For Indigo Books and Music, IT security is about aligning security strategies with corporate goals and objectives, and the bookseller has urged companies to follow this example.
Indigo bases its security spending on its impact on the overall business model, assessing risks from a business perspective instead of a technology perspective, said Ricky Mehra, director of IT security and internal controls for Indigo. Mehra was at a recent online security roundtable hosted by Microsoft Canada.
“Our security investments are strategic in nature,” he said, adding that Indigo looks at its security investments and determines how they will fit the company’s business model five years down the line.
As an online company doing millions of dollars’ worth of transactions, Indigo exercises prudence in applying global security for its business, Mehra said.
To keep its customers’ trust and its business competitive, Indigo has invested considerably in a “defence in depth” security framework, said Mehra, which includes technical controls like firewalls, password control mechanisms and intrusion detection devices. It has also devoted resources to establishing internal policies such as who gets access to what information, and user awareness and training to better secure its online business and corporate network.
Stephen Lawson, vice-president of technology with Fox Group Consulting in Mount Albert, Ont., said companies should take a page from Indigo’s approach to IT security. “A lot of people have the misconception that [security] is an option [but] it is really about the implementation of…policies,” said Lawson.
While many organizations like Indigo use a “defence in depth” framework, there are still companies that believe installing a piece of technology is enough for IT security. But technology is only one piece of the puzzle, Lawson said. It is important for the business side to first create security policies, then look into technology to enforce those policies, he added.
Implementing IT security policy as part of the corporate agenda is becoming more important in view of increasing government regulations.
With compliance becoming more of an issue, security executives are citing compliance to prove return on investment, said Steve Lloyd, Microsoft Canada’s chief security advisor. “To convince the higher ranks that security is worth investing in, talk about compliance and the penalties that will be levied if you don’t comply,” he said.