Does Information Security matter?
Based on a recent article in SC Magazine, it apparently does matter to
the head of IT, whether or not that person is aware of the security
posture within the enterprise. As soon as data security has been
compromised and the news is on the front page, someone in the IT
department always seems to get the axe.
But should the IT department be held responsible for overall
information security? Business requires reliable information
security to ensure company information is well protected. A lack of will or
means to protect company information assets won't make business partners
comfortable. Information security cannot come from the IT department
alone. When was the last time an IT department asked for a new privileged
access management solution and had it denied by the business? This is a
common story from IT managers at conferences.
At a recent event, I was having dinner with a group of seasoned security
professionals. We started to talk about what IT security means for an
organization. Some spoke of security management that focuses on things
like the number of vulnerabilities found and remediated. Others spoke
about how they kept hitting a plateau in the number of
workstations patched with the latest antivirus. But those remediations and
vulnerabilities wouldn't matter to a business person unless they mattered
to the bottom line. One thing we found in common: businesses still have a
tendency to sign off on acknowledged risk until they are required to be
accountable for the security issue.
It is like driving a school bus without adequate maintenance and
insurance. The bus is full of children (e.g. customers/employees
unaware of risk) who were assured by the bus operator that everything
possible has been done to ensure the safety and security of riders.
Meanwhile, the operator is rewarded by operating several bus routes
until one day a bus crashes and many innocent lives are taken. It's
not the bus operator's intention to cause any harm. As long as one
can get away with making money without incurring cost to beat out the
competition, there will always be someone who is willing to turn a blind
Information security is similar in many ways. If you don't keep your
information security up to date, sooner or later there will be an intruder
roaming around the network. It would simply be a matter of
time until your business operation faces the truth that many customer
records have been stolen, or the intrusion shows up on the news.
Businesses tend to ignore information security when it doesn't appear
relevant to the core business process. But the reality of the
matter is, many business-critical processes today run on information
- Sending email to confirm orders with your customers
- Finding delivery routes using online maps and GPS
- Receiving payments through wire transfer
- Processing payroll for your workers
- Online payments to your vendors
- Social network marketing
- Process and resource planning
- Research for purchasing supplies
- Processing customer orders from ePOS
- VoIP or PBX/IP telephone systems for making sales calls
Most likely some of your business operations depend on information
technology. How much would it cost your company if your business operation
were disrupted for hours, days, or weeks? Does it cost your company money if
you cannot deliver products to your customers on time? How much would it
cost your company if you couldn't file your tax return on time? What would
it mean if your business just lost most of its customer records because of
weak application security?