Where possible, security measures should be designed in to a project from the outset – and not added on – to underpin good business practice and meet compliance/regulatory requirements, writes Peter Wenham.
The holistic view must be taken that security must be part of the wetware (humans) and the hardware (ICT). This recognises that humans are involved with writing code (software, applications) and configuring any hardware and software.
Balancing the business need for networks and applications that are agile and support the business against the need for security and regulatory compliance comes from understanding the threats, risk and impacts to a business and setting a risk appetite appropriate to the business.
For example, a company that develops its own products would be interested in protecting its intellectual property, but would not be quite as concerned about its public image as a finance company. A company that develops its own software would be more interested in ensuring its staff could write code in a secure fashion whereas a company that used off-the-shelf products would be more interested in being able to configure any bought-in application securely.
Where the set risk appetite is too aggressive, when things go wrong, they have the potential to go wrong in a big way.
Make the risk appetite too conservative, then the business may suffer because it is not agile enough in its market place. It is a balancing act and one that comes from a well-founded understanding of business and technology threats and the associated risks to a business.”
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.