Information security in global organisations presents special challenges, but the basic approach should be the same for all organisations, said experts speaking at the 360°IT event in London.
"When you are supporting applications across 200 sites around the world, security needs to be effective and pragmatic," said John Harris, vice-president application services, commercial IT at GlaxoSmithKline.
In the pharmaceutical world, companies are typically sharing information with universities and healthcare organisations, so the old IT security model of protecting the perimeter is no longer valid, he said.
According to Harris, the key to successful IT security, particularly in global organisations, is identifying the truly crucial information assets, where they are stored, and putting appropriate controls around that data.
Understanding the business
But different things will be critical for different businesses, which is why it is vital for IT security professionals to have a good understanding of their own business, said John Colley, managing director, EMEA, (ISC)2.
Colley, a former head of risk at Barclays, said that only by understanding the business can IT professionals assess the risk attached to specific information assets.
This is the building block for establishing the most appropriate framework for governance and risk, and choosing the right security controls to attach to each piece of data, he said.
"The important thing is that security must be integrated with the business, not added afterwards. Security professionals must work with the business in deciding what is most important to protect," said Colley.
This approach is also useful in helping security professionals work with the business to introduce new technologies in a safe way, because they will understand the business case behind them, said Harris and Colley.
"Things like wireless networking, cloud computing and smartphones could be very good for a business, but if security professionals do not understand the business benefits, they will typically say they are too difficult to secure," said Colley.
That attitude needs to change, he said, and instead security professionals should find ways to implement technologies for which there is a clear business benefit.
The role of security professionals needs to evolve so that they become leaders of informed discussion on the risks attached to new technologies, said Harris.
"Security professionals must ensure the right level of understanding and help the businesses implement new technologies in the smartest way to mitigate the risk while getting the most value," he said.
User training and education is another key element of successful IT security across global organisations, said Harris and Colley.
"Policies alone are not enough. People forget or do not really know how to apply them in their day-to-day jobs," said Harris.
Security professionals need to realise that the best way of improving user behaviour is to make it easy to do the right thing and to continually reinforce good behaviour with automated reminders, he said.
"People will generally adhere to policies if they understand the reasons behind them," said Colley.
The HMRC loss of millions of records on two CDs points more to a failure of policy than a failure of the individuals responsible, he said.
"The HMRC policy called for all data to be encrypted, but to the people responsible for the loss of data, that could have meant simply protecting the data with a password," said Colley.
Businesses need to be absolutely clear in their communication about security, especially as user education can be critical to deploying things like iPhones and iPads, said Harris.
"This is a hot topic, but in 90% of cases security professionals are working with their businesses to find ways of using these devices in a secure way," he said.
It is good to see security professionals beginning to respond in a different way, said Harris, but that is only possible when they understand their businesses and exactly what data assets are the "crown jewels".