With the bank failures of recent weeks, more pending redundancies and a continuation of the downward slide, should we be concerned about lax security? Is someone minding the store while all this is going on or should we be doing something more when the banks are going bust?
Winter has arrived unseasonably early this year: challenging market conditions have brought a freezing and reassessment of corporate budgets, writes Peter Drabwell CISSP, European advisory board member at (ISC)2. Organisational departments face increasing pressure to justify their value to the business, and IT Security is not immune to this approach.
The value of business assets (for example, intellectual property, client data and service availability, managed in-house or via third parties) does not diminish during a downturn. During such times, there is an increased emphasis on the identification of key business assets and the mapping of a formal, consistent, and proportionate security strategy. This is an opportunity to demonstrate the value of the security practice by adopting a standard risk assessment methodology and ensuring that business assets and effective controls are correctly aligned.
Threats to business assets typically increase during a downturn. Common sources include disgruntled or disillusioned employees, through careless or deliberate activity, and dedicated employees with an increased temptation to circumvent process controls to win extra business in a dislocated market. While the latter may be performed with the greater good in mind (and can often be an unforeseen consequence of staff incentive schemes), such control shortcuts expose the business to unnecessarily high levels of risk. Extra vigilance, awareness, enhanced employee communication and inter-team collaboration can help mitigate risk in this area.
Organisations also seek to diversify service offerings to win new business and guard against overdependence on existing activities. Risk assessment challenges reflect cross-border data requirements, operating standards in emerging markets and the evaluation of new technologies (for example, VoIP, virtualisation, cloud computing), some of which are relatively unproven from a security perspective. The creation of a security solutions catalogue, including corporate-approved service offerings, costs and key points of contact, can greatly enhance the roll-out of new services.
Data assets are not diminished during a downturn. IT security should play a fundamental role in risk assessing the estate, deploying proportionate controls and monitoring their effectiveness. It should also prepare organisations to take full advantage of the future opportunities that will inevitably arise when the markets turn once again.