Donald Barnett, Guest WriterElectronic commerce, communications technologies and the growth of the Internet are changing the world at a pace that few people would have predicted.
Lifestyles are being modified by new ways of shopping, new forms of entertainment and previously unavailable opportunities for working from home or on the road; while organisations have unparalleled opportunities to embrace new channels, products and services.
Organisations are striving to achieve their business goals while operating in a marketplace that is more dynamic and challenging than ever before.
The challenges that organisations face include:
Keeping pace with change, including regionalisation and globalisation;
Harnessing the Internet as a key enabling technology;
Meeting the challenges to operate in a secure environment.
Increasingly, organisations are recognising that security is a key business enabler in moving forward.
particular issues
While the above summarises many challenges common to large organisations, some industries have particular issues:
The financial-services sector is the principal target for phishing - that is, coaxing people to provide Internet banking log-on credentials to fake banking sites.
Also, virus and hacking risks are increasing. Important, financial- services regulators are setting some of the highest standards for security and continuity compliance.
Major entities in the information communications and entertainment sectors are concerned about intellectual-property protection, and there are instances of organisations unknowingly hosting contraband on their internal and external-facing systems.
The energy and natural resources or ENR sector is subject to substantial scrutiny under the various critical infrastructure- protection programmes of governments.
The ENR sector has also recognised the need for strong control of systems for safety and environmental protection.
Major manufacturers have not historically invested in security systems. With global networking threats, the potential for loss of design plans and/or market intelligence is causing many manufacturers to reassess their security strategies. Transportation providers, particularly in aviation, are under enormous pressure to secure all aspects of their operations, including back- office processes where information might be obtained that could be used to formulate a terrorist attack.
Governments must be seen to lead by example. In many cases, Governments operate the critical infrastructures and national icons that could be the target of attack.
Governments invariably drive the regulatory frameworks for other industries.
They are challenged to set compliance rules that are effective for security management and are also affordable to the entities that must comply.
A KPMG survey of leading organisations in the United States, Canada, Europe and Australia, found that they generally embraced seven core principles:
Security as an enabler
Security is no longer regarded as a support function. It is seen as a fundamental enabler to the future conduct of an organisation's business by making new products or channels viable. For example, new authentication techniques are permitting customers to be identified remotely to authorise high-value financial transactions.
Strategic focus
The security function needs to be strategic to effectively analyse trends, identify problem areas and ensure that policies are developed and implemented in a consistent manner.
Furthermore, security must be a core consideration in the organisation's strategic planning efforts, and in the early stages of business initiatives and projects, to ensure that security implications of these efforts are foreseen and addressed.
Security is managing risk
Security is about managing risk - this is its primary function. The security function must have strong integration with the organisation's overall risk-management framework.
Central coordination
Managing the increased risks associated with a changing environment demands increased central coordination to ensure that, for example, weaknesses in one division's systems do not place the entire organisation's operations at undue risk. The establishment of a strategic security group will facilitate, coordinate and oversee activities associated with managing security risks. In addition, such a group will be able to achieve efficiencies and increase consistency in the implementation of an organisation's security framework by performing tasks centrally that might otherwise be performed by multiple individual divisions.
Presence and authority
To be effective, the strategic security group requires a strong presence and visibility throughout an organisation. It also needs a strong authority mandate to take action. High-risk security-related issues must be on the agenda of the executive and audit committees as part of their corporate governance responsibilities.
Placement of security
The strategic security group is placed no lower than two levels below the managing director/CEO in an organisation's management structure to ensure appropriate authority and visibility.
Line management
Line management must have security responsibilities and accountabilities. The security function must be capable of supporting the organisation without diminishing or compromising line management's accountabilities and responsibilities.
Suggested Policy Framework
The security function should manage and drive a policy framework that describes the process for risk identification; policy development; identifying and reacting to drivers, for example legislation; securing effective stakeholder input; the hierarchy of approvals; and, development and ownership of related documents, such as standards and procedures.
Developing a comprehensive set of policies against the proposed policy framework is one of the first steps in establishing an effective organisational security framework.
In addition, the importance of updating policies continually to respond to newly identified risks is critical.
Business divisions are more likely to support centrally managed policies that clearly address an organisation's needs and that are practical to implement.
For this reason, the policy framework must accommodate the input and buy-in from business divisions in the development and review of policies.
Security now needs to be regarded as a business imperative - no longer an option.
Boards and senior executives have indeed started to recognise the need for active security management. Many of their shareholders, regulators and business partners are expecting no less.
As evidenced by the increased incidence of organisations commissioning security reports on their current or potential business partners, management has started to seriously consider the security implications of major projects and ventures.
A significant example of this is in IT outsourcing where it is now widely accepted as good governance practice to write contracts with independent security reporting being both a prerequisite to the contract and an ongoing requirement.
Donald Barnett has over 25 years' professional experience in the provision of IT advisory services in CARICOM, and a as partner of KPMG CARICOM.
