As a security and risk professional, I am often asked 'how much security is enough?' It seems a simple enough question, but it trips up many people when they try to answer it. So what is the right answer? Is there a neat sound bite one can give? Well, not really.

In a dynamic environment of increasing security threats such as ours, firms face a big challenge to ensure they continue to:

  1. Get their security governance structure right and clearly articulate roles and responsibilities
  2. Obtain executive level buy-in and sponsorship
  3. Base security investments on risk
  4. Use security as a business enabler, not just a cost
  5. Establish a security awareness programme
  6. Continue to assess and adjust their security capabilities to changes in the environment.

It's complicated

A day rarely passes without a press report relating to a security issue. All financial services organisations now face greater security threats to their people, assets and operations from diverse sources, including:

  • Terrorism
  • Fraud and financial crime (both internal and external)
  • Organised crime, including money laundering
  • Information security threats from hackers and computer viruses.

The level of complexity involved in managing such a diversity of threats means that cyber security has become a significant and increasing cost of doing business. The challenge is to develop a holistic approach to security management which responds to each of these demands in a coordinated, cost-effective and efficient way.

Where are firms focusing their infosec investment?

Our larger clients are spending millions in transforming their security functions and improving their security management practices across a range of areas, including:

  • Risk management
  • Information security
  • Fraud and investigations
  • Forensics
  • Anti-money laundering
  • Physical security
  • Business continuity, and
  • Crisis management.

For many of our clients, this investment represents a significant shift away from the manner in which they have traditionally managed security. It places huge demands on their security teams to develop new management skills, and it also places demands on their partners and service providers, including us.

The best fit model

It is becoming more common for organisations to strive for a 'best fit' solution as opposed to obtaining 'best practice' in every security matter. It's about being commercial and pragmatic in the way security is managed. Conforming to best practice is an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the expenditure required to get there.

A best fit model is about understanding what the risks are and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying best practice processes regardless of the associated risk.

So how much security is enough? A good place to start is to identify the top risks your business is likely to face and find commercially pragmatic solutions that remediate those risks. And that's exactly what firms must be focused on doing right now.

IRESS Limited published this content on 26 June 2017 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 25 June 2017 13:40:05 UTC.

Original document: https://www.iress.com/au/resources/blogs/how-much-security-enough/

Public permalink: http://www.publicnow.com/view/3EC1419AA23C492999B48023C4955A4864F85AF8