In the early 1990s, the company I worked for invited me to transfer from IT and networks to audit. I joined a small group charged with auditing the company’s networked computer systems in Europe, including company internal trans-border connections, connections to third-party systems and client connections.
What was ingrained into me during my audit training was the need to understand the business of the business unit to be audited and the exposures – not just to that business unit, but to the business as a whole.
That necessity to understand business exposure and using that knowledge to inform the audit process has stood me in good stead ever since.
There is, of course, a subtle difference between exposure and risk. A risk can be very small but could, if the worst came to the worst, lead to a massive exposure for a business. So looking only at confidentiality, integrity and availability is not sufficient these days, and in reality it never has been.
The mid-1990s saw me as a self-employed IT auditor, and in the late 1990s I moved over to information security consulting. In practising my craft since the early 1990s, I have come to notice a number of information security-related common strands that can affect a company’s business risk and exposure.
Security should not take a back seat
My first observation is that while many organisations do have a security group, that group generally deals only with physical security, the business opting to throw IT-related security over the fence to the IT department to sort out. Often, IT security is a role assigned to a member of the support team, and the expediency needed to sort out day-to-day IT issues means security takes a back seat, which in turn leaves security as an afterthought in many projects.
Given that in many companies IT security is handled by the IT group or department, my second observation is that there is a general lack of knowledge or understanding within IT of their company’s business from the viewpoint of business risk and exposure. This leads to budgets and project funding requests often being savaged because business risk and exposure are not being articulated well, or not articulated at all.
My third observation is that company boards generally have direct (business) audit representation, but IT representation is often provided by a director looking after a number of portfolios. Direct IT representation occurs only in larger enterprises, and IT security, if it is represented at all, is lumped in with IT.
What can the security professional, or the person in an IT department charged with infosec, do to reduce a company’s business risk and exposure? A good question. But it doesn’t start there.
Gain allies and change mindsets
First, security – and IT security in particular – has to be a board-level issue that is on every board meeting’s agenda. This is possibly a cultural issue within a company, but it is one that must be tackled and won.
Peter Wenham, BCS
The person charged with IT infosec is going to have to work to gain allies and change mindsets. They are going to need to work to ensure they are involved early with projects, and ideally from inception – even simple ones such as system upgrades, adding new connections, and so on.
They are going to have to talk to and work with the business, including audit, to gain a good understanding of the business and the risks and exposures as seen by the business – for example, reputation, loss of client confidence, loss of intellectual property, inability to communicate externally for an extended period, false news on social media and many others.
This knowledge combined with a very good understanding of IT and how it supports the company, together with keeping abreast of external security developments, should enable that security professional to not just communicate effectively with senior managers and the board, but also ensure that projects and expenditure on information security are meaningful and justified.