The right security for the right reasons is a key theme at Infosecurity Europe 2010 in London as organisations seek strategic investments to exit the recession.
Security professionals typically add unnecessary complexity by failing to understand which threats they face and which assets they should be protecting, say several speakers at the event.
Most organisations are struggling to manage complex security systems that have developed through the accumulation of disparate point solutions from multiple suppliers in response to each new threat.
Many businesses are looking for a simpler, integrated security infrastructure, says Andrew Kellet, senior analyst at Ovum. But they need to identify exactly what information assets they have and what level of protection is needed for each before restructuring and committing to new investments.
But organisations often fail to secure data because they do not understand which threats they should be seeking to mitigate, says Professor John Walker of Nottingham Trent University.
Information security professionals need to understand the vulnerabilities in any new technologies the business is considering, to ensure they choose the right security controls, he says.
The right security controls are not enough on their own, but need to be complemented by user responsibility, says Paul Jay, head of information security at the Camelot Group.
It is impossible to deliver an effective security strategy unless everyone working in an organisation understands their security obligations, he says.
Those obligations are typically detailed in security policies and procedures, which will be increasingly important, says Stewart Room, partner at law firm Field Fisher Waterhouse.
Not only will such documentation help to ensure users follow best practice, but it will also help to keep information security professionals out of court if things go wrong.
Businesses need to understand that having top-quality policy paperwork in place is sufficient in most cases to avoid punitive action if the organisation suffers a data breach, he says.
Most cases focus on paperwork rather than operations because it is much easier for a regulator to work this way, says Room.
"In effect, this means in most cases that if the paperwork passes the legal compliance test, you can be excused operational failures," he says.
According to these experts, information security professionals should be aiming in 2010 to roll out the right security to protect the right assets, backed by the right policy documentation.
This approach will deliver enough security for the most valuable information assets without duplication or unnecessary risks of exposure to cyber threats or legal action, they say.
- Infosecurity Europe is on 27 to 29 April at Earls Court, London.