From IT Security to Information Security — How Technology Is Not The Greatest Challenge in Protecting Your Information Online

Michael Rothery, First Assistance Secretary for National Security Resilience Policy at Department of the Attorney General says that in order to deliver effective security and risk management the key question is "Who owns the risk?".

The challenge, in Rothery's view, is that senior executives see this as a technical problem and so appoint technical experts. Measured against the Corporations Act, he says, that is a fair translation of how to act upon information risks.

However, "the risk owner is the whole of the enterprise", he said. And that means taking a different view that is not solely focussed on the technical elements. This is because it is not well understood that the information and its security is a corporate conversation and not just a technical one.

Many senior executives, Rothery said, believe that having delegated the responsibility to experts, their regulatory and statutory obligations are being met.

From conversations he has had with CIOs across different industries, Rothery says that they often feel caught in an impossible situation. The business is hungry for "increasing convenience, reaching customers online, bring your own device for staff, the cloud and wireless hotspots".

But in the same conversations, CIOs are being asked to cut budgets and deliver all this with improved security.

"The key fundamental thing we notice in the companies that have a relatively high level of cybersecurity maturity is this issue of understanding the value of information", he said.

"The easiest way to get the attention of boards is if you can monetise the value of information", he added. This means the CIO and the rest of the business are talking the same language - the "language of dollars".

One of the challenges for CIOs is that traditionally the value of IT has been measured by the functionality of systems rather than the data they handle.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Protecting information is a balancing act between confidentiality, integrity and availability. Information can be private today and public tomorrow, but there is still a need to ensure it isn't tampered with once it's in the public domain. Rothery believes that putting the data conversation in these terms can overcome the gap between the technology and business functions.

This leads to the establishment of an "information ecosystem". Rothery said, "We're not hearing IT security, we're not hearing perimeter. We're hearing about information and information ecosystem".

By thinking in these terms, rather than in system or security terms, the message of security can be aligned more closely with the operation of the business.

One of the other issues raised by Rothery was how much of the data businesses rely on is no longer held strictly within the central systems of the business. Citing the example of an airline, he noted that ticketing systems, catering services, air traffic control, luggage handling and many other systems are run by parties that work with the airline.

These sorts of close alliances are critical to many organisations. And the increased focus on information security is likely to lead to changes in how service agreements are negotiated and maintained.

Rothery said that agreements won’t just be about compliance with security requirements but will involve opening systems so that partners can see into each other's systems. For example, some customers might require access directly into service provider systems in order to see that appropriate information security measures are in place rather than simply accepting the service provider's word.

In many cases, Rothery said that SMBs felt compelled to sign contracts with security provisions but lack the capability to deliver on those obligations. This might lead to new models where the customer provides the SMB with a development environment or security expertise in order to access the SMB's services or capabilities.

This will require increasing maturity as parties become more engaged in the information ecosystem according to Rothery. This extends to cloud providers who, he says, are improving in their openness. Whereas the locations of data centres and how systems were configured were closely held secrets in the past, many cloud providers are now more open and will share that information with customers.
