
How can security play a central role in enabling business growth?
The name "Paul Moore" is not synonymous with information
security, but perhaps it should be, writes Raj Samani of ISSA UK.
Previously head of risk for HBOS, Moore
told the BBC's Newsnight: "The bank was moving too fast and I
raised those challenges very strongly at board level. I also raised
issues of cultural indisposition to challenge and inappropriate
behaviours."
He added that the HBOS story was like the "Emperor's new clothes",
with no one prepared to "step out of line" and say what was going
wrong.
Moore was made redundant following a restructuring.
Michael Bolton, another former HBOS executive, told BBC Radio 4:
"Any bank chief executive pre-August 2007 that turned round to its
shareholders and said profits and growth are now no longer the most
important, it is now a more balanced approach - how many of those
chief executives would have still been in their job with that sort
of strategy?"
Being the bearer of bad tidings, such as risks to a business, is
not enjoyable. If the business wishes to improve the bottom line
through an e-delivery solution, for example, there is usually
trepidation when seeking security sign-off. Such an environment is
not sustainable; neither is one in which, as Moore put it, there is a
"fear of stepping out of line with the rest of the lemmings who
were busy organising themselves to run over the edge of the
cliff".
Managing risk involves a number of options, and these go beyond
simply rejecting the risk. The adage of designing security into a
solution means that the bolt-on sign-off is avoided, as is the
confrontation over who has the most senior management support.
Controls exist to reduce risks to an acceptable level, and working
collaboratively not only makes this viable but also
produces solutions that improve the business and are secure and
cost-effective.
Ultimately, changing the perception of security value is key.
Although security professionals understand the value, this view is
not often shared with the business. Precedent is a tremendous
method of demonstrating value, as is being able to quantify the
ROI, but it relies on someone communicating value effectively and
bridging the gap between technologists and the business.