Peter Dinham
Thursday, 08 October 2009 11:21
“They’re looking at putting in place an information
security framework that works for their specific governance needs,
rather than just implementing disparate point solutions.”
“A more holistic IT security strategy is being
driven by a heightened awareness amongst auditors, regulatory bodies
and governance boards as a result of corporate security breaches and
financial failures around the world. Clearly, this climate is
exacerbating the need for tighter governance requirements – and
organisations are trying to find ways of dealing with that pressure.”
O’Loughlin said he believed the industry had arrived at a tipping point
in IT security, where “data needs to become the primary focus of
security activity because after its people, data is an organisation’s
most crucial asset. Protecting data, instead of simply the network or
systems, requires a shift in mindset as well as technology.”
O’Loughlin explained that most security solutions are perimeter-centric
– protecting perimeters (firewalls, VPNs, etc.) and resources (laptops,
servers), and he said that “while they are necessary components of a
comprehensive security strategy, they protect the infrastructure that
contains and processes information, rather than the information itself.
An additional risk, in a perimeter-centric security environment, is
that when data leaves the protected assets or perimeters, it is often
no longer secured.”
According to Dimension Data, it’s time for organisations to think about
security from a combined governance, risk, and compliance perspective –
based on DLP.
O’Loughlin said that although DLP uses technology to secure an
organisation’s data, it is not really a technical issue but rather a
business issue, which, he added, “allows organisations to define and
enforce an effective security policy for information flow in order to
keep control of critical information such as blueprints, financial
metrics, and source code, prevent accidental breaches of compliance and
confidentiality policy, and support the user's need for ubiquity while
using laptops or smaller devices.”
“Our research shows that organisations deal begrudgingly with
compliance requirements. Often companies feel the cost of compliance
will outweigh the benefits. This is typically the result of
organisations following a check list approach to compliance, rather
than a risk management assessment of what is relevant to their
business. However, we are working with organisations that are
addressing DLP from a risk management perspective, where they wish to
understand their current maturity and their actual exposure through
health assessments.”
“This research illustrates an awareness of data leakage from the loss
or theft of a laptop computer, and also a strong desire to investigate
broader DLP strategies more holistically. DLP is a problematical area
within organizations, as it requires architectural considerations to
address multiple points where information is leaked. Companies need a
mature DLP program to govern those multiple points of either accidental
or intentional loss – such as the mobile workforce or portable storage
devices – and then govern their data usage, protect their gateways, and
implement an effective program to deal with data in motion.”
“DLP does not offer a simple packaged solution,” explained Eric Domage,
IDC EMEA program manager, European security products and strategies.
“DLP efforts must be adapted to specific business needs and based on
detailed risk assessment exercises that examine all forms of data flow
(data in use, data in motion, and data at rest) in order to identify
and eliminate all data loss vectors and create an unbreakable chain of
security links.”