
The task of managing risk has changed dramatically,
writes Raj Samani of ISSA UK. There was a time
when compliance was unheard of (so to speak),
security meant switching off the modems, and
operability involved leaving a big lorry in the car
park for a week to verify that back-ups worked.
This tranquil world is long gone. Projects and budgets are
dictated by a need to comply, systems operability demands 24-hour
uptime for fear of loss of significant revenue, and the number of
risks affecting an organisation changes on a daily basis.
Equally confusing is how compliance, security and operability
are so interlinked that a potential change in one can dramatically
affect another.
Take the PCI standards for companies processing credit cards. Complying
with such standards should result in a greater security for an
organisation. But such standards do not necessarily mean that an
organisation cannot be more secure without compliance.
So why is compliance introduced? Largely because companies or
individuals fail to do the right thing, so regulations or new laws
are passed to force them to act correctly.
24/7 imperative
What remains constant is operability. Without an available
system, surely the business will grind to a halt?
But as we are all aware, there is nothing cut and dried about
making business decisions, and what has prevailed is the need to
balance security and operability. Although the introduction of more
compliance requirements has taken some of the guesswork out of
defining the line between the two, this line is not fixed. The
exact balance will vary, not only from industry to industry, from
company to company, and from department to department, but even on
what phase a particular project may be in.
This blurry line can even change due to personal circumstances.
Ask a security professional the number one systems priority for any
given organisation and they will say "security". But ask them again
when they are a patient at a hospital whose systems will assist
their rehabilitation, and their perception of risk may well change
and they will answer "operability".
Equally, if you asked the same question of Société Générale
executives shortly after a rogue trader lost the business £3.7bn
after circumventing
internal controls, then "security (and a lot more of it)" might be
their answer. But ask them just before the annual bonuses are to be
decided and they might just go for operability.
The future for business is likely to change further, as will
compliance requirements, and with the potential threat of custodial
sentences for non-compliance, this area will take on more
importance. Likewise, with the increasing reliance on the internet
to provide revenue, operability will remain high on the agenda. The
demand for security will therefore rise to such an extent that the
demand for good security professionals will far outstrip
supply.
Raj Samani is vice-president for communications at ISSA UK,
and is speaking in the keynote programme at Infosecurity
Europe.