Security Management under Control (page 1 of 8)

Monday, January 03, 2005 at 10:40

Organisations are evolving to become more accessible to customers, partners, vendors, suppliers and employees.

This is being achieved by deploying information technology to the extent that most organisations are now critically dependent upon their IT infrastructure to function.

Ensuring the security of this infrastructure poses a severe challenge, and yet many organisations have taken a piecemeal approach to security management. This has resulted in higher costs than necessary and, at the same time, in poorly implemented controls.

The increasing amount of data held has led governments and regulatory bodies to respond with directives relating to privacy and confidentiality. The result? Organisations find themselves squeezed between cost control and regulatory compliance.

This paper discusses the business and technology challenges faced by organisations and proposes a new philosophical approach, where business and technology intersect, to address this challenge. This new security management model supports the business imperatives of financial discipline, business continuity, operational risk management and regulatory compliance.

The model focuses on managing the existing security technologies more effectively rather than adding to or replacing them.

Business Challenges
The key business drivers that make security management important are financial discipline, operational risk and compliance with legal and regulatory requirements.

Financial Discipline
The competitive business environment makes financial discipline a priority for organisations.

Financial discipline is not just about saving costs but also about doing things smarter. Organisations that succeed in achieving financial discipline will be those that survive and grow by providing their products and services more efficiently and more effectively than their competitors.

Financial discipline means managing operations more effectively, making employees more efficient and reducing administrative overheads. For example, in a typical organisation, password and account lockout problems can represent a large proportion (often over 50%) of the help desk load. The need to sign on individually to multiple applications wastes time. The costs and delays involved in providing access for new employees can be a significant problem in industries with high staff turnover (call centres and retail are good examples).

Operational Risk
Organisations survive in the face of many risks, including market risk and operational risk. Market risk includes, for example, investing in products that do not meet the needs of customers, or where competitors provide better or cheaper products. Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement.

One particular concern is maintaining continuity of critical business services. This is shown in Figure 1, which illustrates the results of a survey of 1,209 respondents on attitudes to IT security conducted by Quocirca Ltd [1]. Organisations depend upon their IT infrastructure to operate, and this infrastructure is vulnerable in many ways.

These range from simple hardware failure, through mis-operation and mis-configuration, to malicious attacks by hackers, computer viruses and the like. Although these risks are well known, many organisations do not manage technical vulnerabilities and threats as well as they could, leaving the process under the control of technical staff who lack a clear understanding of the business priorities.
References

[1] Jon Collins, IT Security Strategy - Review of Attitudes, Activities and Plans, Quocirca Ltd, June 2004.

[2] Tim Bentley and Don LeClair, Leveraging Directory Technologies for Enterprise UDDI, CA, January 2002. See http://www.oasis-open.org/

[3] Organization for the Advancement of Structured Information Standards (OASIS), SPML 1.1 Specification Set. See http://www.oasis-open.org/

[4] Open Security Exchange. See http://www.oasis-open.org/

[5] Open Security Exchange. See http://bsi-global.com

[6] ISO 17799. See http://www.iso.ch

[7] ISO 17799. See http://www.iso.ch

[8] British Standards Organization. See http://www.c-cure.org

[9] CobiT. See http://www.isaca.org

[10] CobiT. See http://www.isaca.org

Mike Small
Director eTrust™ Strategy
Computer Associates International Inc.

September 2004

Biography
Mike Small is Director of eTrust™ strategy at Computer Associates International, Inc. (CA). In this role he is responsible for defining and communicating the technical strategy for CA's eTrust™ product line within Europe. Mike developed CA's identity and access management strategy and, prior to his current position, he was responsible for its implementation.

Mike joined CA in 1994 from ICL, where he was the leader and architect for a number of software development projects ranging from system software to artificial intelligence. Mike is a Chartered Engineer, a Fellow of the British Computer Society and a Member of the Institution of Electrical Engineers.
