Infosec 08: Make security part of corporate culture
By Nicole Kobie
Preventing the next data breach requires corporations to undergo a complete change of culture when it comes to security, according to a new study.
The report, produced by the Cyber Security Knowledge Transfer Network (KTN) and released during the Infosec 2008 show, examined how businesses can make the data they hold more secure.
It said that organisations must be aware of the importance of data security, because of the legal and financial implications, as well as the ethical ones.
The KTN advised three steps. First, organisations must take responsibility for securing data. Businesses clearly see the benefits IT offers, but sometimes miss the downsides, explained KTN's director, Nigel Jones. "This is a set of problems we didn't expect," Jones told IT PRO. "Now we have to reverse engineer to work out these vulnerabilities."
Second, privacy must be built into all stages of product development, from the initial planning through to audits afterwards. "You need a whole life view of privacy throughout the system," said Jones.
Third, the responsibility for assuring private data is secure must rest with the top members of the company - not the bottom. Jones said that solving data insecurity isn't just about finding the right tech, but about seeing data as having value and as something worth protecting. "It's not going to require some large-scale procurement. You need to make someone more senior responsible for it," he said. "It's a culture change."
He added: "It's about understanding the value of information, giving it monetary value."
Following from that, the report advised businesses against delegating such responsibilities to a junior staff member - it's often been junior members of staff held responsible for recent data breaches. Jones said every company - large and small - must have one person responsible for further moving the issue into the spotlight.
"They must be high profile... but they don't have to be a security person," he explained. "Data and information is not just the security department's concern."
He added: "It's more important that the person has the ear of decision makers in the company."
Jones acknowledged that security has moved up the business agenda lately, following a series of high-profile data breaches.
But it said it will take time to solve these issues. "It's slow to change culture," he said. He called on universities to teach software development in a way which focuses on security, and for governments to enforce the legal aspects.
When it comes down to it, he again stressed that securing data is more about culture. "We need to get people to want to look after it like it was their own personal possession," Jones said.