
How can security play a central role in enabling business growth?
The business case for information security has finally been
recognised, writes Simone Seth, senior research consultant at the
Information Security Forum.
Rather than being viewed as an unwanted necessity and expense,
information security is now seen as a valuable contributor to
protecting and managing brand image. It is also critical for
satisfying regulatory compliance requirements. As a result, savvy
business leaders are leveraging information security to distinguish
themselves from competitors.
Organisations need to address two aspects of security spend -
baseline investments and risk-based investments. Over the past
three decades, organisations have become adept at making baseline
investments needed to safeguard enterprise operations from known
threats and vulnerabilities. This typically includes investment in
firewalls, anti-virus and intrusion detection systems.
The opportunity to make risk-based investments - that is,
security investment targeted to address business operations that
are high risk and possibly high return - continues to pose a
challenge. New security products, coupled with open architectures,
allow organisations to invest in new classes of applications and
business processes. Business models are constantly changing and the
security function needs to be agile, to enable and facilitate the
accomplishment of business goals.
Security investment should be targeted towards managing areas of
high business risk. However, the success of a risk-based security
investment strategy is predicated on a clear understanding of the
organisation's risk appetite and risk profile; yet business leaders
and security practitioners often lament the difficulty in
understanding and managing risk.
Security leaders need to create the means for business
objectives to be realised in a way that does not compromise
baseline security safeguards already in place. They need to
evaluate new technologies and refine processes to ensure
interoperability with the existing security model, while achieving
new business objectives. This is certainly not a trivial endeavour.
However, if strong communication links are established between
business leaders and IT and security professionals, and a shared
vision that drives success is adopted rather than a blanket
risk-avoidance approach, security can serve as an enabler for
business.