
Security Think Tank: Governance framework key to best security at lowest cost

How can organisations maintain usability and keep support costs low without compromising on security?

Responsibility for maintaining strong protection while supporting the technology and working practices demanded by users – at an acceptable cost – starts with an organisation’s governing body.

This body, with the chief information security officer (CISO) as a direct report, should treat information security as a critical business issue and set clear direction for information security and risk management in a strong information security governance framework, aligned with corporate objectives.

Using the framework, IT and information security must provide the business with technology and solutions that meet security demands and user requirements, in support of corporate objectives.

Mature information security functions work with IT and the business, acting as enablers rather than inhibitors. At the same time, the business accepts that some technologies and practices are simply too insecure to adopt (based on the organisation’s risk appetite) and instead works with information security to find alternatives.

Information security should never underestimate the ingenuity of business users: if these users can’t get what they need in pursuit of corporate objectives, they will find a workaround – which could be insecure.

As every CISO will know, keeping down the costs of providing information security support is challenging. A benchmarking exercise can help an organisation understand its current level of security and where the gaps are.

This analysis can then be used by the CISO to determine where funding is adequate, too low or too high; in the last case, there is potential to redirect that funding elsewhere.

Another option is to cross-charge business functions for providing specific services (often referred to as IT chargeback). This helps identify the costs associated with providing IT support (including information security), but it can be time-consuming and interpreted as an inhibitor rather than enabler.

Again, a workaround may be pursued by some business users to avoid any chargeback – but, of course, this means that risks will not have been assessed and are therefore not managed.

This was last published in March 2017
