Protecting business information--the most basic element in any business--should be the priority of firms in ensuring security and managing risks in their organizations, data from a global information security survey conducted by Ernst & Young revealed recently.
"The conventional way of handling security issues doesn't work anymore," asserted Gerry Chng, Far East Area information security champion, Ernst & Young. Chng said focusing on infrastructure, keeping the bad guys out, point-in-time security posturing, and focusing on compliance are just some of the security measures that don't apply anymore, considering the emergence of new technology.
The call for focusing on the information itself stemmed from various incidents last year when massive data was stolen from companies due to lax security. "Businesses need to protect the information themselves, not just the laptops, or the network," Chng stressed. "They need to focus on the information, and not just the hardware or the software because they are mere enablers to protect business information."
The survey, conducted from June 1 to July 31 in 2009 with 1,865 organizations polled in 61 countries, likewise found that emerging technologies are not only drastically changing the way businesses do their work, but how security is handled as well.
Chng emphasized the emergence of cloud computing as a prime example of the survey's point, saying it brings new challenges especially because the data doesn't reside within the firms' premises. "Cloud computing is heavily reliant on the Internet, so business continuity needs to be re-thought if ever connectivity goes down," he pointed out. "There will also be an increased demand for mobility from users, although it is expected that they would still want information residing on their physical machines."
The issue of compliance, on the other hand, is a rather tricky subject, according to Chng, especially if it becomes the primary driver for information security. "Security compliance is expensive, but can be very helpful. It, however, is not sustainable," he admitted, emphasizing that the best strategy is to understand the intent behind careful requirements, with compliance being a by-product of good security practices.
"Compliance doesn't necessarily result in good security," the security champion noted, sharing the example of Heartland Payment Systems, which experienced a security breach leaking 130 million contact records of its customers despite being security compliant.
"A good information security strategy should incorporate four things: proactive security management rather than point-in-time compliance; cost-effective security initiatives to meet regulatory requirements; within the bounds of operational challenges; and capacity to address risks from emerging technologies," Chng said.