People are your best defence

Look beyond encryption and focus on training for good data protection

Jonathan Penn, Computing 24 Jul 2008

As many as 81 per cent of chief information security officers (CISOs) rank data protection as an important or very important priority for their organisation during the next year, according to Forrester Research.

The prioritisation of data protection is correct, as few IT issues, let alone IT security issues, have achieved such interest at the executive level.

Data security is a top priority because breaches can be incredibly costly. If you collect sensitive customer data, you are not only bound by regulatory and legal requirements, but also by potential fines and legal costs.

In addition, breaches of corporate intellectual property or other sensitive corporate data might not make the headlines, but they can have a catastrophic business impact.

CISOs often view data protection as desktop and storage-level encryption, and perhaps deploy data leak prevention technologies.

While these have their place, what is missing, or not emphasised, is the process and people aspect of data security: application security, training and awareness.

Many security professionals who grew up concentrating on infrastructure are unaware of the types of development environments and processes that are now dominant.

And as with any unfamiliar technology area, security leaders hold a diminished level of influence. CISOs often struggle to establish application security processes as part of a company’s software development lifecycle.

Application developers often view security as an annoying layer of cost and inconvenience. Security controls can slow application development and testing, and reduce the actual performance of tools.

With data security now a high priority, there are strong arguments in favour of a more proactive approach to application security. Applications are the primary target of hackers: roughly two-thirds of vulnerabilities discovered by Symantec are web application-related.

Estimates from the National Institute of Standards and Technology have also shown that fixing vulnerabilities after applications are developed can cost up to 30 times more than fixing them during the design phase.

Given the inevitability of vulnerabilities and the trends in hacker behaviour, there are clear risk and cost arguments for proactive application security: finding and fixing vulnerabilities as early in the development process as possible.

Security training and awareness is another area that is rightfully getting more attention, because the little training that does take place is usually superficial.

Your workers serve as a critical line of defence, and security training ties directly into the effectiveness of other initiatives.

For example, incident management equips the organisation to deal with unforeseen events, so a lack of training will result in chaos and confusion at the time of security breaches.

Lack of training also leads to unreported security incidents. Many people do not know what activities should be viewed with suspicion, or whether to report them.

Both endeavours, application security and training, promise to enhance data security, deliver good return on investment and improve programme effectiveness.

Jonathan Penn is vice president of security and risk management at Forrester Research. Computing readers can download free Forrester reports at:
www.forrester.com/computinguk
