Information Security Requires an Integrated Approach

September 1, 2017

Cyber attacks are occurring with increasing frequency, breaching confidential information and causing significant losses for private and public organizations alike. A common response is to focus on IT countermeasures: strong anti-malware software, intrusion detection and prevention systems, patching, and the latest encryption software. These IT countermeasures are a critical part of the solution, but a more integrated approach is required to truly protect an organization's information.

Information security can't simply be handed to your IT department or specialist on the assumption that your risks have then been sufficiently mitigated. An integrated, enterprise-wide information security management program must go beyond deploying IT countermeasures as its sole strategy for addressing risk.

The Threat Goes Beyond the External Cyber Attack

Breaches of information held outside IT systems and networks continue to be a factor. For example, the December 2016 Manitoba Ombudsman's report entitled "Privacy Breach Practises in Manitoba" highlighted that 59% of the organizations that responded to its survey reported that their most common privacy breach was still the loss of paper records.

Additionally, insider threats and vulnerabilities such as those outlined below demonstrate that organizations must implement programs that go beyond protecting solely against external cyber attacks:

  • Disgruntled former employees
  • Current employees susceptible to corruption
  • Mistakes made by employees due to a lack of training or awareness
  • Lack of internal policies and procedures
  • Insufficient understanding of privacy legislation and obligations
  • Absence of formal security incident reporting or information security classification systems
  • Corporate governance that does not monitor security activities or performance
  • Soft practices for collecting, using, storing, handling and destroying all forms of information
  • A corporate culture that does not prioritize information security
  • Managers who do not set an example for the proper handling of information
  • Lack of an information security strategy, or one that is focused only on protecting IT assets

I am not suggesting pulling back on tactical IT countermeasures. I am suggesting that an integrated approach is the most effective way to build a comprehensive information security program. Management must take ownership of the issue, as it would for any other critical corporate or business priority, by incorporating information security into organizational governance, corporate culture, planning, performance management, and reporting. Only when these foundational pieces are combined with strong physical security controls, policies governing the sound handling of all forms of information, and up-to-date IT countermeasures does an organization have the basis of an integrated program.

Emergency Management is Critical

The final component of effective information security management is a nimble emergency management program. A day will come (it's a matter of when, not if) when a data breach happens, and how your organization responds can determine the severity of the damage to your business, your clients, and your partners. Your emergency response must be well planned, resourced, tested and ready for a data loss event. I have been involved in "emergency" situations as a result of lost information, and having a professional emergency response capacity was the key component that allowed us to gain control of the situation and resume operations while minimizing damage.

Integration is the Way Forward

The concept of an integrated approach to information security, and the "convergence" of cyber security with corporate security policies and programs, is not new. Several international standards and training organizations, such as ASIS International, ISO, NIST, ISACA and ISSA, have adopted and promote this comprehensive approach in their guidelines.

As the importance of information security rises and the complexity of threats evolves, executives and security professionals should address this challenge with the same level of integration they would apply to any other business priority. At the same time, regulatory requirements and client expectations regarding the management of private information continue to grow. A sustainable information security management program must integrate cyber security countermeasures with enterprise-wide corporate security planning and practices.
