In this article, Christos K. Dimitriadis, international vice president of ISACA, looks at how IT security can be a major driver for business and an enabler of innovation.
For years, many enterprises have viewed IT security as a costly extra that has to be endured and that does not produce value for the enterprise. The past two years, however, have shown that this attitude can be fundamentally flawed. Even multinational enterprises have suffered data breaches and have lost substantial sums of money as a result.
Recent estimates show that cybercrime costs the UK economy alone £27 billion every year. In January 2012, the World Economic Forum’s Global Risks 2012 annual report named cyber attacks as a top-five risk, and the UK government raised cyber security to a Tier 1 risk to the nation. It is in the interest of every enterprise to put in place processes to prevent successful cyber attacks.
The right security framework can very quickly help an enterprise become more competitive by enabling it to respond to changing market trends and customer demands without putting itself or its customers at risk. Security can, in fact, be an enabler of innovation. When a proactive attitude is taken to IT security, and it is woven into the culture of the enterprise, it can ensure that the business is agile, growing and becoming more innovative. An enterprise that can adapt to change also establishes confidence within its own staff and customer base, and is able to manage risk in support of its growth.
A properly planned IT security strategy, with support from the board, provides an enterprise with a solid security framework that is designed for growth. With a consistent, scalable security foundation and a plan to build on it, there is less need for knee-jerk reactions as change happens.
Planning ahead will ensure that your enterprise has an efficient methodology to manage the impact of change before problems are encountered. Building this type of IT security framework will enable your enterprise to launch entirely new business initiatives swiftly. Being an early adopter of emerging technologies is necessary to gain competitive advantage, and, instead of whingeing on the sidelines when new government regulations are introduced, you will be able to comply with them more securely and cost effectively because you have anticipated them. This also allows you to take advantage of the new dynamism in your business as you leave the competition behind.
Enabling innovation is something that ISACA knows a lot about. Consider the innovation framework in COBIT 5 (www.isaca.org/COBIT), and how to use it intelligently. You have to ensure that your enterprise culture is open to innovation. The most successful companies are the ones that are cautiously open to innovation.
It is generally the case that in any company culture, the more restrictions you apply, the less you promote innovation. Innovation requires a certain amount of freedom; however, this freedom needs to be outlined and its limits carefully delineated. Compliance and regulatory frameworks have to be in place, but they do not have to be applied heavy-handedly.
There are many ways to implement innovative strategies, even where employees are resistant to new ideas because those ideas restrict, or are perceived to restrict, freedoms that they already have. There are ways to break down this resistance. For example, if your sales teams are using unsafe methods of communicating with the office while they're on the road, you should research the type of tools that would be better for the enterprise and which the teams would adopt with the least resistance.
If you have a sales team that is using battered old laptops, you could find your IT security policy being tightened up quite considerably by the introduction of new tablet computers. You don't have to go for iPads; you can go for a cheaper tablet, as long as you consult your staff properly and do a good job of communicating the good points of the new technology.
This tactic will have additional consequences for your bottom line. If the sales team thinks that they are being given better tools to do the job, then they will feel appreciated. This appreciation could lead to higher sales and an increase in creative output.
In the early days of cloud computing, most IT security departments considered the technology far too insecure to use. That may have been the case back then, but there have been methods of securing enterprise connectivity to the cloud for a long time now.
It is a law of physics that water will find its own level. The same law can be applied to employees — if they have a new type of gadget that needs your corporate network to make it fully functional, they will find a way to use it. The explosive combination of the iPhone and Gmail ensured that the cloud not only darkened the sky of the enterprise but entered the inner sanctum of the network through the simple use of the employee’s enterprise network login. The growth of Gmail and its easy integration of calendar and contacts has forced IT security staff to increase the security on their servers and begin the process of making the cloud secure for the enterprise.
There are other management processes that have to be in place to ensure the IT security of an organisation, and some of these are being deployed to deal with the problem of bring your own device (BYOD). Employees like to feel they can bring in their own devices and connect them to the network. Talking about Google, Douglas Merrill, one of its former chief information officers, said: “Studies show that employees can increase company returns when they have the freedom to innovate by trying new software and new workflows. However, those returns disappear when employees are made to feel that their activities are illicit.”
As an example of how companies can give workers freedom without compromising security, Merrill described his experience at Google. "Google's engineering culture was all about working the way you want to work," he said. Employees could use any operating system and work from any convenient location: the office, home, a coffee shop, or wherever. As a result, it was impractical to rely on traditional security solutions, such as installing antivirus software on each device employees used.
Instead, Merrill said, Google addressed security by building up its infrastructure. For example, the company put antivirus protection on its mail server, which is the main source of viruses that infect the network. They also watched their network traffic patterns for any unusual spikes.
Merrill said that enterprises need to find new ways to accommodate employees, while also securing their systems. Trying to change behaviour, like asking employees to stop using instant messaging or Gmail, only stands to stifle innovation.
IT security departments need to be aware of what their employees are up to and what is actually happening on the network. ISACA’s COBIT 5 is an innovative framework that can make security an intrinsic part of an enterprise, so that no unexpected events can surprise you. As an innovator, you will be ahead of – not behind – the safe adoption curve.
About the Author
International Vice President Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, is the head of information security at INTRALOT GROUP, a Greece-based multinational supplier of integrated gaming and transaction processing systems, where he manages information security in more than 50 countries on all continents. He has worked in information security for more than 12 years and has authored 80 security-related publications. He has provided information security services to the International Telecommunication Union, European Commission Directorates General, European ministries and international organisations, as well as business consulting services to entrepreneurial companies. He is chair of ISACA’s COBIT Security Task Force and has served as chair of ISACA’s External Relations Committee and as a member of the Relations Board, Academic Relations Committee, ISACA Journal Editorial Committee and Business Model for Information Security Work Group.
He is a frequent speaker at IT security events around EMEA.