IT security pros must enable business to win support

Business has traditionally tackled the problem of data security by spending money on technology, but a growing number of security experts say this approach is misguided.

The problem cannot be solved by technology alone because it is not purely technical in nature, says Craig Lunnon of OneSecurity at PricewaterhouseCoopers (PwC).

"Although technical defence is vital, systems are inherently vulnerable to both negligent and malicious acts by people," he says.

"Technical solutions are too frequently being prescribed for people problems," says Lunnon.

The real challenge for IT security professionals today is learning how to influence people's behaviour, says Mark Murtagh, technical director at content filtering firm Websense.

"Security needs to shift towards being an influencing mechanism," he says.

But how should IT security professionals go about achieving this new approach?

Gaining a good understanding of how the business works is a good way to start, and then enabling the business to achieve its objectives in a way that is secure, says Murtagh.

IT security professionals can integrate security with the business by being enablers, he says, rather than seeking to impose limits on what people in the business can do.

Seeking to increase the influence of IT security in the John Lewis Partnership, information security co-ordinator Louis Gamon has found secure ways to enable new technologies.

In the past two years, he has found ways to allow access to social networking sites like Facebook and media sharing sites like YouTube by putting in the necessary controls.

"You have to listen to the requirements and expectations of people in the business," he says.

Failure to do this will result in a loss of control, he says, because people tend to find ways to work around obstacles.

Of the 10% of companies that do not allow social networking, 9% believe that employees are still using it, says Dan Hubbard, chief technology officer at Websense.

"IT security professionals need to help balance risk and reward by enabling new technologies in a safe, productive way," he says.

By making things happen, IT security professionals can change the business's perception of security, says Hubbard.

Another strategy Gamon uses to engage the business is to get feedback from focus groups to find out what they need and what works for them.

But, he says, everyone has to do security awareness refreshers each year to remind them of their security responsibilities and the role they each have to play in keeping data secure.

Alongside social media, cloud computing has attracted the attention of the business because of the obvious benefits of rapid deployment at lower cost.

Rather than pushing back, security professionals need to engage with cloud computing, says Rashmi Tarbatt, chief security architect, EMEA at RSA, the security division of EMC.

Cloud computing not only promises to meet a wide range of business needs, but also presents an opportunity to improve security, if security teams are involved, she says.

New technologies, like those used in cloud computing, will help organisations mitigate newer risks, and will improve security by enabling tighter controls.

"Virtualisation technology, for example, enables organisations to apply security policies to the data and that travels with the data wherever it goes, which is an improvement on the traditional environment," she says.

Some IT security professionals are starting to look at adopting new technologies to better protect organisations and manage the risk, but some are responding faster than others, says Murtagh.

Adopting new technologies is important because, in the past, information security has been all about infrastructure security, but that is no longer good enough to deal with the new kinds of threats that are emerging, says Hubbard.

Moving to new technologies presents an opportunity for businesses to rationalise their data security systems, consolidate, and improve the level of protection, he says.

By getting the technology right, security professionals can add value to the business and increase interaction with the business.

This will make security a greater part of every business decision as well as help IT security professionals to recruit every member of the organisation to be the first line of defence against data leaks, as recommended by the latest PwC report on security.

What is required, the report suggests, is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against continued investment in technology.
