IT security isn't about 'putting brakes'

For it to be effective, information security must be viewed as a strategic business enabler, not as a hindrance to a company's "ability to run fast", regional CIOs urge.

KUALA LUMPUR--Information security within enterprises should be viewed as an enabler of business rather than an impediment to growth, say industry players.

Jimmy Cuadra, CIO of ICI Paints Asia-Pacific, said information security must not be viewed as "putting brakes in a company to avoid accidents". Instead, it should be seen as enabling businesses to run faster, he said.

Cuadra likened information security to an effective braking system in a race car, where its purpose is not to impede the car but rather to enable the vehicle to go as fast as it can.

"Information security is not about impeding businesses' ability to run fast," Cuadra told ZDNet Asia Wednesday on the sidelines of the SecurAsia Security Congress held in Kuala Lumpur, Malaysia. "Instead, an effective information security system will enable enterprises to grow in a controlled and safe environment.

He noted that some enterprises viewed information security as an expense and not as a strategic part of the business. Due to the pace at which technology is growing, security should have a strategic role and not one that is merely functional, he said.

Enterprises that want to keep ahead of the competition then have no choice but to invest in information security, Cuadra said.

Talk security in business sense
According to Vishal Salvi, chief information security officer of India-based HDFC Bank, it is important for top IT executives to articulate their company's security needs in a business sense, rather than in technical terms. HDFC Bank is one of India's leading private sector banks, with over 1,100 branches and 45,000 staff.

"Business people do not understand technology," Vishal told ZDNet Asia, on the sidelines of the IT security congress. "Thus, information security should be implemented by business users rather than technical ones."

He noted that business executives, especially top management, must see the benefits of IT security articulated in terms of its business value. Only then will they view such investments as strategic, rather than an expense, he added.

To help board executives better understand the role of information security, Vishal said organizations should form a specialized committee aimed at helping all stakeholders work through the relevant issues pertaining to IT security.

"The committee should comprise all the business heads, including IT security lead, as well as the head of risk management. This way they can deliberate things together and form a cohesive information security policy where everyone's view is represented," he explained, noting that HDFC Bank operates on this model.

ICI's Cuadra added that it is impossible for an enterprise to have all the resources to tackle IT security challenges.

"As such, we need to identify the root causes, prioritize what needs to be done, divert resources to solve the challenges so that the business benefits can be experienced by the enterprise," he said.

During a panel discussion at the SecurAsia congress, Cuadra noted that IT security is no longer the domain of technically trained personnel. Instead, he said, there is a need to employ professionals who are skilled at negotiation, facilitating and marketing.

Cuadra noted that this is necessary because there is a need to change the mindsets of staff about security. "We need to be creative and design proper awareness programs, aimed at drumming in the message that information security is everyone's responsibility," he said.

To do this effectively, he added, enterprises need people with the soft skills necessary to educate and monitor employees and manage the level of user awareness.

Edwin Yapp is a freelance IT writer based in Malaysia.