All-important board-level buy-in for security: finally here?
One IBM-sponsored study in the United States found that 85 percent of Chief Information and Security Officers (CISOs) surveyed reported that security awareness levels in the boardroom have gone up. Eighty-eight percent reported that security budgets also increased.
This is important for two reasons.
According to IBM Security’s Technical Lead in ASEAN, Nigel Tan, awareness of security, and of the need to act upon it, has reached the upper echelons. Where security was previously seen mostly as a compliance requirement that needed to be met, there is now a shift in thinking towards security being needed to address risks.
When it was a compliance issue, organisations would have wanted to do the bare minimum, just to be able to check boxes. But now, a more risk-based approach actually requires thinking about security as a framework for the organisation to implement.
“This is an important fundamental shift because now you are looking at risk exposure and what needs to be done to cover that risk,” he explained.
The second reason the study’s findings are important is that signs of increased awareness can also be seen in Malaysia.
“We see it in our interactions with customers, that they are looking at things like mock tabletop exercises, of what to do when security incidents happen,” Tan described.
“A lot of organisations have built capability to detect breaches, but how to respond to it, still needs training,” Tan observed.
A good place to start is an enterprise-wide risk assessment. One reason is that it answers a basic question: given the finite resources an organisation has, which key areas does it need to prioritise?
In Malaysia, actual security frameworks are not yet truly in place, and a compliance-based posture predominates amongst businesses.
Tan emphasised that organisations have to adopt a risk-focused view of IT security, quickly develop frameworks and put controls in place.
“They should also seek help. A lot of times, security expertise is a scarce commodity, so organisations need to look outside their organisations, especially if they are not in the business of security,” he concluded, adding that it is important to have security teams and to seek help on how to improve security in organisations.