The business value of balancing openness with security to manage risk

The risks to businesses of using social media are a hot topic, but they are indicative of a much broader challenge facing not only business but also government, publishers and regulators: how to balance openness and collaboration with security and confidentiality.

The Wikileaks controversy has highlighted that managing the needs of the state, the business organisation and the individual is a highly complex balancing act, but as the value of data continues to grow exponentially, how do we establish and maintain a balance between the individual's rights to information and the need for political and corporate confidentiality?

The power of social media

These are not new issues, says Edmund Burton, chairman of the Information Assurance Advisory Council (IAAC), but they are much more immediate and important in the light of the power of social media, where anyone and everyone is able to publish information around the world in an instant.

The problem, he says, is that corporate policy, legislation and regulation have lagged behind technological innovation. The point is well illustrated by the furore over the traditional press being gagged by super-injunctions while social media sites appear to flout such orders with impunity.

In the world of business, he says, this means that the education around the risks involved in sharing information needs to be addressed at all levels.

Social media policy

A growing number of information security professionals are beginning to emphasise the importance of regular security training and awareness programmes as an effective way of keeping the issues uppermost in people's minds.

It is also important, says Burton, to identify the principles that those responsible for corporate policy, and indeed regulation and legislation need to bear in mind.

Never before has the threat been as great, says John Suffolk, former government chief information officer and senior information risk owner, with professional malware suppliers now even offering guarantees on their products in the form of service level agreements (SLAs), presenting a serious threat to data protection.

In the light of unprecedented threat, does government have a role to play? Should government step in to bring all suppliers and corporates in line with tough data protection legislation?

Restrictive legislation should be used only as a last resort, says Suffolk. Government, he says, should instead seek to inform citizens of the risks in a non-emotive way and collaborate with technology organisations to develop standards, frameworks and tools aimed at enabling citizens to protect themselves.

Protecting personal customer data

Citizens, in turn, have a role to play as consumers, says Peter Erceg, director of IT security and risk management at mobile operator Everything Everywhere. If consumers demand that organisations protect their personal data, businesses will more easily come to understand and appreciate the long-term business value of data protection, rather than viewing it only in terms of compliance.

"Businesses should move away from compliance to a marketing approach in which the company promotes itself on the basis of what it is doing to safeguard the personal information of its customers," he says, so investment in data security is driven by business reality, not compliance.

The publication of thousands of US diplomatic cables by Wikileaks is a prime example of what is now commonly referred to as the insider threat, where someone with legitimate access to information is able to leak information, says Suffolk.

"The reality is that everyone in an organisation, public or private, has a role in ensuring defence in depth, and for this reason, user monitoring has got to be in frame," he said.

Building employee trust

Although technological security controls are important, they are not enough on their own.

Mohan Koo, managing director of security monitoring firm Dtex Systems, says an organisation can have all the controls in the world, but if a company does not have the trust of its employees, the risk that they will act against the business is much greater.

"Companies should not overlook the importance of trust and loyalty, and should make employees aware that they are responsible for sensitive personal data, explain why it is important to keep that data secure, educate them on how to do it, and reward them for doing so," he said.

This means organisations have to understand fully what makes data sensitive, says Erceg, so they can identify exactly what information they want to protect and why.

Understanding and monitoring potential security risks

However, says Koo, if things go wrong, organisations need to have monitoring systems in place so they can know the instant data goes missing and can look at why it was possible so that they can eliminate that vulnerability.

"Outsiders are continually targeting insiders within IT groups, security, HR and legal departments they have identified as having some vulnerability that can be exploited," he said. This is yet another reason why building trust with employees and other third parties is key.

Third parties are especially important as organisations become increasingly reliant on global supply chains, says Suffolk. Where an organisation relies on kit that comes from all over the world, defences need to be structured accordingly.

The more employees and business partners are educated and well-informed about the threats, the more organisations can reduce the risk, says Koo, and managing supply chains is as important as managing internal processes.

Risk is at its lowest, he says, in organisations where boards understand the problem and lead by example, rather than in those that wait for a crisis and then tighten the thumbscrews on employees, which increases risk by failing to manage the process.

Security in business terms

Another element of the problem, says Erceg, is that security professionals are not good at expressing risk in terms that business people understand. "This is a common failing across the information security industry," he says.

According to Erceg, many information security professionals still need to understand the language and drivers of the business so they can use those to express the risk.

A model that has worked well across the public and private sectors is the appointment of an information management champion, but Burton says the issue of leadership is a complex one, and boards need to ask themselves what implications the openness of the information age has for their style of leadership.

All stakeholders need to come together to share ideas on what has been learned in the past 35 years to engender fresh thinking, says Suffolk, because in the face of new technologies that enable the flow of information, stakeholders need to do something different.

This new thinking, says Burton, should establish information as a critical business asset that must be protected accordingly.

Action plan for balancing openness and security

  • Boards must examine what the new world of openness means, in terms of opportunities and risks, to come up with a plan that deals with the human and technological factors.
  • Governments must engage with industry to establish standards, and follow through on those standards, thereby leading by example.
  • Businesses must recognise their dependence on global supply chains and structure their information management processes accordingly.
  • Companies need to see business opportunity as a key reason for managing information well, rather than compliance.
  • Information security professionals must learn the language of business and ensure that the language they use resonates with all stakeholders.
  • Organisations in both the public and private sector must seek to establish a community of informed users, where everyone understands the threats and acts accordingly.
