F5.5G Leap-forward Development of Broadband in Africa The Africa Broadband Forum 2024 (BBAF 2024) was successfully held in Cape Town, South Africa recently, under…
Here’s how security has changed in the business context
The past few years has seen information security undergoing a radical transformation. A discipline once seen as no more than a necessary evil, security tools have become an integral part of the business strategy. There is no doubt that innovation is now a vital part of the business strategy too, and at the core of all critical innovations is the secure exchange of information.
Information is the currency of the new economy. All businesses are reliant on the data we create and share, and at the same time, we find ourselves at war with unseen criminals who are trying to steal that information. The goal of any security business is to protect the data and manage the risk.
CSOs who are succeeding, are driving closer relationships between business innovation and security, and a large part of this is having a good security strategy in place.
Without the strategy, business innovation will not happen, and the company will be at risk. Moreover, too often we see the case where the business and security teams operate as disparate entities, and security is applied as an afterthought, instead of being built into the strategy from the ground up.
What they don’t realise is that it’s far more effective and far cheaper to build security in from the start, rather than slap it on at the end. Security practitioners need to work with the business, to understand what the key business objectives are, and ensure that security is built in accordingly.
A good place to start is to take a risk-based approach. Understand what the risks are, and how important information security is to the business. The understanding of risk needs to be an element in all investments and in all operational processes. This needs buy-in from the executive team or it will be entirely ineffective.
Companies need to find the balance between what they are prepared to spend on security tools and measures, versus an acceptable level of risk. Risk will never be wiped out entirely. Decide what the most valuable business assets are, and start protecting those first.
Determining what the most sensitive and valuable data is, and where it lives, is the first step towards preventing data loss, as is determining who has access to that data, and ensuring principles of least privilege. Understanding risk is crucial when deciding which tools and measures to implement to prevent data theft or loss, and it is now that security practitioners need to balance the amount they are willing to spend with the amount of risk they are willing to accept.
Business must be able to answer questions around what controls should be implemented, who is allowed to access, move and edit data, as well as what to do should these policies be ignored, or should there be an attempt to change or send this data outside the organisation. These are all elements to establishing what the reasonable and acceptable risk threshold is, and can be quite the balancing act between costs, risks and not smothering innovation and productivity.
Ultimately, it is about supporting the main business initiatives while meeting compliance requirements. Security must be seen in the business context.