UPFRONT Sweet ’n sour

When it comes to company security, a balanced approach is what counts, according to Ofer Reshef, principal consultant and security specialist at technology solutions company Optimation. Reshef recently told invited audiences of IT decision-makers in Wellington and Auckland how they can benefit from picking and choosing from an extensive menu of tools, policies, technologies and practices. “It’s all about finding the good things for the diet: not too many sweet things and not too many sour ones.”
Recognition of the need to tighten security and privacy safeguards has been steadily rising over the past few years. Citing an annual Gartner survey of chief information officers’ strategic priorities, Reshef said security and privacy issues have risen from 10th to fifth place in the space of just two years.
Yet, despite its increasing visibility, says Reshef, many organisations still see security as a technical issue. “It has to become part of policy development, the system development lifecycle, work practice and products.”
Organisations could benefit from applying a balanced scorecard approach to managing their security needs, Reshef suggested, weighing up facets such as customer orientation, business value, operational excellence, and awareness and growth orientation.
In a similar vein, he noted that organisations need to think carefully about how they can strike a balance between paying huge sums upfront to fix potential security problems – which may never eventuate – and allowing a problem to occur and only then shelling out to fix it.
It is important to find the “sweet spot” somewhere in the middle that best balances company risk against costly financial outlays.
Reshef also took issue with the commonly used security risk models that weigh the impact of a security risk against the likelihood of its occurring.
“It is relatively easy to measure the business impact of a problem,” he said, “but since it is not at all easy to predict the likelihood of something occurring, most people end up putting most occurrences in the medium risk category.” This, he says, happens to such an extent that many security risk models lose their value, meaning and usefulness.
Reshef suggests that organisations concentrate instead on the potential impact on the business. “If something is likely to have a big impact on the business, you need to do something about it.”
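The collapse Reshef describes is easy to reproduce with a small risk register. The following Python is an added illustration, not code from the article or from Optimation: it scores a constructed set of risks on a three-by-three impact × likelihood matrix, then re-scores them with every likelihood forced to “medium” (the habit Reshef criticises) and shows that most entries end up in the same band, while an impact-first ordering still separates them. The level values, the band thresholds and the six sample risks are all assumptions chosen for the demonstration.

```python
"""Impact x likelihood risk matrix versus impact-first triage.

Added example (not from the article). The risk register, the numeric
levels and the band thresholds below are constructed assumptions.
"""

# Ordinal levels used for both impact and likelihood (assumption).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed sample register: (name, business impact, estimated likelihood).
RISKS = [
    ("unpatched internet-facing web server", "high", "high"),
    ("lost unencrypted laptop", "high", "medium"),
    ("insider data leak", "high", "low"),
    ("phishing of finance staff", "medium", "high"),
    ("defaced intranet page", "low", "high"),
    ("printer firmware bug", "low", "low"),
]


def matrix_score(impact, likelihood):
    """Classic product score: impact level times likelihood level (1..9)."""
    return LEVELS[impact] * LEVELS[likelihood]


def matrix_band(score):
    """Map a product score to a band. Thresholds are an assumption that
    mirrors common matrices where only the top corner counts as 'high'."""
    if score >= 8:
        return "high"
    if score <= 2:
        return "low"
    return "medium"


def band_matrix(risks, likelihood_override=None):
    """Return {risk name: band}. With likelihood_override set, every risk is
    assessed at that likelihood, mimicking 'nobody can estimate it, so call
    it medium'."""
    bands = {}
    for name, impact, likelihood in risks:
        effective = likelihood_override or likelihood
        bands[name] = matrix_band(matrix_score(impact, effective))
    return bands


def band_distribution(bands):
    """Count how many risks landed in each band."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for band in bands.values():
        counts[band] += 1
    return counts


def impact_first(risks):
    """Reshef's alternative: order by business impact alone, using the
    likelihood guess only to break ties between equal-impact risks."""
    ordered = sorted(risks, key=lambda r: (-LEVELS[r[1]], -LEVELS[r[2]]))
    return [name for name, _, _ in ordered]


def must_act(risks):
    """Risks whose impact alone is 'high' and so need action regardless of
    how unsure the likelihood estimate is."""
    return [name for name, impact, _ in risks if impact == "high"]


if __name__ == "__main__":
    print("honest likelihoods:", band_distribution(band_matrix(RISKS)))
    print("all likelihoods 'medium':",
          band_distribution(band_matrix(RISKS, likelihood_override="medium")))
    print("impact-first order:", impact_first(RISKS))
    print("must act on:", must_act(RISKS))
```

With the honest estimates one risk is “high”, four are “medium” and one is “low”; once every likelihood is recorded as “medium”, no risk is “high” at all and the three high-impact entries become indistinguishable from the medium-impact one. The impact-first ordering and the `must_act` list keep those three at the top without needing a likelihood number anyone can defend.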
