security-management

I asked criminals whether security measures ever deterred them.

This is what I learned

Ask offenders why they choose the target they do and they often reply: Because it was easy. And this is true despite the fact that security measures are in place. This tells us there is a real difference between having security and having security that works, Indeed, offenders tell me when I interview them in prison that they rely on security not being excellent; when it is excellent it puts them off.

So the key question is not the difference between poor security and good security as it is all too often mistakenly framed it is: What is the difference between good security and excellent security? That is the key question to address as we move forward. Some people say that the trouble with security measures is that they can all be circumvented, that nothing works. I believe this to be taking the wrong emphasis. The truth is everything works but only when effectively delivered developed and matched to risks in context. Now despite what some people say this is a really difficult task. Underestimated skill sets Many, including in my view many security professionals, have underestimated the skills sets required to be excellent at security. It is serious stuff. Think of it like this.

Every business process is a potential security risk. An excellent security professional team will understand all of these. Every single person is a potential security risk. Every excellent security team will understand all corporate roles. Every business process and every person will in fact be a key ally in excellent security. Security people who are excellent will understand the business, the risks, internal and external threats, match measures to risks, be proportionate, take account of freedoms, be sensitive to the aims of the business and ensure security complements these. Good measures needed to be matched by well trained people and they needed to work together and that rarely happened It is for this reason that I have been involved in developing the Outstanding Security Performance Awards . I think there is a good case for having standards, regulation and training; they are all in different ways potential contributors to good security and maybe excellent security too, sometimes. But we must realise that excellent security requires business expertise, a deep knowledge base, an ability to relate to many business departments (and therefore there is a requirement to understand them), and to engage people meaningfully in supporting actions that are not always their core interests.

I recall an interview I had with an armed robber a few years back now, but the message sticks with me. I was talking to him about the risks of getting caught, pretty serious if you are an armed robber. I thought this would be a constant worry. He said that he never worried. Assuming too much He was a prolific robber and rarely got caught. He argued that the trouble with security measures and security personnel was that they assumed too much. His point was, put simply, that good measures needed to be matched by well trained people and they needed to work together and that rarely happened. Well he was caught in the end of course although he said he was grassed (maybe, a lot say that!). Security needs to speak up for itself, argue its case: that it is a key business function, enabling the organisation to make a profit even in risky contexts.

Security people excellent ones at least are crucial parts of business, not nice to haves. We have shown this time and time again in successive Security Research Initiative reports. The question is: Is the security sector and its personnel ready for the challenge? Professor Martin Gill among, by the way, our Top 50 influencers in security and fire 2017 is sitting on a panel discussing current trends and the future of the security industry at IFSEC International 2017. Details below: Professor Martin Gill / Current trends and the future of the security industry / Security Management Theatre / IFSEC 2017, ExCeL London / 20 June 2017 / 10:20- 11:10 IFSEC International takes place between 20-22 June 2017 at London ExCeL. Get your free badge now. Visit Europe s leading security event in June 2017 Visit IFSEC International for exclusive access to every security product on the market, live product demonstrations and networking with thousands of security professionals. From access control and video surveillance to smart buildings, cyber, border control and so much more. It is the perfect way to keep up to date, protect your business and enhance your career in the security industry.

Click here to register your place now to join us at London Excel on 20 22 June 2017.

Top Down Security (or How To Learn To Love Information Security …

Originally published on the Darlingtons Solicitors Blog1 23.11.12

You say the word security to people and get a variety of responses or perceptions. Some people think of manned guarding and a nice guy who works the barrier and checks the CCTV images to keep everyone safe. Others go a bit Mission Impossible and imagine consultants dangling from wires, testing floor pressure pads in secure areas whilst hacking into the Pentagon.

And yet more others regale you with tales of every night club they have been asked to leave by a man in a black puffy jacket.

This post is not really about any of those perceptions, it is about a business enabler and how it is placed in successful organisations. I can appreciate that compared to Tom Cruise dangling from the ceiling this may appear dull, but as far as business goes, it s a bit more useful.

According to the Ernst & Young Global Information Security Survey 20122, there is a real gap between where Information Security sits within organisations and where it needs to sit. As Security Consultants we know this to be true and are also aware that other disciplines, FM for instance have also had a bit of a battle to get a voice in the boardroom.

Given the interconnected nature of so many business areas, joining the dots and having top-down policy and behaviour, has never been more important.

Milky Way and our Solar System image Ecology.com

As we are talking about Information Security (IS) let s put it in perspective. IT security is the vital technical security of IT such as firewalls, encryption, password policy, patches etc. How an organisation behaves with regard to security of information is a much larger area. (If the organisation s use of Information were the Milky Way for instance, IT might be our solar system see picture).

The rest of the organisation uses information in a myriad of ways, not always electronically and not always on a device (at least not one that IT is aware of ) the rest of the organisation may be vast and so the potential for compromised information is exponentially increased. Especially if everyone thinks that IT do security .

IT departments traditionally do not have a formal risk assessment mechanism. Risk is something a whole business faces not simply the systems in IT important as they may be.

An organisation s IS needs to be aligned to its Risk Appetite but if accountability for it is placed in IT then realising this will be challenging.

Business solutions are not always technical or IT based.

At the end of the day the users are people and people make mistakes or behave in questionable ways. Around 80% of data breach is generally accepted to be human error or malice. Technology can t mitigate all of that risk; you need to consider policy, procedure and education of these concepts through your organisation.

Hopefully you can see now why we are moving out of the realms of IT and into the realms of business centric solutions that cut across silos, not reinforce them.

Risk is a part of business, without risk there is no innovation and nothing can exist for long in a vacuum. Therefore it is vital to know how far you can push something before it becomes too great a risk. Not from an instinctual level but from a tried, tested and accepted level that comes from the boardroom via regular review.

So understanding your organisation s risk appetite and tolerance is vital. Aligning your IS policy and procedure to that appetite seems logical if not essential, yet 62% of organisations surveyed did not align IS to Risk Appetite.

How then can an organisation securely implement something like Bring Your Own Device (BYOD) which sounds on the surface like an IT project which won t be aligned to Risk Appetite? So in other words, the risk attached to allowing employees to use their own devices, which may mean access to corporate networks and drives, access to sensitive information, has not been assessed in terms of the business s overall appetite.

So rogue apps (which we hear about every week) for instance could be scalping data from the device on a regular basis and the user would be unaware. Previously, it was the user s data alone that was compromised, with BYOD the scope of data available increases vastly as an organisation s information assets open up to that user.

The Ernst & Young survey highlighted the need to bring Information Security into the boardroom. Perhaps asking who owns the risk or who is accountable for the Information risk is where to start.

Well according to this survey only 5% have Information Security reporting to the Chief Risk Officer, the person most responsible for managing the organisations risk profile. Placing responsibility within IT can cause ineffective assessment and alignment with not only Risk but with Business priorities.

If 70% of the respondents are stating that their organisations IS function only partially meets the organisational needs, it becomes clear that this is a ship that has set sail without a map. IS needs C level direction and input, it needs to have the support of the board, be implemented and understood top-down and really start to make a positive impact on business growth by enabling it to happen securely, with threat and risk awareness, accountability and mitigation.

It was initially encouraging to read that almost 40% of organisations planned to spend more on IS over the next 12 months.

But on reflection, if this is going to be mainly directed by IT departments unaligned to Risk, unconnected to the board and occupying a similar space as the sun in the Milky Way or an organisation s Information usage, it is doubtful that the dissatisfied 70% of organisations who feel IS is not currently meeting their needs, will reduce.

What is concerning is that this could end up looking like wasted spend on Security, when in actual fact it is merely a potentially unwise or undirected spend.

The upshot could be through a lack of board level understanding, that future spend then has a line run through it instead of under it.

E&Y visuals security survey 2012 1E&Y visuals security survey 2012 2E&Y visuals security survey 2012 3All data sourced from Ernst & Young Global Information Security Survey 20123, all visual representation copyright of Advent IM and not to be reproduced without express permission.

About these ads4

Like this:

Be the first to like this.

References

  1. ^ Darlingtons Solicitors (www.darlingtons.com)
  2. ^ Ernst & Young Global Information Security Survey 2012 (www.ey.com)
  3. ^ Ernst & Young Global Information Security Survey 2012 (www.ey.com)
  4. ^ About these ads (en.wordpress.com)