
Risk and control

The most important thing of all when it comes to our company networks and data is to be in control. This is also the most difficult objective to accomplish. In fact, just defining what we mean by "control" is hard enough, although I'll have a go by saying I believe that we are in a good state of control when there are consistent processes being consistently followed throughout the organisation.

But to what lengths do we need to go in order to accomplish this? I recall the processes followed at one business I visited in India. No employee could take into the building any personal items apart from the clothes they were wearing. Desktops were locked down to the nth degree. No Internet connectivity. All activities were closely monitored and audit logs continually checked. That's all fair and good, but it's not exactly an environment conducive to innovation. But then again, it wasn't meant to be.

Take the organisation I work for now. It encourages innovation, and wants individuals to have ideas and research new ways of doing things. To facilitate that we have to open up to the outside world and provide opportunities to experiment with all manner of new resources and technologies. If there's one challenge above all others in my job, it's trying to define where the balance lies between retaining control and letting go, whilst still adequately mitigating risks.

The level of risk acceptance will vary from business to business and is dependent upon all manner of variables: the value of the data, attitude to risk, the regulatory environment and so on. If, for example, your business has an online growth strategy, then you, as security officer, had better be prepared to support it and find ways to enable it to happen in spite of your presently over-restrictive policy.

Comments (1)

Duncan:

As business priorities have changed, and value and innovation are now created through collaboration and partnership, it's not surprising that our organisation's networks have become more like stainless colanders to facilitate new ways of working.

A move away from just thinking about IT infrastructure security and a more intelligent and granular way of valuing our business processes is needed. Our networks have to become soft on the outside, with chewy and hard bits in the centre - a bit like a Topic Chocolate Bar ;-)

About

This page contains a single entry from the blog posted on November 1, 2007 6:00 AM.