Risk and control

The most important thing of all when it comes to our company networks and data is to be in control. This is also the most difficult objective to accomplish. In fact, just defining what we mean by “control” is hard enough, although I’ll have a go: I believe that we are in a good state of control when there are consistent processes being consistently followed throughout the organisation.

But to what lengths do we need to go in order to accomplish this? I recall the processes followed at one business I visited in India. No employee could take into the building any personal items apart from the clothes they were wearing. Desktops were locked down to the nth degree. No Internet connectivity. All activities were closely monitored and audit logs continually checked. That’s all fair and good but it’s not exactly an environment conducive to innovation. But then again it wasn’t meant to be.

Take the organisation I work for now. It encourages innovation, wants individuals to have ideas and research new ways of doing things. To facilitate that we have to open up to the outside world and provide opportunities to experiment with all manner of new resources and technologies. If there’s one challenge above all others in my job, it’s trying to define where the balance is between retaining control and letting go whilst still adequately mitigating risks.

The level of risk acceptance will vary from business to business and is dependent upon all manner of variables: value of the data, attitude to risk, regulatory environment and so on. If, for example, your business has an online growth strategy then you, as security officer, had better be prepared to support it and find ways to enable it to happen through your presently over-restrictive policy.

1 comment

As business priorities have changed and value and innovation are now created through collaboration and partnership, it's not surprising that our organisation's networks have become more like stainless colanders to facilitate new ways of working. A move away from just thinking about IT infrastructure security and a more intelligent and granular way of valuing our business processes is needed. Our networks have to become soft on the outside, with chewy and hard bits in the centre - a bit like a Topic Chocolate Bar ;-)