The reality is that we are seeing a significant change in the use of technology with the adoption of social networks, cloud computing, complex value networks and the consolidation and virtualisation exercises currently underway globally that the current economic environment has accelerated. These will introduce new exposure methods and as fast as they are identified the industry will indeed close them. Now, in order to make good business risk based decisions that comply with legal and organisational requirements, it is much easier to identify a policy in regard to your organisations information or data, define the rules and ownership and so on and then set the access policies accordingly. Based on the criticality, you can of course determine where to spend your money on investment in training systems and safeguards.
How can certification help us tackle some of the infosecurity problems we face today?
Certification is important on a couple of levels. Individuals who are accredited have a baseline of knowledge and skill that should give confidence to their organisation in that they have a good competence level to develop, implement and run security systems and processes. This level of competence must be maintained by annual training and networking within professional organisations, such as ISACA, to ensure that their skill sets are maintained and enhanced through ongoing education and training.
ISACA is one of the few organisations in the world that maintains globally-recognised industry certification standards, and over the years more than 60,000 professionals have benefitted from the ISACA certifications. We never forget that the world continues to evolve and we are committed to listening to what the industry has to say and provide them with what is relevant.
What aspects of infosecurity should all organisations focus on today?
In this years CACS Conference we scheduled to look at a number of significant areas that organisations should focus on within the next 12 months a least.
One of them is the development of a sound information security policy that is based on the information or the data, not the processes to access it (which is an error that in my opinion many of us make). Heres an analogy: why build or invest in a massive infrastructure to protect a bottle of soft drink when the formula to make it is the critical element?
This is going to be more critical moving forward with the adoption and evolution of Web 2.0 technologies and more collaboration, as the amount of information that we are going to manage is going to explode. Now, once you have identified critical information and data, then authorised processes to access this information, there ought to be a focus allowing you to start moving to handling exceptions to the rules.
At ISACA, we have been working on a Business Model for Information Security, which you can find at www.isaca.org/security. This does not replace the many sources of security programme best practices out there. It does, however, provide a proper view of information security programme activities within the context of the larger enterprise, that in turn helps one to integrate the disparate security programme components into a holistic system of information protection.
What special challenges do you think the organisations attempting what youve prescribed thus far should expect to face?
Sign up for MIS Asia eNewsletters.