Business alignment, security define apps

IT departments too often implement applications to satisfy user demands instead of evaluating value-add to business and data security, says consultant.

SINGAPORE--Tech departments need to focus on both data protection and delivering business value, not simply put in place applications to please business users, according to a consultant.

Steve Lam, manager for technology and security risk services at Ernst & Young, said Tuesday that too often, IT departments have the mentality of creating the applications demanded by users to strike them off their to-do list, without really considering how they might impact business and security. He was speaking at a seminar in the island-state to discuss trends in security, networks and convergence.

According to Lam, "a lot of clients fail their first" attempt at putting in place a risk management framework. It becomes a "compliance for show" exercise as the framework implemented was not being practised or internalized by the organizations, he explained.

Singapore-based Lam also pointed to the failure to learn from previous mistakes as a stumbling block in risk management. The first buffer overflow struck in 1972, he noted, yet over the years businesses and individuals have continued to fall prey to similar malicious attacks--the most recent being the unleashing of the Storm worm. People simply don't learn, Lam pointed out.

Enterprises, despite having their application developers debug and refine previous iterations of code, still find vulnerabilities--such as cross-site scripting and SQL injection--in their software. The concept of Web application security existed several years back but is still being talked about today, he noted.

It is necessary to tweak the traditional "risk and reward" models, which either spend as much on network defense as the data is estimated to be worth, or aim to make stealing information as resource-draining as possible for hackers, said Lam. New parameters, he added, need to be introduced.

"Businesses need to look at risk and performance as an [integrated] investment portfolio," he pointed out, adding that there should be "centralized" and coordinated control over all related risk initiatives and programs.

Risk management also needs to be initiated from the top echelons of leadership, and be continuously monitored and evaluated, added Lam.