ITPRO

Printed from www.itpro.co.uk


IT told to fix security without 'bothering' business

Security teams shouldn’t let the safety of systems fall on employees following policy, but instead should take ownership of their roles, one expert has said.

By Jennifer Scott, 11 Mar 2010 at 14:50

Employee awareness of security issues may be important, but it is down to the security team to take ownership of the systems and their jobs to keep the company safe.

This was the view of Kim Aarenstrup, chief information and security officer (CISO) for Maersk, in a keynote speech at the Forrester Security Forum in London today.

Although he claimed security issues were now a “business concern with a tech component,” he said it was up to the technical security team to deal with it, not the rest of the business.

“What we want to do is take care of a lot of the security challenges… without really bothering the business side. They have their own challenges [and] the CEO expects the CISO, who he is paying a salary, to take care of these things,” said Aarenstrup.

Although this may sound like the obvious way for security teams to operate, Aarenstrup pointed out that a lot of security had previously been done by saying no and issuing policies, leaving the safety of systems in the hands of the employees using them.

He said: “There is no doubt that [employee] awareness is important on certain aspects, very important, but asking employees to try to take care of everything? Really we are not going to leave the capability of security, which is very complex, in the protection of our employees.”

“They should look after those areas where they are at their best and we should look after this one.”

With new technologies such as cloud computing and virtualisation, Aarenstrup concluded that security teams needed to “get rid of the old dogmatic thinking” and “conservatism” that previously dominated the industry.

He claimed that rather than saying "no" to something that business users request because it may seem risky, security teams should find a way to make it safe.
