De Haan Digital Assurance

Information Security and Compliancy

Compliance and Assurance

It is all about Information Security Controls
in your Business and IT processes and solutions

Deming quality cycle

Many organisations have used spreadsheets to practise risk and security management and to prove their assurance, which is time consuming, costly and adds no business benefit.

Due to constantly shifting regulations, businesses today are having to audit their IT compliance requirements on average four and a half times per year. Now more than ever, the act of adhering to regulatory requirements requires an ongoing commitment.

IT staff still find it difficult to translate security controls into concrete actions in the initial design and build phase of software. Because of these complex processes, employees focus on the continuous maintenance of documentation to please internal and external regulators, instead of on value creation for customers.

Without an automated process, security and privacy by design and continuous delivery are not possible. Compliance processes are complex and time consuming, often manual, and the same evidence has to be found again and again for different audits, reviews and regulators.

Security was mainly IT-oriented and the main focus was on using IT controls to mitigate or detect security vulnerabilities. The state of security in 2010 shifted towards ‘information security’.

However, the number of IT security incidents has increased over the years, as has the financial impact per data breach. Mastering emerging technologies such as big data, the Internet of Things and social media, and combating cybercrime while protecting critical business data, requires a team instead of a single IT person.

IT security controls are implemented based on best practices prescribed by vendors, without a direct link to risks or business objectives. These controls are dependent on technology, and audits and assessments (in spreadsheets) are used to prove their effectiveness. The problem with this approach lies in the limitations of mainly IT-focused security and of security experts working in silos with limited, subjective views of the world. This matters because information security is subject to many different interpretations, meanings and viewpoints. In the case of information security, this refers to interaction and reflection between actors, e.g. the business, data owners and industry peers, on the appropriate level of risk appetite and security maturity.

This points to the failure of ‘expert knowledge’ in impact estimations and to the importance of experience beyond risk and IT security, such as collaboration and reflection.

To protect this data, security professionals need to understand the value of information and the impact if it is threatened. IT risk management requires capabilities, knowledge and expertise that differ from the skills of IT security professionals.