SIR – The problem with most security companies is that they are very product-driven. The client names their security ‘problem’, and the company can offer a product or service to ‘fix’ it. Good products can help – but they can also be a placebo lulling the end user, quite literally, into a false sense of security.

If the information security regime is to be improved in any given organisation, what is needed up front is full recognition that information security is a ‘whole business’ issue and not something solely confined to the IT Department.

A standard framework such as BS 7799 outlines good security practice that suits most types of organisation. The first step within any such framework is to understand the information you are trying to protect. To do that, you need to comprehend what information you have at your disposal, what its value is, what threats it is open to and the likely consequences if any of this information is compromised at any stage.

Here, of course, I’m referring directly to the risk assessment. By completing this assessment the end user may determine what IT security issues need to be addressed, what the priorities are for his or her organisation and where elements of the budget are going to be spent.

Once the end user understands the information at their disposal, the next step is to examine how that information ‘flows’ through the business. An IT-focused approach will probably identify any number of products to secure the necessary information in the place where it is normally stored. That said, unless there is an understanding of where and how that information moves in the organisation, you are faced with a ‘weakest link’-type scenario. Put simply, a weak spot in one area will compromise your entire investment in another.

The major point about looking at information security rather than just IT security is that plugging the security holes is not simply about products. What makes the biggest and most positive impact in shaping a secure environment is moulding employee behaviour such that best security practice is built into the standard operating procedures and culture of the company.

Formal policies and guidelines are a fine starting point, but they must always be backed up by training, enforcement and reinforcement to prevent any behavioural lapses.