For years, many enterprises have viewed IT security as a costly extra that has to be endured as a way to reduce risk, without providing any other value to the business. In recent years the risk-controlling aspect of IT security has become more important than ever, while IT security has also started to become a business enabler that adds value to the enterprise.
Recent estimates show that cybercrime costs the UK economy alone £27 billion every year. In January 2012, the World Economic Forum’s Global Risks 2012 annual report named cyber attacks as a top-five risk and the UK government raised cyber security to a Tier 1 risk to the nation. It is in the interest of every enterprise to put in place processes to prevent successful cyber attacks.
At the same time, the right security framework can very quickly help an enterprise become more competitive by enabling it to respond to changing market trends and customer demands. Security can, in fact, be an enabler of innovation. When a proactive attitude is taken to IT security, and it is woven into the culture of the enterprise, it can ensure that the business is agile, growing and becoming more innovative. An enterprise that can adapt to change also establishes confidence within its own staff and customer base, and is able to support its growth.
A properly planned IT security strategy, with support from the board, provides an enterprise with a solid security framework that is planned for growth. With a consistent, scalable security foundation and a plan to build on it, there is less need for knee-jerk reactions as change happens.
Planning ahead will ensure that your enterprise has an efficient methodology to manage the impact of change before problems are encountered. Building this type of IT security framework will enable your enterprise to launch entirely new business initiatives swiftly. Being an early adopter of emerging technologies is necessary to gain competitive advantage. And instead of whingeing on the sidelines when new government regulations are introduced, you will be able to comply with them more securely and cost-effectively because you have anticipated them. This also allows you to take advantage of the new dynamism in your business as you leave the competition behind.
You have to ensure that your enterprise culture is open to innovation. The most successful companies are the ones that are cautiously open to innovation. It is generally the case that in any company culture, the more restrictions you apply, the less you promote innovation. Innovation requires a certain amount of freedom; however, this needs to be outlined and the limits carefully delineated. Compliance and regulatory frameworks have to be in place, but they do not have to be imposed heavy-handedly.
There are many ways to implement innovative strategies, and this matters particularly when employees may be resistant to new ideas because those ideas restrict, or are perceived to restrict, freedoms that they already have. There are ways to break down this resistance. For example, if your sales teams are using unsafe methods of communicating with the office while they’re on the road, you should research which tools would be better for the enterprise and which of them the teams would use with the least resistance. At the same time, an appropriate awareness program should explain that following security in practice, and being able to prove it, makes the enterprise look more trusted to potential clients, helping the sales team achieve its goals.
To take a wider view of this example: in the early days of the Bring Your Own Device (BYOD) trend, most IT security departments considered the technology far too insecure to use and attempted to prohibit it. Later they realized that it is a law of physics that water will find its own level; they accepted that BYOD was there and that they should find ways to enable it through IT security controls.
There are management processes that have to be in place to ensure the IT security of an organisation, and some of these are being deployed to deal with the risks of BYOD. Employees like to feel they can bring in their devices and connect them to the network. Talking about Google, Douglas Merrill, one of its former chief information officers, said, “Studies show that employees can increase company returns when they have the freedom to innovate by trying new software and new workflows. However, those returns disappear when employees are made to feel that their activities are illicit.”
As an example of how companies can give workers freedom without compromising security, Merrill described his experience at Google. “Google’s engineering culture was all about working the way you want to work,” he said. Employees could use any operating system and work from any convenient location – the office, home, a coffee shop, or wherever. As a result, it was impractical to rely on traditional security solutions, such as installing antivirus software on each device employees used.
Instead, Merrill said, Google addressed security by building up its infrastructure. For example, the company put antivirus protection on its mail server, which is the main source of viruses that infect the network. They also watched their network traffic patterns for any unusual spikes. Merrill said that enterprises need to find new ways to accommodate employees, while also securing their systems. Trying to change behaviour, like asking employees to stop using instant messaging or Gmail, only stands to stifle innovation.
IT security departments need to be aware of what their employees are up to and what is actually happening on the network.