IT security is most closely associated with terms such as antivirus, trojans, phishing, spam and identity theft. But putting out fires caused by that kind of malware is not enough.
To Neil Macehiter, analyst and co-founder of IT advisory firm Macehiter Ward-Dutton, the key challenge of enterprise security is to understand what is happening in the business, and its implications for IT and, therefore, security.
At Information Age’s Enterprise Security 2006 conference, Macehiter highlighted three significant changes within the business environment that are affecting the way security should be managed.
The first is globalisation. Technology has created an inter-connected network of customers, partners and suppliers across the globe. But as Thomas Friedman points out in his book The World is Flat, this explosion also means that every person is now potentially an equal – and competitor – of each other. And just as IT is an enabler of globalisation, so IT is the only way to further exploit the advantages that globalisation presents, says Macehiter.
However, this expansion has created the need for greater transparency within organisations, obliging companies to comply with numerous legislative requirements: in the London financial market, transactions are subject to a total of 42 different pieces of legislation.
Neil Macehiter is a co-founder of IT advisory firm Macehiter Ward-Dutton and consults across a broad range of IT issues, including enterprise architecture, service-oriented architecture, virtualisation and identity management. Prior to this, Neil was research director for IT analyst group, Ovum.
“You have to shift away from this functional orientation in IT, to one that is horizontal,” says Macehiter. “This has significant implications for security because suddenly these stovepipes that you have relied upon for access to information, and the way it is secured, are different.”
THE SECURITY PARADOX
Taken together, globalisation, compliance and organisational differentiation are radically affecting the way IT is thought about within businesses. But Macehiter is sceptical that the resulting approach to enterprise security is reflecting this business reality – and he points to a number of paradoxes that have appeared.
First, organisations appear to be investing in inverse proportion to how important they believe these areas to be. Security is a ‘poor nephew’ next to initiatives demanded by the business, such as implementing customer care systems. This creates a key challenge for security officers as they build business cases for security investment.
Organisations are also ignoring internal factors. Rogue employees accessing and stealing classified information, and the sharing of passwords and corporate information, all contribute to this risk. Availability, accessibility and confidentiality are all issues that have a direct impact on productivity and competitiveness.
The IT department needs to think strategically about how business objectives affect security – and then create a long-term, overarching security architecture for the organisation. This means engaging all the stakeholders concerned, including auditors, enterprise architects, line-of-business managers and IT strategists. And that communication should be in a language familiar to each stakeholder group.
“They are not concerned with Bayesian algorithms for dealing with spam,” he says. “The dialogue needs to shift to one of improving employee productivity.”
Only then will security be an enabler, adding value instead of being a cost.