Analysis: Experts discuss security in a recession

Benchmarking study highlights where firms are failing.

A recent benchmarking study by PricewaterhouseCoopers (PwC) suggests that much work still needs to be done to ensure that a combined IT and corporate security function is adequately prepared to protect businesses from 21st century threats.

The consultancy firm approached 10 of its FTSE 100 clients to carry out the study, finding that many lacked a joined up approach to security which led to silos in IT security, as well as other areas like anti-terrorism and intellectual property infringement, without any cohesion.

The exercise resulted in six key findings, including the need for greater collaboration between departments, and better understanding of the risks from third parties as more and more services are moved offshore.

"The ability to restore business processes in a timely fashion could have been improved across the board, especially when you see how many third parties are going to the wall," said Steve Wright, security and business continuity management leader at PwC. "We found that they didn't seem to do enough risk analysis."

The study also found that firms need to improve their people security initiatives, as only 50 per cent demonstrated significant amounts of employee vetting.

"In an age when the pressure on the family unit to maintain a roof over their heads becomes immense, more employees could be suspected of doing something illegal," said Wright. "It is extremely hard to iron out but, if you're not doing the vetting in the first place, it really will leave you wide open."

Jay Abbott, a senior manager in PwC's technology assurance practice, who carries out penetration testing and ethical hacking work, agreed that "the insider threat has, and will continue to be, the biggest area of risk", but argued that physical security also needs to be improved.

"There are easier ways these days to get data out of an organisation than hacking, and the techniques are all known about by organised crime," he added.

The benchmarking study also looked at the main areas of responsibility for a combined corporate security and IT security function in the 21st century. These included a good understanding of information assets, thorough risk assessment methodologies, business continuity preparedness, and rigorous incident management processes.

The PwC report also noted the importance of good leadership from the chief information security officer (CISO). "Tomorrow's CISO will be on the executive team and there to help steer the ship," said Wright. "The CISO's role is about giving people the options."

Nick Frost, senior research consultant at the Information Security Forum (ISF), said that conversations with the organisation's 300 members suggest that most see an increase in the threat from organised crime as the recession continues.

Cost-cutting has led in some cases to firms outsourcing and offshoring more business-critical processes than ever before, which increases the risk of data loss, Frost warned.

"It is unfortunate that information security teams rarely get involved [at the beginning], and the level of involvement needs to increase," he said.

Frost also highlighted the threat to mobile devices as they become more frequently used for authentication and payment. However, he said that ISF members are less convinced about data breach notification laws, believing that they may create a laissez-faire attitude among the public towards data breaches.

"Therefore when organisations begin to recruit this Generation Y, they could be more relaxed and happier to transfer data onto mobile devices that aren't properly protected, for example," he said.

Howard Schmidt, president of the ISF, and a former White House security advisor, was more upbeat about how firms' security functions are responding to changing pressures. He argued that security is no longer being treated as an add-on, but is being engineered into IT infrastructure and business processes from the start.

Schmidt added that companies are also starting to see the benefits of what he termed "co-opertition", or the sharing of information with competitors in order to benefit from a collective experience.

"It's like all the ships rising in a dock at the same time," he explained. " It's about getting more return on investment from security, so the more information I get from a wider audience, the more valuable it is in determining how much I'm going to spend."