Security professionals are so focused on tools that they forget about the human element, and what people and process can add.
Speaking at an industry roundtable hosted by Websense, Mark Brown, director or risk advisory at EY, said that the accountancy industry spent 300 years trying to get to a shared qualification, but security professionals are trying to achieve that in a generation in “a leap of faith, but they are worried about making mistakes and move on”.
He said: “What does security mean to the business? You can look for a metric or try to quantify security, but you are looking in the wrong place.”
“Technology is only part of what you offer. It comes back to the element of understanding being breached, and boardrooms realise awareness is key and the whole company has the ability to make their staff security aware. Once governance and awareness is in place, you will be more efficient at what you do as the human and technology factors come together.”
Brown went on to say that any sector that deals with intellectual or valuable property will be targeted, so it becomes an economic rather than cyber battle and, if this is the case, a security manager can protect for a tenth of the cost.
“As boardrooms take notice, we see demand for security auditors and this has increased in the last 12 months and this is going one way, as there are too few people,” he said.
Carl Leonard, senior manager of Websense Security Labs, who hosted the roundtable, said: “You can see what has happened, but too many people are hung up on attribution. You can use that knowledge to better protect yourself; it doesn’t matter if it is a Government or a hacker after you.
Commenting, Amar Singh, chair of the ISACA UK security group, told IT Security Guru that he agreed that most organisations have very onerous procedures and processes to deploy technologies, and are not agile in their approach to general IT projects.
“That same attitude is reflected in information security and IT security initiatives. Cyber criminals and cyber activists do not have to present their case to the board, or go through complex and archaic project standards when they choose to cause cyber mayhem – needless to say, the more agile side will win,” he said.
Asked if there is too much reliance on technology than on people and processes, Singh said: “There is way too much reliance on technology. In attack after attack, the human factor turns out to be the weakest link. Right next to it is process failure, or lack of any process.
“Where there are processes they are so complex so that they are not followed. Technology is key and I am a firm believer in innovation through technology but you have to ensure that you help your employees, most of whom are “digital or cyber migrants” by teaching them how to protect their own cyber space.”