
With the bank failures of recent weeks, more pending
redundancies and a continuation of the downward slide, should we be
concerned about lax security? Is someone minding the store while
all this is going on or should we be doing something more when the
banks are going bust?
Winter has arrived unseasonably early this year: challenging
market conditions have brought a
freezing and reassessment of corporate budgets, writes
Peter Drabwell CISSP, European advisory board member at (ISC)2.
Organisational departments face increasing pressure to justify
their value to the business and IT Security is not immune to this
approach.
The value of business assets (for example, intellectual
property, client data and service availability, managed in-house or
via third parties) does not diminish during a downturn. During such
times, there is an increased emphasis on the identification of key
business assets and the mapping of a formal, consistent, and
proportionate security strategy. This is an opportunity to
demonstrate the value of the security practice by adopting a
standard risk assessment methodology and ensuring that business
assets and effective controls are correctly aligned.
Threats to business assets typically increase during a downturn.
Common sources include disgruntled/disillusioned employees through
careless or deliberate activity, and dedicated employees with an
increased temptation to circumvent process controls to win
extra business in a dislocated market. While the latter may be
performed with the greater good in mind (and is often an unforeseen
consequence of staff incentive schemes), such control short cuts
expose the business to unnecessarily high levels of risk. Extra
vigilance, awareness, enhanced employee communication and
inter-team collaboration can help mitigate risk in this area.
Organisations also seek to diversify service offerings to win
new business and guard against overdependence on existing
activities. Risk assessment challenges reflect cross-border data
requirements, operating standards in emerging markets and the
evaluation of new technologies (for example VoIP, virtualisation,
cloud computing), some of which are relatively unproven from a
security perspective. The creation of a security solutions
catalogue, including corporate approved service offerings, costs
and key points of contact can greatly enhance the roll-out of new
services. Data assets are not diminished during a downturn. IT
security should play a fundamental role in risk assessing the
estate, deploying proportionate controls and monitoring their
effectiveness. It should also prepare organisations to take full
advantage of the future opportunities that will inevitably arise
when the markets turn once again.