The right balance between user responsibility and technological controls is key to effective IT security, says Paul Jay, head of information security at the Camelot Group, operator of the national lottery.
Security is not purely the responsibility of IT users or of IT security control systems, as neither can ensure data protection on their own. Both need executive-level understanding and support, he told Computer Weekly.
"We are a relatively small company, but have massive exposure in the internet because of all the gaming services we offer, so everyone within the company needs to have a high level of responsibility," he said.
According to Jay, security is everyone's responsibility and it is impossible to deliver an effective security strategy unless everyone working in an organisation understands their security obligations, driven from the top by company executives.
"The technological controls have to be backed up by policies, procedures and performance measures to provide a comprehensive, layered defence system, but those controls must also be intuitive and transparent," he said.
A good way to engage employees is to explain what the risks are, said Jay, and what the consequences would be if those risks were not managed.
Making people aware of their security obligations, such as the correct handling of personal or sensitive data, is also not something that can be done once at induction, said Jay.
"Camelot Group does general security awareness training at induction, but we also have rolling programmes that are updated continually to keep employees up-to-date with things like the payment card industry data security standard (PCI DSS)," he said.
Jay is to be one of the panellists debating whether it is all the user's fault when information security goes wrong, at Infosecurity Europe 2010 at Earls Court in London from 27 to 29 April.