What price that knight in shining armour?

In a recent ACN interview Sabri Al-Azazi, CIO, Dubai Holding, typified the quandary IT finds itself today when it comes to security: an organisation’s business needs for agility and to operate in open and mobile environments have to be balanced with its security obligations to its stakeholders. Dubai Holding has adopted an open chequebook approach to security in that it will spend what is necessary providing the solution can be justified and it does not impact the group’s business flexibility. It’s a fine balancing act.

By Colin Edwards. Published February 27, 2006


Do you give business growth enablers such as mobile access free rein at the risk of compromising your data assets, or do you put on the heavy security armoury that will weigh down your company’s agility?

To date, weighing up the pros and cons of different security measures has been a somewhat subjective ‘thumb-suck’ at worst and a difficult, imprecise task at best. Perhaps it is time to use both quantitative and qualitative metrics to get a better view of IT risks and what needs to be done to control them, especially as there is now a third element to weighing up security measures — regulatory compliance.

It was a topic that came up at the annual RSA conference last month. Delegates were urged to start using metrics to make security decisions, but to keep any such methodologies simple and not get too preoccupied with the quality of the data.

The metrics approach, in so far as it can be summarised in this column, demands that you audit your core information systems and classify them on a scale of, say, 1-to-10 according to their importance to the business and the impact, in terms of disruption or actual losses, that a security breach might have on them. Similar measurements are made for the threats and vulnerabilities affecting each system and the likelihood of their being exploited.

The goal of using metrics for security assessment and needs is to prioritise security threats and vulnerabilities according to the degree of risk they might pose to a company’s IT assets. CIOs can then start to focus their physical and financial resources more effectively as they are in a better position to judge if they are putting the right amount of money into their security programmes.

It ends up being a risk-based decision where you have to weigh up the business impact of threats and vulnerabilities to core systems should a security exploit occur. In some cases, areas you thought might have needed heavy security are, in fact, not that vulnerable and any action beyond common sense security might prove an expensive overkill.
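As an added illustration, not part of the column and not a method the column or the RSA delegates prescribed, the script below turns that 1-to-10 audit into a ranked risk register and flags the “expensive overkill” case the column describes: systems that score high on business importance but low on actual risk. The combining formula, the band thresholds and the five sample systems are assumptions made for this example.

```python
"""Simple risk-metrics register (illustrative; formula and data are assumed).

Each core system is scored 1-to-10, as the column suggests, on business
importance, breach impact, threat, vulnerability and likelihood of exploit.
Risk is then (importance + impact) * threat * vulnerability * likelihood / 200,
which keeps the result on a 0-to-100 scale. The formula and the band
thresholds are assumptions for this example, not a published standard.
"""
from dataclasses import dataclass, fields

SCALE_MIN, SCALE_MAX = 1, 10


@dataclass(frozen=True)
class SystemAssessment:
    name: str
    importance: int     # importance of the system to the business (1-10)
    impact: int         # disruption or loss a breach would cause (1-10)
    threat: int         # strength of the threats facing it (1-10)
    vulnerability: int  # how exposed the system is (1-10)
    likelihood: int     # how likely exploitation of that exposure is (1-10)


def _validate(a: SystemAssessment) -> None:
    """Reject scores outside the agreed scale so one bad entry cannot skew the ranking."""
    for f in fields(a):
        if f.type is int:
            value = getattr(a, f.name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{a.name}: {f.name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")


def business_weight(a: SystemAssessment) -> float:
    """Average of importance and impact: how much the business stands to lose."""
    _validate(a)
    return (a.importance + a.impact) / 2


def risk_score(a: SystemAssessment) -> float:
    """Business weight times exposure, scaled to 0-100 (assumed formula)."""
    _validate(a)
    numerator = (a.importance + a.impact) * a.threat * a.vulnerability * a.likelihood
    return round(numerator / 200, 2)


def risk_band(score: float) -> str:
    """Map a score to a spending posture; thresholds are assumptions."""
    if score >= 25:
        return "high: fund dedicated controls"
    if score >= 10:
        return "medium: targeted controls"
    return "low: common-sense security only"


def prioritise(assessments):
    """Rank systems by risk, highest first, so budget follows actual exposure."""
    ranked = [(a.name, risk_score(a), risk_band(risk_score(a))) for a in assessments]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def overkill_candidates(assessments):
    """Systems that feel critical (weight >= 7) but sit in the low band:
    the column's 'areas you thought needed heavy security'."""
    return [a.name for a in assessments
            if business_weight(a) >= 7 and risk_score(a) < 10]


# Constructed sample audit; the systems and scores are made up for this example.
SAMPLE_SYSTEMS = [
    SystemAssessment("ERP", importance=9, impact=9, threat=6, vulnerability=3, likelihood=4),
    SystemAssessment("Customer web portal", importance=7, impact=8, threat=9, vulnerability=7, likelihood=8),
    SystemAssessment("Field sales mobile access", importance=6, impact=5, threat=7, vulnerability=8, likelihood=7),
    SystemAssessment("Internal wiki", importance=3, impact=2, threat=4, vulnerability=6, likelihood=5),
    SystemAssessment("Archived finance records", importance=8, impact=9, threat=2, vulnerability=2, likelihood=2),
]

if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE_SYSTEMS):
        print(f"{score:6.2f}  {name:28s} {band}")
    print("Possible overkill:", ", ".join(overkill_candidates(SAMPLE_SYSTEMS)))
```

Run as-is it lists the mobile-access portal and field sales access first, which is where the column’s agility-versus-security tension actually lives, and flags the ERP and the archived records as places where spend beyond common-sense controls would buy little. The scale values are what the audit produces; the formula and thresholds should be agreed with the business before any figure drives a budget.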

Security vendors will have you spend as much as you can on security, but in reality perhaps you should be thinking of investigating how this metrics approach can be applied to your organisation so that you start spending just enough on security — not more — not less.
