Guy Golan

Organisations face an increase in security threats, both in magnitude and complexity. Forrester, in a survey of in excess of 2 000 enterprises and small businesses (published February 2011)*, says business needs to deal with “a more menacing, capable threat landscape, respond to a growing body of regulation and third-party requirements, and adapt to an unprecedented level of IT upheaval”.
While the problem is indisputable, throwing money at it isn’t. Executives, who have already spent a significant amount of money on security solutions, are still unsure of whether their protection is adequate, says Alan Rehbock, sales and marketing director at Magix Security. And as the threats go up, budgets are more strictly monitored than ever.

“Budget constraints should not mean you don’t achieve a high and acceptable level of security,” says Samresh Ramjith, GM: technology and operation – security solutions line of business, at Dimension Data.

As a general trend, companies are adopting a back-to-basics approach, says Guy Golan, MD at Performanta Technologies. “The business must drive the need.”

Gerard Dumont, senior IT architect executive, IBM Sub-Saharan Africa, says management must determine which information threatens business operation. “IT risk management is no longer a strictly technical function, but a crucial management task that can provide direct business benefits to the entire organisation.”

Policy, process, people

Determine critical resources, then structure a policy, says Ramjith. Quantify the cost to business in downtime of services, and the impact of compromised or stolen data. “This will set the tone for the governance and compliance structure,” he says. Ensure that standards, checklists and baselines are included, and appoint someone who is responsible for adherence to the policy. “Employing the services of a consultant or a provider at this point will ensure access to a top quality ‘brain trust’ at an affordable fee. Long-term, it’s the right place to spend money and the best way to make it go further.”

Samresh Ramjith

“Once an effective security policy is in place and an acceptable security posture developed, it is imperative that organisations continually monitor their posture to make sure it remains intact,” adds Rehbock. Failing to do so could result in “breaches of the King III principles, the Companies Act and the soon to be legislated Protection of Personal Information Act. The results are not embarrassment or a slap on the wrist, but can be hefty fines and even incarceration for directors.”

Redundancy and overlap also needs to be examined, advises Golan. Business will typically buy a solution to plug a hole – when a problem arises it is patched without a full audit of what’s already in place. The result is that businesses own a number of different solutions that perform the same task. “Examine your environment. Document areas of overlap and choose the most superior solution,” he says. “Many products are so feature rich that it may be unnecessary to purchase new technology.”

An emerging trend in the SME market is a unified threat management system, says Ramjith. A consolidated technology stack, which fulfils multiple security functions on one console, and managed either through rental or purchase from a service provider, reduces cost and redundancy. “While functionality might have been deemed necessary through multiple tools, implementation was inefficient, overlap was unavoidable – there has been a distinct move in this market sector towards the centralised management console.”

The most important factor when considering a security landscape, however, is the people and the processes. The best technology in the world will fail if the basics are not covered, says Golan.

*http://www.forrester.com/rb/Research/forrsights_evolution_of_it_security%2C_2010_to/q/id/56886/t/2