Why the status of IT security is changing within Australian businesses

23 February 2022 Consultancy.com.au

In most organisations, cybersecurity strategies tend to take a technology-led approach. But with changing expectations and more possibilities arising from new smart technology, the status of IT security is evolving, writes Sash Vasilevski, a Principal at boutique information security consultancy Security Centric.

Traditionally, IT teams have chosen what they consider to be the most appropriate tools and deployed them across their infrastructures. Now, in 2022, this is changing. Rather than being treated as just another item that an IT team needs to worry about, IT security is increasingly being treated as its own dedicated area.

This shift in thinking will allow clearer links to be established between cybersecurity risks and business objectives. This, in turn, will help to ensure that sufficient resources are allocated to the task and that the levels of risk being faced are in line with business expectations.


Ensuring effective alignment

Achieving an alignment between risk and business expectations requires a number of steps. Each builds on the one before it and ensures that the IT security measures in place are the most appropriate for the organisation. The required steps include:

An initial review: The first step is to carefully review all the components that, together, make up the organisation’s IT infrastructure. This includes everything from applications and databases to servers, networks, and client devices. The resulting inventory is the baseline against which every later step is measured: a system that is not on the list cannot be assessed or protected.

Check data flows: The next step is to review how data is transmitted, both within the business and externally. Mapping where data moves between systems, between the organisation and third parties, and across the internet helps to identify the points at which it is exposed and where weaknesses need to be addressed.

Examine cloud resources: As businesses increasingly make use of cloud-based resources, it’s important to remember that the job of securing those resources is not left to the cloud provider. Under the shared responsibility model, the provider secures the underlying platform, while the customer remains responsible for configuration, identity and access, and the data it places there. Review all usage of the cloud and ensure that appropriate layers of security have been put in place.

Determine acceptable levels of risk: Regardless of how much is spent and which security measures are implemented, there will still be a level of risk that remains. For this reason, it’s important to determine what level the business finds acceptable and whether this is the level that currently exists.

Manage that risk: Once the level of risk is understood, a strategy for its management can be developed. For each risk, the security team can choose to avoid it, accept it, mitigate it, or transfer it. Mitigating or transferring risk might include engaging an external specialist to operate security tools and other measures on the organisation’s behalf.

Conduct what-if scenarios: Once acceptable levels of risk have been identified, and measures put in place to maintain them, it’s time to run some what-if scenarios. This involves working through what the impact on the business would be if a particular event occurred, and whether the measures in place would detect and contain it. These events could include ransomware attacks, data theft, or malicious activity conducted by an insider.

Security is now a board-level issue

As increasing numbers of businesses realise they need to be treating security separately from their overall IT activities, many are making it a board-level issue. The board needs to understand the risks being faced, the measures that have been put in place to mitigate those risks, and what would happen if an attack were successful.

Having board-level attention is particularly important at a time when many organisations continue to have large numbers of staff working from home. Remote work moves users and devices outside the traditional network perimeter, which changes the game when it comes to achieving effective security, and senior management need to be fully informed about what is required.

Senior management also have a key role to play when it comes to user education and attitudes. If the importance of adopting safe work procedures is communicated from the top, staff are more likely to take it seriously and comply. As a result, staff will be less likely to fall for phishing attacks or infect their devices with malicious code. This, in turn, reduces the likelihood that serious disruptions will be experienced.

The challenge of maintaining robust IT security is a job that is never truly complete. However, through constant review and adjustment, security infrastructures can provide the levels of protection that growing businesses require.