"The key fundamental thing we notice in the companies that have a relatively high level of cybersecurity maturity is this issue of understanding the value of information", he said.

"The easiest way to get the attention of boards is if you can monetise the value of information", he added. This means the CIO and the rest of the business are talking the same language - the "language of dollars".

One of the challenges for CIOs is that traditionally the value of IT has been measured by the functionality of systems rather than the data they handle.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Rothery frames this as a balancing act between confidentiality, integrity and availability: information can be private today and public tomorrow, but there is a need to ensure it isn't tampered with once it's in the public domain. He believes that putting the data conversation in these terms can overcome the gap between the technology and business functions.

This leads to the establishment of an "information ecosystem". Rothery said, "We're not hearing IT security, we're not hearing perimeter. We're hearing about information and information ecosystem".

By thinking in these terms, rather than in system or security terms, the message of security can be aligned more closely with the operation of the business.

One of the other issues raised by Rothery was how much of the data businesses rely on is no longer held strictly within the central systems of the business. He cited the example of an airline, where ticketing systems, catering services, air traffic control, luggage handling and many other systems are run by parties that work with the airline.

These sorts of close alliances are critical to many organisations. And the increased focus on information security is likely to lead to changes in how service agreements are negotiated and maintained.

Rothery said that agreements won't just be about compliance with security requirements but will involve opening systems up so that partners can see into each other's systems. For example, some customers might require direct access into service provider systems in order to verify that appropriate information security measures are in place, rather than simply accepting the service provider's word.

In many cases, Rothery said, SMBs felt compelled to sign contracts with security provisions but lacked the capability to deliver on those obligations. This might lead to new models in which the customer provides the SMB with a development environment or security expertise in order to access the SMB's services or capabilities.

According to Rothery, this will require increasing maturity as parties become more engaged in the information ecosystem. This extends to cloud providers who, he says, are improving in their openness. Whereas the locations of data centres and how systems were configured were closely held secrets in the past, many cloud providers are now more open and will share that information with customers.
