Despite a continuing string of high-profile information security breaches, many organizations still have a very poor understanding that they will certainly be subject to similar failures. There is also a lack of planning regarding how to react when these events occur. CEOs and executive boards need to ensure that information security is consistently on their agenda, and that there is a clear mandate at a senior level to assess risk, report status, and respond to incidents.
Certainly, most businesses will have the appropriate security solutions in place, and can point to malware detection, firewalls, email security measures, identity and access management, security intelligence, and any number of other elements designed to keep attacks at bay. However, the majority of security breaches are attributable to failure of process, rather than of technology, and organizations need to take an end-to-end business-focused view of their security planning and response.
It is interesting to compare the ways in which we treat financial and information resources within our organizations. The CFO has an absolute mandate to put in place the checks and controls that ensure financial resources are monitored and accounted for to the last penny. This culture is second nature to all employees, in that we know that accurate billing must take place, expenses must be accounted for, and the defined procedures are followed to the letter.
Contrast this with the way that information is treated in most organizations. There is rarely anyone with a clear mandate at a senior level to manage and safeguard information, and very few controls in place that monitor information in any way that mirrors these financial processes. The security measures attempt to erect fences, but they don’t track what happens to the assets that sit behind them. This is somewhat akin to locking the till, but never bothering to count what is in it.
Organizations must therefore put greater emphasis on the value of information assets and the processes in place to protect them, as well as the awareness of these controls by all employees and stakeholders. They must be able to report swiftly, accurately, and simply on the status of these assets and their controls at board level, giving a clear picture of information security risk and response in the context of business operations.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.