Business is changing. Our recent (or current) 1-in-a-100-year economic event has sparked a much needed renewed focus on corporate governance. For us in the risk world this presents an opportunity to emphasise the need for good governance and internal control. Risk management is a critical success factor for an organisation operating in the current and post-economic downturn world. One can assume that only those companies with strong risk management principles (and integrity) made it through the tough times intact. By itself this achievement can be utilised to instil confidence in consumers and clients, which will have a positive impact on business. For example, adopting and implementing a compliance programme such as ISO27001 (for the right reasons) exhibits appropriate management of information security and can be a business enabler. In time, with the increase in regulatory and compliance requirements, the inability to manage and market sound internal control processes adequately may become a barrier to taking on new business or chasing market share.
Coupled with the ability to outwardly display good information security governance is the requirement to be agile and take advantage of business changes while still maintaining a sound security environment. From a technology perspective this is the common problem of new devices and ‘business’ toys finding their way into the work environment without InfoSec having a chance to perform a risk assessment and implement the requisite controls. The increasingly blurry line between business and personal devices, and the communications associated with them, exacerbates the issue. The greater the lag time between implementation and security, the more risk the company faces. In a high performing environment the security team will be ahead of the curve and already have plans in place before the technology is brought in. However, budget challenges in today’s environment, while companies get back onto the front foot, could impact the recruitment process and ultimately the capability of the InfoSec team to deliver.
Agility from the information security team is also important to support the business while they exploit opportunities. Some noteworthy activity took place in the SA mergers and acquisitions space last year (HSBC & Wal-Mart), and according to the NY Times this global trend will continue due to low interest rates, cash surpluses and distressed companies. InfoSec teams need to be involved in these deals from the start to identify and manage risks relating to the consolidation of environments, security models, culture and management of intellectual property. M&As can be a risky process for businesses, and support from the relevant risk management and assurance providers can help prevent unwanted surprises further down the line.
The trend of buy-outs and takeovers is also shaping the IT security landscape – Intel bought McAfee and IBM bought Guardium – showing that these giants recognise security as a key pillar of IT and not an afterthought. Their solutions may well provide a foundation to manage security throughout the IT lifecycle as customers require greater visibility and management of information. The recent purchase of Open Pages (GRC software) by IBM shows a much needed expansion into the broader risk management world outside of pure IT, so we can expect more end-to-end solutions addressing IT service delivery, architecture, business process and risk management.
Together with King III principles, these new technology solutions may provide the catalyst assurance providers need to collaborate and work smarter. We need to take a critical look at our risk assessment processes to ensure key risks are prioritised properly and have adequate coverage (defence-in-depth is nothing new to the information security world). The complexity of and change in business environments necessitates collaboration, as no single division has the capability to identify, manage or control end-to-end business risk. The other tangible benefit will be to avoid duplication of certain activities between InfoSec, Operational Risk and Audit (for example), which can either have a positive impact on the bottom line through a reduction in hours charged, or free up time to spend looking at more strategic risks.
In conclusion to this somewhat broad-sweeping post, more can be done to improve and market information security risk management in our current climate. External factors have resulted in trying conditions for many organisations, but they also present opportunities and provide new solutions to assist business security management. Strong internal security controls limit operational costs and increase process efficiencies, both of which have an intrinsic link to external confidence. The value can also be less tangible, but means allocating fewer resources to fire-fighting and more to strategic planning, resulting in cost optimisation and process improvement.