Does your business have the stomach for risk?
By Jason Krupp | Jun 5, 2008
In a world where hackers, crackers, malware and viruses are increasingly climbing their way up the table of business threats, companies today are desperately searching for strategies to safeguard their organizations from the rising threat of critical data loss.
After the keynotes at the Info-Security Conference, five security experts tackled this difficult topic in a panel discussion.
Appetite for destruction
The panel agreed that companies must realize all organizations expose themselves to security risks everyday, and there's no way to totally secure their critical data while continuing to operate their businesses.
The key is to identify which risks are acceptable, and which aren't.
"We in IT are here to safeguard business information, but in the end it is all about the business's appetite for risk and how willing they are to be exposed," said Paul Siy, associate director and head of IT infrastructure for Macquarie in Asia. "Only when you know that can you implement appropriate security measures."
This sentiment was shared by John McCormack, senior VP of product development for Websense, who said risk appetite depends on the type of business and how important data security is to the enterprise.
"'Risk appetite' means something different to each company," said McCormack. "If you have high regulatory control, you're going to want to start there. There are other companies whose intellectual property is their company, so that's their focus."
The panel further stressed that businesses must also realize that even securing data within carefully defined risk areas is an almost impossible task.
"Unless you have unlimited budget, you have to classify your information and focus on the most critical data," noted Lawrence Lo, regional chief security officer for AIG.
"That way you can decide on what needs encryption or additional security measures without putting too many processes in place that will interfere with the running of the business."
Power to the people
Another key element identified by the panel is the need to factor the human element into the equation.
"The great majority of data leakage comes from employees not knowing what to do, so they end up not doing the right thing," said Pierre Noel, a risk management and information security specialist for IBM.
Noel stressed the need for companies to articulate their information security procedures in a comprehensive policy document, and reinforce this with user education to ensure that employees are familiar and comfortable with what needs to be protected and how.
However Thomas Parenty, managing director of Parenty Consulting, pointed out that policy and education are not a magic bullet, and designing the security architecture to optimize compliance is equally as important.
"Every time a user needs to make a security-relevant decision it's a potential vulnerability, either because they don't know what the right decision is, or they maliciously make the wrong decision," said Parenty.
"It is our responsibility in designing these systems to minimize the number of security-relevant decisions users have to make, then make it easy for them to do the right thing."
Preparing for the worst
Ultimately the panel advised delegates to prepare for the worst, as data breaches are a matter of "when", not "if."
"It's important that everyone knows what to do if you lose data--what you need to do in the next three minutes, not the next three days," said Lo.
This sentiment was shared by Noel, who advises his clients to develop a clear and rapid escalation mechanism.
"Test this once a year--don't rely on what's written," he said. "Learn about your weaknesses and adjust so that you will be ready when the problem does arise."