A brave new Europe?

http://www.securitymanager.net/magazine/article_462_new_europe.html

There is a growing realisation among organisations, be they large or small, that they need to focus on 'what they do best' but also explore new initiatives. More than ever, this dichotomy involves both productivity and revenue optimisation, yet it can be somewhat unsettling. For instance, how do you leverage the relationships you have invested considerable resources in without 'opening' the door to unwanted guests? With the drive for new areas of growth, it is apparent that organisations need to protect themselves from the potential financial and productivity losses, not to mention the downtime, caused by the challenges of extending the enterprise. In a recent European survey conducted by IDC, respondents were asked to rate the challenge associated with a wide variety of potential IT issues on a scale from 1 to 5, with 1 representing no significance and 5 very high significance. Security was stated as the top challenge moving forward, with three quarters of respondents ranking it as significant or higher and a full 38% of respondents rating it as of the highest significance (value 5). While the rush of the late nineties might have been to connect fast, the reality of today seems to be to connect securely. This heightened importance is reflected across the major economies of Europe, as shown in Figure 1.
Figure 1: How significant is security in terms of IT challenge?
Security adoption, however, remains fear-driven in Western Europe thus far, with 45% of respondents rating the risk of a major security breach as highly significant (5 out of 5), while security audit results (identifying security gaps) are given considerable weight in 23% of European organisations.
Figure 2: Excluding physical security to the business premises, how significant would you say the following factors are in influencing your security infrastructure?
Historically, investment in security has been very reactive. This can be attributed to a lack of awareness, as well as a lack of data and models to assist in justifying business cases and planned investment in security. Many investments in IT security are still in response to unauthorised access or malicious activity occurring, but there is evidence that security is increasingly being viewed as more strategic by select corporations, especially those that pursue an integrated Web-enabled strategy.
As organisations recognise that the security threat is more than just a virus or breach issue, we are seeing an increased appreciation of the breadth of the security challenge. Figure 2 shows another clear trend correlated to the types of challenges organisations face; that is, the distinction between threat-led and strategic-led security spending. For instance, risk drivers, being the most prevalent today, are reactionary and more operational in nature, arising from either an internal review of existing systems or external market forces. Enabling drivers, on the other hand, are more aligned with forward-thinking objectives and thus could be considered strategic investment rather than mere spending. Still, the way forward may not always be clear. Combined with the diversity of the individual technologies that are used to address these security challenges, organisations are facing an environment growing in complexity.
The Changing Security Paradigm
Essentially, organisations are investing in IT security in an attempt to protect corporate assets and mitigate risk. To achieve these goals, however, organisations need to identify both the assets they are trying to protect and the level of risk they are willing to bear on those assets. By examining the risk factor according to business principles, organisations are better able to determine which assets are most valuable to them and how much they should spend on protecting them. This solution-based view of security has subsequently led to demand for services around consulting, assessment and management to address security risks.
Increasingly, organisations seeking competitive advantage from investments made to extend the enterprise will need to move away from a reactive into a more proactive mindset by designing a security culture that addresses the longer-term objectives of their business.
Asset Optimisation Versus Risk Mitigation
Without question, as more and more business opportunities lie "outside the firewall", security needs increase as companies open their internal business processes to outsiders. This fact will force companies to develop a more holistic approach to security, and it will push the demand for security expertise to deliver an all-encompassing solution based on business need – not the reverse.
What is the holistic approach to security?
Holistic security means making security part of everything and not merely a separate function. This bottom-up approach ensures security isn't merely added to the enterprise; it becomes embedded in all processes that enable business goals to move forward. In this way, rather than a necessary cost, security becomes an enabler. This has been driven by the need for enterprises to expand 'trusted relationships' with customers, partners, suppliers and channels. To improve security you will need to know more about who is being authorised and what they are authorised to do, as well as have a level of assurance that all of this is being done properly. For instance, as security becomes ubiquitous, people will improve the processes that allow them to work more productively.
IDC's ongoing research amongst IT managers from establishments actively engaged in e-business reveals significant security solution "critical decision factors". These factors are a reflection of the effort to balance widening access and effective security. They include:
- Protecting assets from hacking by avoiding embarrassing Internet exposure and maintaining reputation.
- Integrating the security infrastructure by ensuring that the typically wide range of security products work together seamlessly and without excessive administration overhead from a single point of accountability.
- Enabling widened access to formerly "inside-only" content and applications to valued stakeholders while preventing unauthorised access both externally and within the organisation by ensuring valid credentials.
- Supporting e-business openness by ensuring that security does not block key business objectives with, for example, ease-of-use issues for external users or time-to-market delays for e-commerce business managers.
What's needed, then, is a roadmap for developing a holistic approach to IT security, not looking at IT security as a set of isolated tools designed to address specific issues as they arise, but rather as a total solution which considers all aspects and addresses corporate/organisational imperatives for business continuity, confidentiality and privacy, among other things. This brings security into the bigger picture of risk assessment and management in general. More specifically, a typical enterprise must address three distinct yet interwoven risk areas:
- Physical Security
- Information / Transactional Security
- Business Continuity
While this study sets out to address information security only, it is nonetheless essential to keep in mind that security is part of a "greater" picture and, as such, can move issues out of the IT department alone.
Where do I begin?
The place to start, then, is by undertaking an evaluation of risk, both prior to implementing security processes and solutions and on an ongoing basis afterwards. In formulating the proactive plan necessary to implement effective IT security, many professional security product and service vendors recommend a risk assessment exercise in order to identify assets, threats and vulnerabilities, and to develop a risk-minimised posture. In this way, the scope of the risk at hand and the resources needed can be earmarked. By extending this to the strategic goals of the organisation, a plan can be drawn up to prioritise the move towards holistic security in a step-wise manner.
European organisations need to ensure that investment decisions are made as a result of co-operation between the business side and the technology side, that is, between the CEO and the CIO. Because the key issues around security investment are more strategic today, rather than the technological push of only a few years back, the support of top management, including the board, is crucial to the success of any security initiative. This is particularly the case when considering the overall size of security investments. In general, as security moves from point solutions to holistic solutions, they quickly "outgrow" the decision making of IT departments in isolation. While technology may be the facilitator to a desired end state, it is overall senior management attention that will ensure strategic alignment.
The study now strives to reinforce the above views by looking at technologies, solutions and selected practical examples in the market today. To this end, the remainder of the white paper is divided into two distinct sections:
- Laying the Foundation looks at the here-and-now with security implementation levels today and solutions to address asset protection and secure access.
- Future Outlook then looks towards the design of new processes and future enablement most notably secure e-business and partnering.
To be continued in the next weeks...
Published: 05/2004
Author: IDC / Steria
An IDC White Paper commissioned by Steria.