Comment: Security must emerge from the shadows

“Organizations will benefit from bringing IT security out of the shadows and educating employees on the risks and the protection in place”, says Clearswift’s Wyatt
Ensuring that a robust IT security setup is in place is a key priority for businesses today. However, look at any IT security vendor these days, and it’s likely the firm’s positioning in the market will be built, to a greater or lesser extent, on stopping and blocking threats and dangers – from a warning about a virus, a report issued on the insider threat, whatever it might be. The fact is that much of the security sector appears to rely on fear and negativity to sell.

And, sadly, this approach seems to be having a detrimental impact on the organisations they sell to. Far too many organisations approach IT security in a primarily fear-driven manner, and as for their IT policies, the vast majority are documents issued to employees when they join a firm, never to be seen again.

This has got to change.

The business IT landscape is now transforming at a more rapid pace than it has for many years. Just as Web 1.0 revolutionised the way we do business in the 1990s, Web 2.0 is now being adopted in the workplace at an ever-accelerating speed.

Recent research into attitudes towards collaborative web technologies in the workplace showed that more than half of business managers believe web collaboration technology is now ‘critical’ to the future success of their business.

Furthermore, it’s not just talking the talk: compared to 2007, when just 11% of businesses were making use of Web 2.0 technologies, over two-thirds of companies now allow use of web collaboration or social media tools in the workplace.

Quite a major shift, and one that is making a significant impact on the way employees use IT. But traditional stop-and-block security simply does not work within this new world. It doesn’t take into account the varying requirements of different departments or job roles, and it completely ignores the fact that many businesses do not want to completely cut off employees’ use of such tools. In fact, many businesses see considerable opportunity in making use of the contacts and influence offered by the social networks of their workforce.

IT security in this Web 2.0 world requires a new appreciation of security as more than just a cost. Businesses need to realise that modern IT security presents a real and measurable business value. This might include opportunities to engage new audiences, the ability to improve and enhance customer relationships and communication, and improved staff morale.

Security software alone, however, will never prove the most effective approach, or at least it will never enable organisations to realise the full value of security.

To be really effective, businesses need to demonstrate a shift-change in the way IT security is approached throughout the business. Often, that starts with the company IT policy.

It’s time for companies to get to grips with making a policy a living, breathing part of their business, something that is relevant to everyday corporate life and not just a tick in the box when it comes to an induction period (a third of those recently surveyed by Clearswift had not received any training on IT security since joining their firm).

All too often, a policy is simply a document that is referred to only when something goes wrong – almost proof that someone ‘should have known better’. There is little or no point in having an IT security policy in place unless staff across the business are fully aware of it and, more importantly, understand the reasons why the rules are in place.

Organizations will benefit from bringing IT security out of the shadows and educating employees on the risks and the protection in place. Security should not be a cloak-and-dagger affair, or driven by fear and reprisals. It should be open, visible, evolving and engaging – above all it should be born out of knowledge and understanding.

The old-fashioned approach to IT security born out of fear and concern is just a hindrance in today’s enterprises. There is little or no point in having an established IT security policy unless staff across the business are fully aware of it and, more importantly, understand the reasons why the rules are in place. Policy, not policing, is the answer to ensure confidence is well placed to tackle the challenges that organisations face.



Andrew Wyatt joined Clearswift from Nokia Siemens Networks, bringing with him over 20 years of experience in the technology sector. Andrew was instrumental in developing Apertio into a world-leading telecoms infrastructure vendor, leading to its acquisition by Nokia Siemens Networks in 2008. He was also part of the executive team at Paragon Software, driving its record sale to Phone.com (now Openwave Systems) in 2000. Prior to this Andrew spent many years at Lotus Development in various sales, marketing and engineering roles in the US and international markets.
