
APAC IT security still mistake-prone

Region's IT security mindsets are maturing but enterprises still make mistakes such as focusing too much on technology and not enough on people, says analyst.
Written by Vivian Yeo, Contributor

SINGAPORE--Although IT security mindsets in the Asia-Pacific region are maturing, many enterprises still lack the right approach toward corporate security management, according to an analyst.

One of the common mistakes organizations make is that they tend to view security from a purely technological perspective and not as a business issue, Edison Yu, industry analyst for Asia-Pacific ICT practice at Frost & Sullivan, said Friday at a customer seminar organized by Fortinet.

"Companies in this part of the world think 'If I have the right technology that's good enough'," he later told ZDNet Asia.

Security is also typically the responsibility of IT departments, such that when something goes wrong, the finger is pointed at IT personnel, noted Yu. Instead, there needs to be "shared responsibility" between IT and business units. Business leaders should also be accountable for their department's compliance with security policies.

Another problem in the current corporate security landscape is that processes and technology are in place, but the element of people is not addressed adequately, he added. With Web 2.0 and the use of social networking, there are many avenues through which confidential information can leak, and organizations need to manage this by inculcating the right security mindsets in employees.

According to Singapore-based Yu, businesses need to sharpen their risk management senses by adopting the following enterprise security habits:

1. Proactive approach--prevention is always better than cure. Have a proper framework that dissects every business process and addresses the security requirements for each of these processes.

2. Defense-in-depth--it is not enough to just tackle external threats by securing various points such as perimeters and endpoints; internal threats and risks must also be addressed.

3. Deeper organizational involvement--everyone has a part to play in protecting a company's information assets. Treat employees, not devices, as the endpoints and educate them on security risks.

4. Integrated and intelligent security management--ensure that there is true integration and communication between different security tools, otherwise they would be working in silos. Consider options that offer ease of management, such as unified threat management devices.

5. Management of extended enterprise--take into account access of, and transactions with, third parties such as business partners.

6. Tapping information security as a business enabler--security certifications such as ISO and Cobit (Control Objectives for Information and related Technology) not only enhance the integrity of systems, but also instill confidence in the organizations, which can lead to business opportunities.

7. Integration of people, process and technology--technology and processes are important, but bear in mind that people are the weakest security link, so education and the enforcement of rules are necessary.
