Several key trends are rapidly changing the operating environment within which we do business. Global competition, tough regulatory regimes, expectations of demonstrable governance by stakeholders, changing workforce demographics and finally rapid technological innovations have a significant impact on the way we handle and share corporate information. We will find ourselves having to manage the apparent contradictions that are brought about by, for example, greater demands for customer data access for business analytics against the need to preserve customer privacy (and therefore restrict access) as mandated by law.
Similarly, the opportunity of access to business-critical information at any time and from anywhere brings with it challenges in the use and management of mobile devices such as laptops, smartphones and tablets, which carry corporate data outside the network perimeter and so leave the corporate firewall with little to protect. And let us not forget the social networking element that is making its way into the workplace, forcing us to rethink our policies on employee expectations of privacy against the need to protect the enterprise.
And what about cloud computing? Taking full advantage of the savings that cloud services bring will require us to relinquish some control over our corporate data. This, coupled with the fact that information theft continues to be one of the most common types of fraud to which companies are susceptible (Kroll Global Fraud Report, 2011/2012), compels us to take a serious look at the arrangements we have in place to secure our information assets.
Theft of confidential information is on the rise because data is increasingly portable and perpetrators can access and remove it with relative ease. The need for ubiquitous access to business intelligence, integration of personal mobile devices into the corporate network and the opportunities associated with the extended enterprise present a target-rich environment for would-be fraudsters. We need a proactive approach in response to the complexity and volume of security threats our businesses will face.
Information Security is often considered to have three components: technology, processes and people. Traditionally, technology is seen as the key aspect of Information Security, which is not surprising, given that IT complexity is cited as the leading cause of increasing fraud exposure in most corporates (Kroll Global Fraud Report 2011/2012). But be warned: Information Security is not just an IT problem, and those who pursue a technology-only response may be disappointed.
Processes and people must not be overlooked when developing a holistic approach to Information Security. This means considering questions beyond the purely tactical, and responding with strategy and transformation in mind, as follows:
The key elements of a holistic approach to Information Security that will enable us to answer these questions include:
Having implemented these elements, are we safe? Well, we can never be 100% secure: there are too many variables, and eliminating all of them would cost too much. But we can come close and, at the very least, minimise our risks while maximising the opportunities that await us.
Author: Kris Budnik MSc, CIPP/IT, is Head of Information Security, PwC.