Information security needs to be the oil in the business engine, rather than the brakes, according to a keynote panel at Infosecurity Europe 2013.
In the past, security has been seen as the handbrake or even an immobilizer, rather than as a function that helps the business run smoothly. But that needs to change, a panel of information security officers warned. "Security needs to be integral to the business," said Brian Brackenborough, chief information security officer at Channel 4, the UK-based broadcaster.
Security, though, is too often seen as an inconvenience, or even a hindrance to the business. Sometimes that is because security measures are designed without enough consideration of the business' needs; often it is because security teams fail to talk in the business' language.
"If IT is 20% of the business and those using the services provided by IT is 80%, then find out the language used by the 80%," advised James McKinlay, IS assurance manager at Manchester Airports Group. "I don't believe enough people leading information security functions have set out their strategy, in the style of strategy papers used elsewhere in the business… you need to be aligned to the business goals."
Simon Lambe, global head of IT at Dyson, pointed out that in his organization, founder Sir James Dyson takes a personal interest in issues such as data protection, so board-level awareness is not a problem. "But engineers have to understand what is in it for them," he said.
"It may take us five to six years to develop a product or a component and we apply for intellectual property protection as late as possible. If that information leaked out [prior to that] we would lose that investment."
At Channel 4, Brackenborough said that staff are broadly aware of their responsibilities around information security, especially when it comes to data on members of the public. But he argued that education was critical to ensure that colleagues used the most secure practical option, such as SFTP rather than FTP.
This, again, depends on speaking in a language everyone understands. McKinlay found that running sessions on helping staff secure their home computers or personal devices was an effective way of educating them to use secure options at work too.
But Geoff Harris, international board director at the Information Systems Security Association, said that it is usually the most highly regulated companies – such as those in financial services – that perform best when it comes to following security best practices. In other sectors, however, performance is less good.
As a result, measures such as the UK's Department of Business, Industry and Skills' 10 Steps to Cybersecurity are welcome. "Government is doing its bit, but when I go into organizations, it strikes me how often they have not addressed the risks of infosecurity threats, where their assets are, and how to protect them."
The panel agreed that to change this, information security needs to move out of the depths of the IT department, and adopt a more visible role. "As an information security officer quite low down in IT, I struggled to get the message beyond the IT director," said McKinlay. "As IS assurance manager, I report to the risk director, and that is a very important step."
If information security specialists focus on IT rather than on the business, they run the risk that their messages are not so much ignored as overlooked, panelists cautioned. It may well fall to CISOs to work out their own most effective reporting lines. "You should report to wherever it is going to be most effective," recommended John Colley, managing director, EMEA, for (ISC)².