The rapid rate of technology change is emerging as one of the biggest threats to information security. That was the key message that emerged from Infosecurity 2008 last month.
Government research has shown that companies implementing newer technologies such as instant messaging, voice over IP, wireless networks and remote access are twice as likely to suffer a security breach.
Bruce Schneier, chief technology officer at BT Counterpane, told the conference in London that because technology changes processes rapidly, there is not enough time to develop effective responses to specific threats.
The systems organisations are using to ensure information security have themselves become extremely complicated.
The result is that many organisations are not effectively mitigating their security risks despite knowing more about the risks and spending more on security. Others have simply lost sight of their security objectives because of the sheer complexity of the technology involved.
In contrast to security suppliers that continue to add to the layers of complexity by touting silver bullets in the form of encryption, consolidation, centralisation, and de-perimeterisation, researchers and advisors are saying that it is time for IT departments to get back to basics.
According to Geoff Harris, president of the UK chapter of the international Information Systems Security Association (ISSA), many UK organisations still do not have basic security controls in place.
Benjamin Jun, vice-president of technology at US-based Cryptography Research, said organisations generally have further to go to meet security baseline levels for people, process and technology.
"Much of this 'return to baseline' process involves defining the steps involved in each business activity and finding the technology that maps well to protecting this activity," he said.
This approach is core to a set of directors' guides to managing information risk recently developed by the Information Security Awareness Forum (ISAF), Information Assurance Advisory Council (IAAC) and BT.
The guides advise company directors to establish strong information risk management practices and support their staff by providing clear governance after covering the basics of determining the risks faced by the organisation and the level of risk the board will tolerate.
Although the government's latest biennial Information Security Breaches survey shows organisations are more aware of security and are spending more on security systems, security advisors say there is still a lot of basic work to be done. More than half (52%) of UK companies, for example, still have no formal security risk assessment processes.
Now is the time for all UK organisations to carry out risk assessments, set information management policies and establish governance processes to enforce them.
Organisations need to know what their information assets are, where they are located, their real value to the company and how exposed they are to leaks.
"Information security has to be managed because the alternative is a mess," said Chris Potter of PricewaterhouseCoopers, who led the 2008 government security breaches survey.
The survey report advises organisations to understand the security threats they face and use risk assessment to target security investment where it will deliver greatest benefit.
There is a growing consensus among advisors that good security comes down to a better understanding of the risks before meaningful controls of people, process and technology can be applied.
The only solution to complexity, said Schneier, was for organisations to take on board information from non-partisan sources such as academics, rather than from suppliers with vested interests in talking up their products.
Familiarity with the true nature and scope of the threats is key to organisations being able to deal with information security intelligently and effectively without getting bogged down in the complexity of information technology and technological security controls.