Businesses need to consider the security of their suppliers and other partners in their risk mitigation strategy, and not just look at their own networks.
That’s the view of Ashley Jelleyman, head of information assurance at BT, speaking at Computing’s IT Leaders’ Forum event in London this morning.
“Information risks can span shared infrastructures and supply chains. Security heads need to get involved in whole process,” said Jelleyman.
He explained that the threats from insiders is now well known, but the risk is not necessarily limited to direct employees, but other insiders in the corporate ecosystem.
“We see malicious insider attacks – like the disgruntled employee,” said Jelleyman. “It may not be an attack that comes from outside.
The insider world has grown, and we now share access to our systems with our vendors, third parties and customers, so those outsiders become insiders we’re allowing in.
“Every one of those people we allow in is a potential insider threat we may not have mitigated against in the past.”
He added that with the “threatscape” continually evolving, firms today often need to increase their security investment just to gain the same level of protection enjoyed in the past – not something any CEO or CFO is going to swallow easily.
“Threats and risks are evolving. Risk assessments may be one-off, but it needs to be a continual process. What worked yesterday may not work for us tomorrow. We need to make the board aware that we’re spending more money just to stand still, because the game moves faster than we can.”
And on the subject of upwards communication, Jelleyman argued that boards need to understand how important the information a company holds really is, as the level of protection provided at many firms isn’t adequate.
“What’s the information worth, how much will it cost to protect, and what’s the payoff of securing it? Get it wrong and you will over- or underpay for your protection.
The board needs to understand that you are spending their money wisely,” he said.
Jelleyman added: “Every board will have a risk appetite, but you might need to help them understand what that is. What are you prepared to take as an annual hit on information risk? What’s that risk threshold? Then balance the security risk against the business needs. Look at it qualitatively and quantitatively, then present prioritised information risks and associated recommendations on which business decisions can be made.
“Translate the message into the board’s language, not ‘IT-speak’,” he argued.