For many Canadian businesses, implementing information security is a bit like quitting smoking – everyone knows they should do it, but few can find the resources or willpower, according to a new book.
Aimed at business types who need a primer on e-protection, Security Transformation: Digital Defense Strategies to Protect Your Company’s Reputation and Market Share was authored by Mary Pat McCarthy and Stuart Campbell, senior executives with consulting firm KPMG LLP.
Combining tips, tales and interviews with a number of security experts, the book encourages managers to view data protection as a strategic business issue, rather than a purely technical question.
“We were concerned about the lack of awareness, and how little attention was being paid to e-business and broader Internet security by top management, especially in light of the increasing exposures that are being reported,” said Bob Widdowson, a Toronto-based partner for information risk management (IRM) with KPMG.
Since absolute security is virtually impossible, Widdowson believes that managers need to balance their appetite for risk with their available resources and make some tough business decisions.
“I would say that in the past the focus of security has been on prevention and it’s been viewed as a project that people feel is like a headache or smoking – you fix it and it goes away. Maybe the initial [security] infraction or incident can be fixed by money, but the on-going prevention and mitigation of risk to an acceptable level is not going to go away.”
There are several areas of e-business where emerging technology is introducing “major security concerns”, according to Francis Beaudoin, a senior manager with KPMG’s IRM practice. These areas include wireless networks and business-to-business connections like supply-chain arrangements, he said.
“[Many] organizations are now linking their networks to the other companies that they are trading with. When you do that, you have to understand and realize that you are opening your network to a partner that may not be as secure as you think – you have to look more at the transaction than just the technology or just the network,” said Beaudoin.
Changing the corporate culture around information security, especially the disconnect between techies and MBAs, presents a daunting challenge, but recent high-profile exposures like the Code Red worm move perceptions in the right direction, said Widdowson.
“There’s nothing like a security incident to heighten awareness – it would be nice to have another Year 2000 to get things moving,” he added.
KPMG Canada is at http://www.kpmg.ca