http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=3147&pubid=5&issueid=76

By Victoria Ho
CIO Asia
December 2005

"Security trends have constantly been on the top three lists in magazines and surveys," said George Wang, Chief Information Security Officer, Asia, Reuters Asia Pte. Ltd., in his keynote speech at the IDG World Expo SecurityWorld Conference & Showcase in Singapore last month. This indicates just how much priority IT professionals place on security, which was also reflected in the full house at the day-long event.

Addressing the issue of security failure, Wang attributed it to three factors: people concentrating too much on security itself, security measures not aligned with business strategy, and a communication gap between senior management and IT professionals.

All Out of Magic Bullets

Seeing the "big picture", he said, begins with positioning - that is, establishing a security position that suits both company resources and business direction. "It has to be a long-term commitment and sustainable," he said.

Along the lines of business strategy, the plethora of factors requiring consideration stretches from corporate positioning to the culture of the organisation. "Does your risk strategy suit your company's security culture?" asked Wang. Battling with legalities and regulations sometimes places a damper on an organisation's capacity to pursue the right security measure. Proper risk assessment is also crucial in establishing a company's "risk appetite" - how much risk it can comfortably afford to handle within its security plan. Corporate culture is important too, he said.

He addressed the problem of the communication gap that exists between senior management and the executives proposing the security measures, saying that the problem lay with ineffective explanation of security objectives. Senior management is often not aware of, or concerned with, the measures.
"Transform management into stakeholders," he recommended, so as to place personal interest in the hands of management. The transparency he advocates is seen in his other measures for clear and elaborate communication: not just upwards with management, but across the departments as well, "so that security gets embedded in the value chain."

Engaging the entire organisation involves the technical people as well as Legal, Human Resources and even Public Relations (PR). Wang pointed out the importance of preparing a PR strategy to handle situations, be it an emergency or simply to better communicate with clients, in conveying the organisation's security strategy, or collecting their opinions and additional requests.

Customising the company's security policy in this way also creates a uniqueness Wang feels is necessary for an organisation to work. "Conventional best security practices do not make strategy. These are tactics, applicable to all," said Wang. "Strategy is unique to your organisation." This brought him back to his earlier point on sustainability, because only through customisation would a company be in a better position to tailor solutions to resources. It may be elementary, but it is still worth highlighting how pointless it is to shoulder a security policy that has a short life span and drains the resources of a company, no matter how watertight or textbook-perfect it might appear to be.

[...]
This archive was generated by hypermail 2.1.3 : Thu Dec 08 2005 - 07:45:58 PST