QA | 29 April 2016
Information Security, or to use the current neologism Cyber Security, has traditionally been the responsibility of the IT department, and it is easy to see why. It was in the dark, distant days of the 1990s that computing and Web access began to make their presence felt in the workplace. For many their first encounter with the World Wide Web was using Internet Explorer 4 or 5 on a Windows 95 computer, possibly at home. Computers and networks were just being introduced into the workplace, and only a small group of people in the IT department knew how they worked and were responsible for them.
Throughout the intervening years Information Technology became more and more central to organisations across the world; the concomitant risks became greater, and still the responsibility has remained with the IT department. This was due in part to that department traditionally being the most aware of the risks facing the organisation from the ever-increasing number of cyber threats and, in part, to organisational inertia. Organisations appear unwilling to move the responsibility away from the IT department simply because it has always looked after security.
However, as the threats have become more sophisticated, more multi-faceted, more professional and more expensive they have left the IT enclave and entered all the facets of an organisation. Proficient attackers are known to focus on both the human and IT assets of an organisation searching for vulnerabilities they can exploit for financial, personal or political gain. Therefore it makes sense to include other parts of the organisation in the responsibility for protecting the assets of the organisation.
In order for any major organisational venture to succeed it is of paramount importance that it has high-level, preferably board-level, management support; and although this has now become a cliché it does not make it any less true. The HM Government publication entitled FTSE 350 Cyber Governance Health Check Tracker Report, from November 2013, stated that ‘75% of respondents had not undertaken any cyber or information security training in the last 12 months and 80% of respondents said none of their Board colleagues had undertaken any either’. How can the board-level executives of an organisation truly support an Information Security stance that they do not understand, and protect the organisation from threats that they are not aware of?
Another department that can have a great influence on the efficacy of an Information Security program is Human Resources. By drafting effective policies and instituting some kind of disciplinary procedure for breaches of the Information Security policies, and, most importantly, actually following it, the HR department can reduce the exposure of human assets to threats.
The HR department, or the Training department if the organisation has one, can greatly aid the Information Security program by providing relevant, up-to-date security training that actually addresses the current threats faced by the organisation. Little can be as enervating for the end-user as repeating outdated security training that does not cover the environment they are currently working within, or the threats they are currently facing.
The people that are involved in cyber-crime are, in general, early adopters of new technologies and new techniques, and they are not focussed solely upon the technological aspect of cyber-crime. It therefore makes a great deal of sense for the organisations they are attacking to use the same approach in organising their defences.
Organisations should not rely solely on technology to defend their infrastructure, but rather, combine both technological and non-technological strategies into the Information Security strategy.