Companies must learn how to use risk to achieve the level of IT security they need, argues John Meakin, group head of information security at Standard Chartered Bank (SCB).
SCB is positioned as the leader in banking for emerging markets, with 500 offices in 50 countries around the world. So Meakin is only too aware of the potential security threats the organisation faces. “We do business in the ‘riskier’ parts of the world,” he says. “Risk management is at the core of our business.”
That approach centres on making security relevant to the business. There are some fundamental questions companies need to ask themselves, he argues. What is valuable? What could happen to our assets if they are insufficiently secured? What is our risk? What do we need to do to reduce it?
This process should be as simple and as easy to understand as possible – as should the security policy it eventually produces.
“You need to make security available and accessible to all,” says Meakin. “Don’t swamp staff with the whole policy, but select what is relevant to everyone and focus on that.” And often staff are blissfully ignorant of security issues. Various surveys, he says, have indicated that as many as 80% of employees are unaware of much, if not all, of their employers’ information security policies.
But it is not just staff who need to understand the importance of security. One of the biggest challenges for the IT department is to make the board understand, too, and here risk analysis can play an important part.
“One of the easiest ways to get the board interested is by showing them the threat of attack,” says Meakin. He managed to get the interest of SCB’s board by using a graphical representation – the “Information Security Threat Horizon” – that details nine key threats for the bank, how important each threat is, and how each would develop over the following three years.
But boards often demand hard figures on the costs involved in security breaches and the likelihood of their occurrence. And those numbers are not easily obtainable. Compared with the huge amounts of historical information on the cost of fire and flood losses, there is a distinct lack of actuarial data available to make quantitative decisions about IT security losses. To fill in the blanks, many corporations use internal experts to ferret out risk information on individual incidents in the sector.
Once board backing is secured, there is still the question of how to secure the organisation against the biggest risks; there is no single solution for all situations, Meakin maintains. At SCB, he chose to develop tools to determine what risks the company faced and what it needed to do to mitigate them. To reduce complexity and automate the process, his security department then built a database that had the risk design controls mapped into the system.
However, developing a security policy is just the first step, says Meakin. “You can’t just build a wall and stand behind it. Companies need to monitor and test security as they go along. It is no good just having [software update] patches – they need to be installed. That is the biggest challenge.” It is also a challenge that a lot of companies are failing to recognise, he says. “Monitoring is the Cinderella of security – very few organisations do enough.”
Deciding what is enough to minimise risk is not easy. It is, he says, something that can only be done through analyses of values, vulnerabilities and threats.
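The questions in the article (what is valuable, what could happen to it, what is our risk, what reduces it) are the columns of a risk register, and Meakin's point that a patch only counts once it is installed is the difference between inherent and residual risk. The following is an added example written for this page, not SCB's own tool or database: it scores each asset/threat pair on constructed 1 to 5 scales, credits a control only when it is actually deployed, and ranks residual risk against a tolerance so that the entries still "not enough" are visible. All asset, threat and control names and scores are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Qualitative scales, 1 (low) to 5 (high). Inherent risk = value x likelihood x exposure,
# so the maximum score is 125. All figures below are constructed, not SCB data.


@dataclass
class Asset:
    name: str
    value: int          # "What is valuable?"


@dataclass
class Threat:
    name: str
    likelihood: int     # "What could happen?"


@dataclass
class Control:
    name: str
    reduction: int      # exposure points removed when the control is in place
    installed: bool     # approved on paper is not the same as deployed


@dataclass
class Exposure:
    """One line of the register: how exposed one asset is to one threat."""
    asset: Asset
    threat: Threat
    exposure: int       # exposure before any controls
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.asset.value * self.threat.likelihood * self.exposure

    def residual_exposure(self) -> int:
        # Only controls that are actually installed reduce exposure.
        reduction = sum(c.reduction for c in self.controls if c.installed)
        return max(1, self.exposure - reduction)

    def residual_risk(self) -> int:
        return self.asset.value * self.threat.likelihood * self.residual_exposure()

    def gaps(self) -> List[str]:
        """Controls that exist in the policy but are not yet in place (the monitoring problem)."""
        return [c.name for c in self.controls if not c.installed]


def build_register() -> List[Exposure]:
    """Constructed sample register with three asset/threat pairs."""
    customer_db = Asset("customer database", value=5)
    branch_web = Asset("branch web portal", value=3)
    ransomware = Threat("ransomware", likelihood=3)
    phishing = Threat("phishing", likelihood=4)
    defacement = Threat("web defacement", likelihood=2)
    return [
        Exposure(customer_db, ransomware, exposure=4, controls=[
            Control("OS patching", reduction=2, installed=False),   # approved, not rolled out
            Control("offline backups", reduction=1, installed=True),
        ]),
        Exposure(customer_db, phishing, exposure=3, controls=[
            Control("MFA on remote access", reduction=2, installed=True),
            Control("staff awareness training", reduction=1, installed=True),
        ]),
        Exposure(branch_web, defacement, exposure=5, controls=[
            Control("web application firewall", reduction=2, installed=False),
        ]),
    ]


def rank(register: List[Exposure]) -> List[Exposure]:
    """Highest residual risk first: where to spend the next effort."""
    return sorted(register, key=lambda e: e.residual_risk(), reverse=True)


def above_tolerance(register: List[Exposure], tolerance: int) -> List[Tuple[str, str]]:
    """Asset/threat pairs whose residual risk still exceeds what the business accepts."""
    return [(e.asset.name, e.threat.name)
            for e in rank(register) if e.residual_risk() > tolerance]


if __name__ == "__main__":
    reg = build_register()
    for e in rank(reg):
        print(f"{e.asset.name:22} {e.threat.name:16} inherent={e.inherent_risk():3} "
              f"residual={e.residual_risk():3} missing={e.gaps()}")
    print("above tolerance 25:", above_tolerance(reg, 25))
```

In this sample the customer database stays the top residual risk (45 of 125) purely because the patching control is on the policy but not installed; marking it deployed would drop that line to 15, below the tolerance. That is the arithmetic behind "it is no good just having patches, they need to be installed".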