Balance the right level of security with the needs of your end-users

The balance of security and risk is an issue that affects every aspect of our day-to-day lives. To be absolutely secure means a...

The balance of security and risk is an issue that affects every aspect of our day-to-day lives. To be absolutely secure means a shut-down, whether that is road travel, allowing people to swim in the sea, having an operation or developing an IT system.

However, in practice absolute security cannot be adhered to. We cannot conceive of society without the car and forbidding swimming in the sea is unenforceable.

A similar tension exists between IT departments and the business. The ultimate technologist may insist that the only way they can ensure full security is to shut systems down; if they are not working, no one can do any damage. However, business people want systems to have as much access as possible to encourage customers and suppliers.

IT directors face four security risks. The first is that of their existing operations failing as a result of anything from fire to data loss. One thing is for certain, the IT director truly is responsible and carries that risk.

The second risk is external attack, about which most IT directors put the best available safeguards in place. But as a castle without a gate in its walls is more secure than one with a gate, there is also the disadvantage that legitimate people cannot get in and no one can get out.

A smart castle designer discusses the risk of various levels of security to share that risk. So it ought to be with IT directors and their users: they must be aware of varying levels of security and balance these against the need to be able to operate commercially.

The third security risk is from within: a percentage of security breaches can be traced back to employees. Here the IT director, the risk manager and the auditor must collaborate to put adequate safeguards in place to reduce wrongdoing and facilitate an acceptable working environment.

Lastly the IT director faces risks when developing a new system. There must be a dialogue between the user and the provider. If there is an urgent need for a system that will gain a market advantage, this may go live without the usual stringent testing - as long as the user buys into that risk. A balance must be struck between the commercial advantage of getting there first, against a risk of the system revealing flaws in use.

IT directors should not stand alone, but this will happen if you do not do everything possible to make sure risk levels are understood and shared.

Robin Laidlaw is chairman of security firm Iconium

Read more on IT risk management