
Flexibility in security an ongoing process

Having a flexible architecture helps companies better adapt to changing business needs and cut unnecessary business risks, says a Verizon Business executive.
Written by Vivian Yeo, Contributor

SINGAPORE--Even as IT security professionals continue to grapple with changing business demands, flexibility of architecture and third-party risks need to be factored in, industry observers said at a conference in the island-state.

At the Secure Enterprise Summit 2008 organized by consulting firm Frost & Sullivan last week, Chau Chee Chiang, CIO at Singapore's Defence Science and Technology Agency (DSTA), said in a panel discussion that one of his challenges is to balance security with business agility and this balance is "increasingly harder to achieve".

Fellow panelist Ramesh Moosa, associate director of advisory at PricewaterhouseCoopers in Singapore, also pointed out that businesses are increasingly demanding greater accountability and measurement of IT security investments.

In recognizing the importance of enterprise security, companies are putting in place formal structures--such as steering committees headed by Board-level executives--to ensure good IT security governance, said Moosa.

According to Thomas Frazier, security manager for the Asia-Pacific region at Verizon Business, besides focusing on business alignment, IT security professionals also need to pay attention to two other elements when it comes to managing enterprise security.

Flexibility in designing the security architecture is necessary, said Australia-based Frazier. Companies cannot assume that security perimeters will always be "structured" and have to factor in the ability to adapt to changing business needs and models.

Inflexible models are a leading cause of security breaches. Citing a study, Frazier said there were over 127 million breaches in North America last year, and while there was no official tally of disclosures in the Asia-Pacific region, the figure "is absolutely staggering". Some industry standards, he noted, are so rigid that businesses choose not to implement them, which leads to unnecessary business risk.

In addition, IT security professionals also need to pay attention to "the evolution of location of controls"--deciding what controls to use and where to place them, said Frazier. Anti-DDoS (distributed denial-of-service) software, for instance, would be more effective "in the cloud", while controls for targeted attacks and insider threats would be better situated on-premise. To effectively manage controls, IT security teams need to measure the effectiveness of the security controls used, he noted.

Are third parties secure enough?
Businesses also need to watch the security policies and practices of their partners. Referring to a Verizon survey on security conducted last year, Frazier noted that 39 percent of respondents said they had never looked into their partners' policies, while 12 percent indicated they did not know. These companies were being exposed to unnecessary risks, he said.

Ganesh Vanapalli, BT Global Services' chief security officer for the Asia-Pacific region, pointed out that in an age where many companies outsource non-core components of their businesses, security governance should extend to partners.

If that aspect is not looked into, fortifying individual organizations "doesn't help", said Vanapalli.
