MUMBAI, INDIA: Not many CSOs would agree that sanctioned security budgets are sufficient to build a holistic security ecosystem equipped to meet the challenges of evolving global security risks.
Budgeting and investment are processes of aligning business outcomes with the need for security. Executive management expects a tangible return on investment and a level of assurance, which CSOs find difficult to produce.
In its absence, the rationale for decision making has become subjective and ranges from "So far no one has hacked us, so why should we worry?" to "Let us do what is required to meet our auditing and regulatory requirements". As a result, today, security investments are driven by the need to satisfy regulatory and compliance issues and to protect material assets, so that the company's auditors provide the mandatory tick in the box.
Besides the more apparent budget inadequacy, this non-alignment between security and business results in security investment being channeled towards process compliance, ignoring other vital aspects of data and application security, and in a lag between investment and business actions.
Businesses need to align with security because of the increasing scale and pace of transformation of global business operations. Application development, IT operations and business processes are being outsourced, off-shored and out-tasked, putting suppliers in control of business information and of the continuity of key business processes.
Global terrorism can cripple business operations and supporting infrastructure. The Internet, as a fast growing channel for B2C and B2B commerce, has brought in the related risk of data thefts and identity fraud. As executive management decides to use online channels or focus on core competencies, these business and environmental changes need to translate into an upgrade of the security ecosystems for safer business.
A simple business action can have serious consequences for the security ecosystem. For example, the growth of e-commerce required organizations to set up portals or trading sites. Traditionally, these organizations invested in network-related defenses such as firewalls and intrusion detection systems but failed to build secure applications.
As a result, when these applications were exposed to the Internet, application-related hacks rose to 75 percent of all security breaches. An in-depth assessment of these organizations would reveal deficiencies in application design and code, weak security processes, limited security awareness among application developers and administrators, and inadequate application monitoring and security testing.
Because the security industry is still maturing and security risks remain hard to predict, security consultants are not able to fully certify an organization as being truly secure, or to assure executive management that there will not be a security incident.