They say you should never judge a book by its cover, but nobody told PricewaterhouseCoopers (PwC). The latest volume from the consultancy firm is a case in point. A photo of the Great Wall of China graces the cover of Information Security: A Strategic Guide for Business, part of PwC’s Technology and Risk Management Forecast series.
Far from being an arty shot for its own sake, the picture is actually an apt symbol of the drawbacks with perimeter security: simply put, the wall proved not to be so great at repelling invaders.
Got the message yet? Underpinning PwC’s latest thinking, gathered together in the usual meaty tome, is the view that approaching security in a piecemeal way isn’t good enough any more. The 288-page guide outlines a best practice approach to preparing strategies, planning and implementing integrated security solutions. It also examines current and emerging trends and technologies in the security field.
The guide also aims to help organisations align their technical and business agendas more closely and to get better value for money from IT security systems. This is against a background of growing pressure on enterprises to implement tighter IT security controls, because new regulations will require directors to state that their businesses are security compliant. There is also the need to ensure that organisations are protected from exposure to risk.
“Information security has never been higher on many people’s agendas than it is now,” explains Ciaran Kelly, senior manager for global risk management solutions at PwC’s Dublin office. The emphasis has changed, though. The old way was based on the principle of security by exclusion, or, to put it another way, keeping people out. Now security by inclusion is taking hold, as businesses must provide access to various systems for internal employees and external customers, wherever either group may be. Such an environment also brings with it increased security headaches.
PwC argues that the time has come to look at the area strategically. Previously security was based around a series of ‘point solutions’ designed to address one particular area. The rise of spam over the past year aptly illustrates this. “Corporations are dealing with the spam issue but they shouldn’t take their eyes off the rest of security. Hot topics seem to take up too much of some companies’ time. They should think about security in a more holistic way,” says Kevin Findlay of PwC’s Global Technology Centre, a contributor to the book.
Kelly’s assessment is that security at the enterprise level requires tight management. “You wouldn’t have human resources or finance based on multiple processes,” he says. Findlay concurs: “All the products on the market are point solutions. There has to be a move to integrate them with a central management console. There are better reporting mechanisms coming through,” he notes.
One response to the spam problem is to introduce encryption and authentication systems for email, so that the recipient can verify who sent a message. This is a throwback to the public key infrastructure (PKI) technology touted by Baltimore in its days as a stock market darling. According to Findlay, the technology may be about to find its niche at last, but possibly not as originally intended. “The problem with PKI is it’s very hard to implement, there is no recognised standard and there are lots of proprietary solutions. It’s potentially going to be embedded into solutions. It will re-emerge in a different way,” he says.
The email protection used by Yahoo! has this technology, and it is also appearing in document management systems and enterprise resource planning software, he points out. “The drive for technology companies is to put better authentication in place,” Findlay adds.
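The mechanism Findlay is describing, shown here as an added example written for this page (it is not code from the PwC guide, from Yahoo!’s email protection or from Baltimore’s products): the sender signs the message with a private key and the recipient checks the signature against the sender’s public key, so that a tampered body or a message signed by someone else is rejected. The sample mail text, the choice of RSA-PSS with SHA-256 and the names Alice and Mallory are assumptions for the illustration. What the code deliberately leaves out is the part Findlay calls hard: the recipient here simply trusts Alice’s public key, whereas a PKI has to bind that key to her identity through certificates, and that is where the proprietary, non-standard implementations he complains about live.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed sample message standing in for an email body plus the headers
// a signer would cover. Not taken from any real mail system.
const sampleMail = "From: alice@example.com\r\n" +
	"Subject: Q3 figures\r\n\r\n" +
	"Please find the numbers attached.\r\n"

// Sender holds a private key. In a PKI the matching public key would be
// bound to the sender's identity by a certificate; here it is just trusted.
type Sender struct {
	key *rsa.PrivateKey
}

// NewSender generates a fresh 2048-bit RSA key pair (assumed parameters).
func NewSender() (*Sender, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Sender{key: k}, nil
}

// PublicKey is what the sender distributes to recipients.
func (s *Sender) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the message with SHA-256 and signs the digest with RSA-PSS.
func (s *Sender) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, digest[:], nil)
}

// Verify is what the recipient runs: it re-hashes what actually arrived and
// checks the signature against the public key it trusts for the claimed sender.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo exercises the three cases a recipient cares about:
// a genuine message verifies, a tampered body fails, and a message signed
// by an impostor (Mallory) under Alice's name fails.
func Demo() (genuine, tampered, impostor bool, err error) {
	alice, err := NewSender()
	if err != nil {
		return
	}
	mallory, err := NewSender()
	if err != nil {
		return
	}

	msg := []byte(sampleMail)
	sig, err := alice.Sign(msg)
	if err != nil {
		return
	}
	genuine = Verify(alice.PublicKey(), msg, sig)

	// Attacker swaps the body in transit but cannot re-sign as Alice.
	forged := []byte(strings.Replace(sampleMail, "attached", "at http://evil.example", 1))
	tampered = Verify(alice.PublicKey(), forged, sig)

	// Attacker signs the original text with their own key and spoofs the From header.
	badSig, err := mallory.Sign(msg)
	if err != nil {
		return
	}
	impostor = Verify(alice.PublicKey(), msg, badSig)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

Running it prints `genuine=true tampered=false impostor=false`. The point for a practitioner is that the cryptography itself is the easy part and is standard library code; the difficulty Findlay refers to is distributing and trusting the public keys, which is why the article expects PKI to return embedded inside other products rather than as a stand-alone rollout.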
PwC also revealed that very few Irish companies have an information security function that exists outside of the IT department. “I would say it’s less than 20pc,” Kelly indicates.
A good approach for companies to take is to make sure that security policies are implemented in a holistic way and to find the technology that is a close fit with their business processes. “The IT industry has always been about trying to match technology to business processes. In the security sector perhaps that needs to be restated,” Kelly concludes.
By Gordon Smith