Garry Sidaway, SVP security strategy & alliances, NTT Security

New technologies, new ways of working, and growing volumes of data are putting increasing pressure on IT departments. And with security threats continuing to mount, organisations must look to invest in core safeguards to protect key assets. 

However, a cyber-security vendor gold rush has ensued, and IT departments and business leaders are struggling to make sense of the overwhelming number of solutions when it comes to deciding what to buy and how best to protect the company's assets.

And understandably so. Regular high-profile breaches have meant that cyber-security is rarely out of the spotlight, and vendors are launching new products to address this challenge. This makes it hard for CISOs to navigate what's available, and for the less technically-minded to make sense of the jargon, acronyms, and governance requirements.

This view of complexity is supported by Frost & Sullivan's Global Information Security Workforce Study (GISWS), which indicates that two thirds of respondents are concerned about security sprawl.

So how do organisations cut through the complexity and confusion and make the right decision when choosing how and when to spend budget on new security technologies?

Jargon is just jargon

Firstly, the latest terminology and buzzwords should have no impact on a well-planned and well-executed information security and risk management programme. Careful planning and placing trust in that programme will keep businesses focused and reduce the likelihood of being distracted by the next big thing. Rather than following trends and hype, they should be looking at what to do with their existing policies, processes and technologies to understand where their real risks are.

Make cyber-security a business issue

Many organisations tend to see security as a technology issue rather than a business one. As a result, the right questions are often not asked about cyber-security defences. Effectively managing risk means having the right governance in place with appropriate supporting processes and the right enabling technology. It should never start with the technology. 

The common misconception is that, by investing in best-in-class technology, organisations will be safe. But, while it's important to integrate security technology into a company's IT architecture, it will only be effective if end users understand their personal responsibilities for keeping the systems safe and these principles are embedded into the overall business. And that requires changing the culture of the organisation and educating employees, rather than spending money on yet another tool. Technology alone will not reduce the business risk.

Assess risk exposure

An important step towards de-mystifying security and protecting an organisation against potential threats is to fully understand the risk exposure across all areas of the business. There is a growing global shortage of cyber-security skills, so if in-house skills are lacking, organisations should take expert advice from a trusted third party and consider a comprehensive evaluation of the company. This will highlight areas of risk, provide recommendations, prioritise actions, and help them build a strategic road map for continuous risk management.

A full assessment would also detail gaps in a company's IT security armour, outline the risks associated with a contractor workforce, and highlight the critical areas that need immediate attention. An evaluation summary will also provide businesses with a timeline for carrying out any remedial action required. No two organisations are the same, and information security is never done: it's a continuous cycle that supports on-going improvement. The starting point very much depends on where a business sits in terms of security maturity.

Security needn't be complex

There's never been more choice in security technology and, while this clearly benefits the industry as a whole, organisations need to avoid unnecessary complexity and take a more focused approach to cyber-resilience. Technology alone won't resolve a skills shortage, ransomware requires education and awareness, and platforms must be comprehensive and managed effectively to benefit the organisation. Too often technology is seen as the panacea but, if organisations make ill-advised choices and don't take enough care with configuration and management, it's not the business enabler that it should be.

Finally, a growing number of organisations acknowledge that some things are best left to the experts. Continuing to make ill-informed decisions and therefore increasing the level of complexity around data security is not sustainable. What's needed is sound, sensible advice from organisations that can be trusted to listen to their specific challenges and create the optimum solution to suit their business, and the resources they have available.

Contributed by Garry Sidaway, SVP security strategy & alliances, NTT Security