[ISN] Reef the Mains, Storm Jibs Ready

Subject: [ISN] Reef the Mains, Storm Jibs Ready
Date: Thu, 8 Dec 2005 09:05:14 -0600 (CST)
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=3147&pubid=5&issueid=76

By Victoria Ho
CIO Asia
December 2005

"Security trends have constantly been on the top three lists in
magazines and surveys," said George Wang, Chief Information Security
Officer, Asia, Reuters Asia Pte. Ltd., in his keynote speech at the
IDG World Expo SecurityWorld Conference & Showcase in Singapore last
month. This indicates just how much priority IT professionals place on
security, which was also reflected in the full house at the day-long
event.

Addressing the issue of security failure, Wang attributed it to three
factors: people concentrating too much on security itself, security
measures not aligned with business strategy, and the existence of a
communication gap between senior management and IT professionals.


All Out of Magic Bullets

Seeing the "big picture", he said, begins with positioning - that is,
establishing a security position that suited both company resources
and business direction. "It has to be a long-term commitment and
sustainable," he said. Along the lines of business strategy, the
plethora of factors requiring consideration stretches from corporate
positioning to the culture of the organisation.

"Does your risk strategy suit your company's security culture?" asked
Wang. Battling with legalities and regulations sometimes places a
damper on an organisation's capacity to pursue the right security
measure. Proper risk assessment is also crucial in establishing what a
company's "risk appetite" is: how much risk it can comfortably afford
to handle within its security plan.

Corporate culture is important too, he said. He addressed the problem
of the communication gap that exists between senior management and the
executives proposing the security measures, saying that the problem
lay with ineffective explanation of security objectives. Senior
management is often not aware or concerned with the measures.
"Transform management into stakeholders," he recommended, so as to
place personal interest in the hands of management.

This transparency he advocates is seen in his other measures for clear
and elaborate communication: not just upwards with management, but
across the departments as well, "so that security gets embedded in the
value chain."

Engaging the entire organisation involves the technical people as well
as Legal, Human Resources and even Public Relations (PR).

Wang pointed out the importance of preparing a PR strategy to handle
situations, be it an emergency or simply to better communicate with
clients, in conveying the organisation's security strategy, or
collecting their opinions and additional requests.

Customising the company's security policy in this way also creates a
uniqueness Wang feels is necessary for an organisation to work.
"Conventional best security practices do not make strategy. These are
tactics, applicable to all," said Wang. "Strategy is unique to your
organisation."

This brought him back to his earlier point on sustainability, because
only through customisation would a company be in a better position to
tailor its solution to its resources. It may be elementary, but it is
still worth highlighting how pointless it is to shoulder a security
policy that has a short life span and drains the resources of a
company, no matter how watertight or textbook-perfect it might appear
to be.

[...]
