Information security managers need to better align themselves with company business goals to help embed security practices in an organisation, according to speakers at InfoSec 2013.
News International chief information security offficer Amar Singh said that security managers often fail to successfully engage with the wider organisation, and place too much faith in the latest technological innovation, viewing these security system tools as a "panacea" in protecting against risk.
"I may already be secure with what I have, so just because I have a budget doesn't mean I go out and spend it on something. I believe in tools, but the problem is tools are seen as a panacea," Singh said.
"Do I really need an intrusion detection system? I may get a great offer from IDS suppliers, but what happens after? I have to invest money in implementing IDS, training people to use IDS and so on. On the face of it, it is a great investment, but people don't always think about the cost of operations, and the daily running of the tool. That is why a lot of the time things go wrong, by overcomplicating."
Part of the problem is a lack of understanding of the business goals, and Singh, who is also chair at ISACA, believes that security managers need to emerge from the IT department 'bubble' in order to ensure that a dialogue is maintained around information security with other parts of their company, be it at board level, or with end users.
From an end user perspective, this can mean ensuring that anyone in the organisation is able to approach the CISO or their staff, making it is easier to create awareness around risks faced by an organisation, something that is not necessarily achieved by throwing money at new hardware or software systems, he said.
The threat around information security continues to grow, and for the media industry, information security risks are increasingly significant, as evidenced by the recent Associated Press Twitter hack, which caused US markets to spike temporarily. These sorts of threats of cyber attacks are mounting for all companies across many industries, Singh pointed out. But while there is no silver bullet approach to prevent a successful attack, risks can be mitigated by ensuring that there are strong communications channels with end users.
"The question is, how can you have control of, for example, the AP Twitter account getting hacked? The reality is that there is no way to control it, because you could have accessed it from anywhere - from your mobile, or from any machine on the planet.
"The only way you can influence and reduce the risk is that, if you are the user of the Twitter account, hopefully I would have engaged with you and I would have shared with you the necessity of having strong passwords, and not sharing passwords. Yes you need to invest in tools - but you need to build a culture where everyone talks about information security."
Also speaking at the InfoSec event at Earl's Court in London as part of a panel discussion on 'Changing perceptions: Embedding information security in the business', head of information security at Manchester Airport Group (MAG), James McKinlay, highlighted the need to "build bridges" with other parts of the organisation and evolve their role within a business.
"Getting involved with people all the way across the business really helps your case when you want support for changing things and getting over the resistance to change," he said.
"The world needs to move on from thinking about information security as being computer security. Information security is much wider and has to build bridges with the business."
He added that a more strategic approach in line with other business priorities is needed to ensure information security staff are able to influence risk management across an enterprise. "I don't believe enough people who are leading an information security function have set out a strategy in the style of a paper that has been agreed by the IT director, risk director and laid a business plan aligned to the business goals," he said.
"If you are in a larger organisation it will have a mission and a vision, you should really adopt that sort of approach and put it in a strategy paper. I think this a great way of getting information security embedded in your business practice."