By Hylton Stewart
Issues caused by the traditional approach to Security
In the last blog post, I covered some of the reasons why Information Security has traditionally been perceived with negative connotations within organisations. In this blog post I’ll highlight some of the negative consequences this has produced for organisations and therefore, why change is vital.
The traditional attitude and approach to Information Security within organisations has generally led to a disconnect between what the organisation is trying to achieve, and what InfoSec is trying to protect. This is made worse by a lack of understanding on both sides as to what the other is trying to achieve and how it is relevant to all within the organisation, and an inability to communicate on a common level.
The fact that most employees within organisations feel security is just there to complicate their job functions and stop them using systems that will improve their productivity, has led to continual tensions. Security is constantly trying to lock down and protect the cloud services and apps that employees use, while the employees are, at best, ignoring the imposed security guidelines and at worst, actively seeking to circumvent them. This leads to increased exposure of the organisation to risks such as data breaches and ransomware as insecure and unknown services are used.
Perhaps the worst result of this perceived negative connotation to anything security related, is that employees at all levels of the organisation (including senior management) will switch off and ignore anything that they perceive to be security related, leaving the organisation unable to protect itself from the many and varied legitimate threats present in today’s business environment.
The current conflict and lack of understanding on both sides of the organisation/ Information Security divide can rapidly lead to an organisation that is exposed to increased risks, which will ultimately affect the ability of the business to function and meet its objectives. This means that the current state of affairs will end up hurting the organisation in the long run far more anyway, even though the perception is that security is hurting the business in the short term.
Why Information Security needs to change
This disconnect between Information Security and the organisation is leading to an ever-widening gap that not only increases the organisation’s risk of serious financial and reputational damage, but also actually hinders the organisation from achieving its goals and objectives. If implemented and handled correctly throughout the organisation, with common understanding and communication, good Information Security is a business enabler and a great competitive advantage.
The threat landscape that modern organisations operate in is changing and evolving at a rapid pace, with new and more dangerous risks threatening all organisations every year. If Information Security and businesses cannot learn to communicate on a common level and work together, the organisation will face much greater risks.
How Information Security needs to change
I mentioned in my last blog post that Information Security needs to mature and join the C-Suite in organisations. This has less to do with the technical aspects of security, and much more to do with how the Information Security function within the organisation understands the business as a whole, including its objectives, way of operating, and environment (both internal and external).
There are two main objectives that Information Security has to meet in order to start becoming a partner to the organisation. Firstly, InfoSec professionals have to develop the ability to understand the organisation and its business objectives and risks. This will allow them to make recommendations that will actually support the organisation in achieving its goals in a secure manner, while protecting the organisation from harm.
Secondly, InfoSec professionals need to be able to communicate with senior management in a way that makes business sense to executives, as well as with all employees. This means leaving out the technical jargon and being able to articulate how the security recommendations align with and support the organisations goals.
Organisations will then need to set aside their mistrust of InfoSec professionals, and work with them to protect the organisation together.
In the rest of this series I will look at some of the changes that need to take place, mainly from the InfoSec side, but also from the side of organisations and senior management, for both Cyber Security and Information Security.
If you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: securitydivision@conosco.com
