Navigating the decision-making process for an IT security engagement

The changing IT environment puts businesses at increasing risk of security breaches unless they can effectively navigate the evaluation, purchase, implementation and ongoing management of their IT security engagement – both solutions and processes.

New technologies such as cloud, mobile and big data are enabling digital organisations, which rely on technology not simply to support operations but to drive business outcomes. These outcomes may include improved productivity, increased revenue, service innovation and competitive advantage.

As a result, systems and data have never been more valuable or at risk of attack. What’s more, the threats are changing daily, making the evaluation and purchase of IT security solutions a complicated and challenging endeavour.

Here is how you can navigate the decision-making process for an IT security engagement:

1. What is the organisation’s IT security risk tolerance?

When the bulk of a company’s technology was on-premises, any data classified as confidential could be placed behind a firewall. Today, maintaining very strong defences for all data and systems is simply too costly. So, a risk analysis is in order to determine the likelihood of each risk, estimate its potential impact and decide on mitigation strategies.

2. What new tools are available to improve security?

It’s important to consider newly available tools when updating IT security. Firewalls may not be a complete technology solution anymore, but they are still a critical piece of the toolkit. Companies may need to update their firewall, though, as the function has evolved from filtering traffic based on packet inspection to restricting traffic based on an understanding of application behaviour. Beyond the firewall, there are many new tools and techniques that a business might employ as it expands its IT footprint, such as data loss prevention (DLP), identity and access management (IAM) and enterprise security intelligence (ESI).

3. How is the human element addressed?

Another key variable in today’s security equation is the human element. Employees who do not follow policy, or who simply lack the expertise to notice security issues with the technology they are using, are usually the main cause of security breaches. This isn’t malicious behaviour on the part of these employees but, simply, an indication that they lack awareness. The obvious solution to this problem is educating employees, but companies may need help delivering such training. Technology may provide some assistance with mitigating the human element but, ultimately, training and policy will need to be updated to reduce the security risk.

4. What is the organisation’s current IT security risk profile?

One of the best ways to assess this is to engage a third-party security consultant. Professional auditors have both detailed security knowledge and real-world experience to help discover which security holes exist in an IT environment and which ones should be patched based on a company’s risk tolerance. If the organisation isn’t willing or able to invest in an external audit, the alternative is a self-assessment to get a sense of where the company stands on the path to best practices.

Moheb Moses, ANZ Community Director, CompTIA