Security on a shoestring

Whenever information security is mentioned within most organizations there is a collective groan: the board doesn't want to engage, staff don't want to be encumbered, and the IT department often lacks the guidance to implement anything effective.

From a security professional's perspective the most disappointing factor is the board's unwillingness to participate in this vital part of their business. Information security is often perceived as a disabler or an unnecessary expense, which in turn dissuades business leaders from proper and necessary involvement. Neither perception is correct. Security is not a product, it is a process, and it can be tailored to budget and business need, provided that its implementation is proportionate, structured and fully supported by senior management.

Often the assumption is that protection is only delivered by wholesale security across every aspect of the business. Faced with that, organizations gamble on never being attacked, preferring no security at all to the effort required to deliver what they understand security to be.

Information is one of an organization's biggest assets: for some it is the entire business output, for most it underpins the bulk of what the business does. Without information most businesses are paralyzed, resulting in immediate or gradual decline and eventual closure. It is therefore imperative that all businesses, regardless of size or sector, implement information security measures commensurate with the impact that data loss would have on their ability to continue trading.

Security must be proportionate, since embedding effective security practices within a business requires effort to implement and maintain, and that effort needs support from the very top of the organization. The effectiveness of those measures must also be judged and agreed against a recognized standard if they are to carry any meaning outside the organization.

Traditionally, this has not been cheap, especially since information security entrusts the majority of the protection effort to technology, and the most frequently adopted standards are expensive to implement and subjective in their validation. Subjectivity introduces an element of chance that investment will not result in certification, which fosters a culture of over-engineered implementation and added expense.

To be attractive, security needs to be cheap to implement, validate, verify and maintain. But cheap must never mean sub-standard and this is the point at which the balance must be struck.

Sound, clear and endorsed policies are a low-cost way of setting all security onto a firm base. There is little value in investing in technology if no clear idea exists of what it is expected to achieve. Starting with the basics can remove the need for some of that expensive technology, or put it to better use elsewhere, reducing the cost of implementation and maintenance. All good security, and information security is no exception, must be structured and coherent; security by chance isn't security, it's just chance. It is a tired cliché that a consultant is someone who charges to tell you something you already know; however, just because something is known doesn't mean it is managed.

Small, manageable and clearly articulated steps can deliver security of information to a degree dictated by its value, with minimal impact on the business. Incremental delivery of security measures allows small, financially constrained organizations to protect their information assets as effectively as a global conglomerate. Rather than the £1000 safe to protect a £10 note approach, workable processes aligned with the value of the information are just as effective at providing a secure environment as technology.

Delivering security in progressively stricter increments also offers flexibility: measures can be extended to meet new business opportunities and adapted to counter new threats. Objective validation will also reduce cost, since the measures an objective standard requires can be clearly enumerated, allowing the investment needed to achieve them to be finely judged. A means of reducing risk that is effective, manageable, incremental and cheap; anyone on the board interested in information security now?
