Undetected risk is unmanaged risk, and unmanaged risk can easily become the death blow for an enterprise.
ICT today - global connectivity, universal threats
If you're like many businesses, there's probably significant undetected, unmanaged risk in your ICT operations. The time to get on top of this is now, and you don't need to be a technologist to do this. But executives and managers at all levels do need to understand how to make and monitor decisions about IT security and - crucially - how to best deal with information security risk.
Managing the dual burden of threat and compliance
Consider two key factors. First, while global threats to information security are mounting, companies are not adequately protecting themselves. The UK Government's 2008 Information Security Breaches Survey reveals that 13% of respondents had detected unauthorised outsiders within their network; 21% of organisations spend less than 1% of their ICT budget on information security; 52% of organisations do not conduct formal risk assessments; and 79% of organisations are not aware of the contents of security "best practice" quality standards such as BS7799/ISO27001.
The second factor is the compliance environment. What was once a trickle of computer- and privacy-related regulation has become a flood, creating significant compliance requirements.
To meet this dual challenge, organisations must take a more strategic view of information security.
And a strategic approach is, in most cases, the antithesis of what organisations are doing now. Over a period of perhaps 10 years, a typical company encounters a series of ICT security problems that drive the tactical acquisition of remedies: antispam, antivirus, application access control, authentication systems, VPN encryption… the list, and the spend, goes on.
This is what's called a threat-based IT security investment strategy. But it's not strategic, it's reactive spending -- and it's dangerously inadequate, because it frequently leaves vital business operations, processes and data unprotected.
A strategic approach to information security is different. It sees top managers developing a clear understanding of which IT processes underlie vital business processes, and taking considered steps to provide priority-based protection to systems.
Benchmarking your business is vital
One way for companies to break old habits, and begin to think strategically about IT investment, is to work towards a standard for information security management (read more about eircom's approach to standardisation here).
Britain piloted the world’s first standard (BS7799) for Information Security Management (ISM) and this has been internationalised as part of the ISO/IEC 27000 standards. ISO 27001 now contains international best practice for information security management, and already 11% of organisations have implemented ISO27001.
Adopting standardisation helps you do the following:
- Confirm IT security as an executive priority: Signal to yourself, your board and your C-level colleagues an organisational commitment to IT security by announcing your intention to achieve best practice.
- Begin bringing IT and management together: Pursuing ISO27001 will usually allow you to work with business-oriented IT security experts who can "translate" business priorities into risk-mitigating IT solutions. Let this translation activity mark the start of new dialogue in your business, where IT and management strive to align information security management systems with business requirements.
- Increase your appeal to customers: Businesses, especially multinationals, increasingly require evidence of information security management compliance. Pursuing compliance now enhances your attractiveness to potential partners, and may help protect vital revenue streams if existing partners instate new requirements.
All organisations now face hard choices about future IT investment. Pursuing standardisation can be a useful way of ensuring the right spend in the right place -- as well as a means of delivering new business insights that can make your management team better leaders. And that's the kind of investment that pays long-term dividends.
Seminar on Payment Card Industry Security Standards and Compliance
Feb 24th 2009 8.30am - 11.30am
If your business accepts payment cards and you require an update on payment card industry standards, eircom and its partner Espion will host a business and technology issues seminar at our new headquarters, in 1 HSQ, on Tuesday Feb 24th.
For further information on the seminar or to reserve a place, please contact Jim Urell or Clive Ryan.