In an increasingly regulated world, all companies today have to take a long hard look at the way information resides within their organisations, who has access to it, and more importantly, whether it leaves them open to operational and security risks.
These concerns are underpinned by, among others, the King III report on good corporate governance, which focuses in detail on IT governance in the context of risk management.
The report states that the confidentiality, integrity and availability of business networks are essential components of good governance, safeguarding the authorised use, access and disclosure of, and changes to, the information residing in information systems.
Says Jayson O’Reilly, director: Sales & Innovation at DRS, “Business today is all about taking risks, being bolder than your competitors and treading new paths that lead to greater financial gains. However, these variables are underpinned by the principles of information security, because with greater success, companies also often become the targets of malicious attacks from within and outside their organisations.”
He says IT executives within organisations need to take the responsibility squarely on to reduce the overall risks to business.
“This requires a thorough understanding of risk and compliance at any point in time, and this can be challenging because you cannot manage what you cannot see. Visibility into risk begins with knowing your business data and making sense of your operational data.
“Before companies can properly assess their internal and external risks, they must know where the business critical data resides, which processes already support and manage it, what other IT processes tie into the data resources and who has access to these resources,” he adds.
O’Reilly says that to address this, IT must put proper risk management strategies in place, such as security policies and controls on how information is managed throughout its life cycle – how it is captured, processed, used, stored and discarded.
“There are a number of risk and compliance security products available that allow organisations to do just that. They provide visibility, control and mitigation to the ever-changing threat and compliance landscape and are tailored to the mission of the organisation and the role of the system within the organisation as it supports the mission.
“These processes must then be refined, not through check-box compliance, but through actionable risk management programmes, such as risk analysis, security information and event management and vulnerability scanning, that address IT security as a business risk.”
While risk management programmes are daunting in scope, man-hours and complexity, O’Reilly says that with these safeguards in place they ultimately increase business confidence in the role of IT in an organisation, as they bring real value to the business bottom line.
“Companies today recognise that they must have adequate visibility into their organisations to assess risk, vulnerabilities, compliance and security. With the right tools, organisations can save enormous costs by supporting audits, prioritising software patches, and assessing individual and organisational risk.
“More importantly, increased visibility into an organisation can provide early detection of possible catastrophic damage and supply actionable information and preventative controls to protect an organisation’s most important asset. Information security is the driver for good governance, and the ability to report on organisational risks and to manage these transparently is key to this,” he concludes.