Phillip Whitmore of KPMG suggests another way of viewing information security – as a differentiator for the enterprise. Security can reduce cost and create operational efficiencies, meet compliance and audit needs and enable new business opportunities, says Whitmore, director of security advisory services at the consulting firm.
Whitmore uses the analogy of brakes on cars. Traditionalists will say cars have brakes so they can stop, but brakes are what allow cars to go fast.
In the same manner, “security allows us to go fast as an organisation”, says Whitmore.
“If we have a secure environment, rather than locking people out, we can bring customers and business partners into our business,” Whitmore told a NetIQ forum in Auckland.
The banking sector harnessed this approach through internet banking and ATMs, he says. These forms of transaction are cheaper than those conducted in the branch. “Having a secure, fast network allowed them to make these cost savings,” he says. This meant fewer people were needed in branches, and the savings allowed banks to engage in a new business model – opening on Sundays.
Without a secure environment, you can’t do these B2B and B2C transactions, he says.
At the same time, he says, some commodity service providers have already been using their security features as a “good marketing differentiator”. They show potential new customers why they are better, while using security to improve the relationships with existing customers. Once the organisation has established the customer’s identity and behaviour, for instance, a company can enhance its service by providing vouchers or special offers they know the customer will respond to.
He stresses, though, that network availability is key. If your website is down, the customers will go elsewhere.
However, there remain hurdles in how enterprises view security. Most NZ enterprises do not have a dedicated person for security, says Whitmore. “It is a cost, those guys don’t add value – useful, but it is a cost,” he says of how companies view the role.
“The common view of security is that it’s all about saying ‘no’,” says Whitmore. This means blocking websites, restricting access to information, and preventing the use of new technologies in order to save money.
He says security is not about saying ‘no’, but about explaining the benefits and the risks.
A starting point for enterprises is to answer questions such as where their data resides, what data the organisation is trying to protect, what the organisation’s risk appetite is, and how well it is protecting itself against threats.
He says the same assessment is done when buying new companies: decide where to invest your money, understand your assets, and understand your threats.
You have to align your security conversations to how the business works, he advises. Understand your risk profile, and understand what a secure IT environment looks like, so that when the profile changes you recognise that a particular kind of hack is happening and can shorten the time to respond.
He concludes that security spans IT and non-IT functions. “It is a business issue not an IT issue.”
He says that in New Zealand there is no legal obligation to report a breach of company information, but that the governments here and in Australia are looking at compulsory reporting of security breaches.
“Just because we don’t see it in media a lot does not mean it is not happening,” says Whitmore. The ones that have been reported include incidents involving the ACC, Ministry of Foreign Affairs and Trade, and ATM card skimmers.
Espionage is increasingly common, from competitors and from political activists, he says. “NZ high profile organisations have been targeted for political motivations,” he says.
Room for improvement
Simon Piff, IDC associate vice president for enterprise infrastructure in Asia Pacific, says there are only two kinds of organisations when it comes to security – those that have been hacked and those that have not. He says there will always be another attempt to hack information systems as “there is always a market for information”. He says that while discussions on cybercrime were mostly about money, “now it is about data”. “Defacing the website might make you feel good but I will get money when I steal your data and sell it to someone else,” he says.
The nature of hacking has radically changed, Piff says, with the focus moving from the device to the data. In the past, he says, the key query would be: is the server safe? “Now it is about, what is the value of the data to the organisation.”
Emerging markets that have strong manufacturing opportunities are looking at IP (intellectual property), says Piff. He says that while China gets a lot of the blame, “the only difference is some countries cover their tracks better”.
He says “data harvest” is another form of data loss. He cites, for instance, how enterprises outsource the disposal of their disks. He asks, what is their security guarantee? The disks are “easy pickings” for criminals who will simply look for the discarded drives.
The bigger threat, says Piff, is still “Mafia driven” or the organised groups that harvest and resell personal information.
He says the latest IDC ‘IT security health check’ among New Zealand enterprises finds 48 percent of respondents saying the highest level of risk and challenge is internal, with the rest citing external risk.
“We worry about external [risk] because it is unknown,” he says. But internal risks can come from the retrenched colleague, or from corporate information being shared by email.
He cites the case of a staff member of one of the largest IT companies who showed him how he was able to access his email account and corporate files five weeks after being fired.
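The two points above – knowing what a secure environment looks like so that a change in profile is noticed quickly, and the ex-employee who could still reach email and files five weeks after being fired – come together in a routine offboarding reconciliation. The following is an added example (not code from the article, KPMG or IDC): it compares a constructed HR termination list against a constructed snapshot of account status and last-login times, and flags accounts that are still enabled or were used after the owner left. The field names, dates and grace period are assumptions chosen for illustration.

```python
"""
Post-termination access check (added example, not the article's own code).

Reconciles an HR termination feed against a directory/authentication
snapshot and reports accounts that outlived their owner's departure.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR feed: who left and on what date (assumed field layout).
HR_TERMINATIONS = {
    "alice": date(2013, 2, 15),
    "bob": date(2013, 3, 15),
    "carol": date(2013, 1, 20),
}

# Constructed directory snapshot: account state plus last observed login.
ACCOUNT_SNAPSHOT = [
    {"user": "alice", "enabled": True, "last_login": datetime(2013, 3, 8, 9, 12)},
    {"user": "bob", "enabled": False, "last_login": datetime(2013, 3, 14, 17, 40)},
    {"user": "carol", "enabled": True, "last_login": datetime(2013, 1, 19, 8, 5)},
    {"user": "dave", "enabled": True, "last_login": datetime(2013, 3, 20, 10, 0)},
]

# Date the check is run (constructed).
AS_OF = date(2013, 3, 22)


@dataclass
class Finding:
    user: str
    terminated: date
    days_since_termination: int
    still_enabled: bool
    used_after_termination: bool


def post_termination_findings(terminations, snapshot, as_of):
    """Return one Finding per terminated user whose account is still enabled
    or shows a login after the termination date. Users with no account in
    the snapshot are skipped; they are already cleaned up."""
    by_user = {row["user"]: row for row in snapshot}
    findings = []
    for user, left_on in terminations.items():
        row = by_user.get(user)
        if row is None:
            continue
        last = row["last_login"]
        used_after = last is not None and last.date() > left_on
        if row["enabled"] or used_after:
            findings.append(
                Finding(user, left_on, (as_of - left_on).days, row["enabled"], used_after)
            )
    # Oldest exposure first: that is where response time has slipped the most.
    findings.sort(key=lambda f: f.days_since_termination, reverse=True)
    return findings


def overdue(findings, grace_days=1):
    """Findings where the account survived longer than the allowed grace period."""
    return [f for f in findings if f.days_since_termination > grace_days]


def run_check(as_of=AS_OF):
    """Convenience wrapper over the constructed sample data."""
    return post_termination_findings(HR_TERMINATIONS, ACCOUNT_SNAPSHOT, as_of)


if __name__ == "__main__":
    for f in run_check():
        flag = "USED AFTER LEAVING" if f.used_after_termination else "still enabled"
        print(f"{f.user}: left {f.terminated}, {f.days_since_termination} days ago, {flag}")
```

On the sample data the check reports carol (account still enabled 61 days after leaving, though unused) ahead of alice (enabled and logged in five weeks after her termination date); bob is not reported because his account was disabled on departure and his last login preceded it. The same structure works against a real HR export and a directory dump once the field names are mapped, and the `overdue` grace period is what turns a one-off audit into a measurable time-to-respond target.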
Another interesting insight from the IDC survey was that nearly 88 percent of CXOs state they have a formally documented security policy. But less than half – 49 percent – said they do not know if employees are trained in the policy.
Commoditisation of basic IT security features is likewise impacting the way people think about security. “It [security] comes in a box, everybody expects the firewall to be there,” Piff says.
Enterprises must know what needs protection. They need to think about “zones of security”.
“What about data? What do we need to monitor the data? It is the least invested part of the organisation,” he says. For this, he has an explanation: when the network is down, everybody knows it; if storage is down, everybody is [still] on the network. They need to be protected equally, he says.