IT security

Sony, SEGA, the CIA, FBI, US Serious Organised Crimes Organisation (SOCA), Marks & Spencer (Epsilon) and Citigroup: a diverse group of organisations who have all suffered serious IT security breaches in 2011. Managers across the globe are wondering whether they will be the hackers’ next target.

h2index has just completed research into IT security for one of the world’s largest pharmaceutical companies. The participants came from a wide range of large global companies including consumer goods, financial services, chemicals, insurance and telecommunications. The brief explicitly called for contributions from companies that are being innovative in their approach to security.

Phil Hopley, partner, h2index: “We never have any difficulty finding the right participants for our studies, but nonetheless we were surprised by how many companies wanted to take part and by the level of participants’ seniority. As well as directors of information security, a number of CIOs insisted on taking part. It’s obviously a hot topic.”

The IT security topics covered by the study included:

  • Working with external business partners
  • Mergers & acquisitions or divestments
  • Impact of new technology on security
  • Building a security culture

The participants’ views were remarkably consistent. Data breaches are a fact of life if companies are going to collaborate, innovate and use the internet. Technology alone cannot maintain security; the way forward is to design business processes to manage the risk and to check that those processes are properly implemented. There was a strong belief that employees at every level had to be aware of the IT security issues and follow the processes to manage them.

Everyone agreed that the world was changing rapidly, with several new business drivers forcing security practices to change:

  • Not only do companies use more partners, but they also compete to work with the best
  • Consumerisation of devices and home working
  • Businesses need everything done quickly
  • Increasingly, companies have direct contact with consumers where they used to work via intermediaries

These business pressures affect every part of an organisation and, combined with the risk of data breaches, mean that security has shot up the agenda on operating committees.

Securely managing an ever-growing number of business partners was an important issue for nearly every participant, with one company reporting an astonishing ten times as many business partners as employees. Again, good business processes were seen as the best route to security, with a “trust and verify” approach used to generate a spirit of openness in which partners felt able to report data breaches responsibly without fearing they would inevitably lose the contract.

Overall, IT managers felt that they had moved from guarding to guiding. As guards, they used to prevent users from doing many things on security grounds. By providing the technology, policies and processes, they now guide the business to understand the risks and decide accordingly.

Phil: “IT security used to be seen as the responsibility of a small team working in relative isolation: now everyone is responsible, wherever they are working. A key challenge for IT managers is helping the business to understand and accept this.”