Security Zone: defences must return business value

Security must be a primary business requirement with full support from the board, and should be an immovable object that the organisation works with, not around

Do you consider your finances, personal information and standing within the community as something you should protect? Why then do you not hold in such high regard the security of these within your business? Is security an add-on within your business or is it a primary business requirement?

Security starts at conception

Security has to be discussed at the conception of any idea and continue all the way through any decision, with full support and governance from the board.

Failure to take security as a primary business requirement will lead to loss of business value, reputation, revenue and credibility, and responsibility for this failure ends with the board.

Many still do not see IT, never mind security, as a valued cog in the mechanism that delivers business value.

Take one example: in 2006 about 20% of the payment card industry made no effort to address a specific security-related requirement, PCI DSS, leading to countless tactical deployments that failed to fit smoothly within an organisation's infrastructure services and so affected security across the business and across all of its technology.

An immovable object

In this age where threats are all around us, security should be an immovable object that you work with, not around.

PCI DSS is just one of these immovable objects, and if your business stores, processes or transmits payment card data, you are in scope for enhancing security.

Although aware of such enforceable guidelines as PCI DSS, some businesses fail to understand the implications, let alone the extensive requirement, for re-engineering of systems, services, processes and procedures to address "good" security. Adding security at the end can be expensive and will often be a weak compromise.

Initiatives like PCI DSS are becoming commonplace. Marketplace institutes and industry bodies are laying down the law and businesses need to think about security from the very top, down to every nut and bolt that holds the organisation together.

Many decisions on large parts of the machinery that drives the business are delegated to individual departments or specific individuals, who promote solutions before considering security.

Without top-down governance, such practices are open to countless security issues. Some do not engage early enough in decisions and allow isolated decisions to flourish without inviting all parties for input.

Common mistakes

PCI DSS aside, failure to address or apply security often manifests itself as ill-formed decisions.

These decisions include: failing to view a system as a business function; failing to communicate as a single entity, with a single viewpoint and a single vision; and treating a system that fulfils the department's requirements as "good to go", missing the point that to be of true business value it should meet the business's requirements (for the department) and not just the department's requirements.

When news of the theft of millions of card details can be flashed across the world's TV screens, some still focus on reducing cost as their primary goal without fully considering other factors, which could cost the company dearly.

All decisions need to return business value and not leave a business vulnerable.

● David Gregg is a technical and security consultant, certified network and solution architect, and project manager at The Logic Group
