Gartner: Security Policy Should Factor in Business Risks
Understanding the business risk posed due to security threats is crucial for IT managers and security officers, two analysts have claimed.
Addressing a media roundtable in Sydney at the Gartner Symposium, Andrew Walls and Rob McMillan said CIOs and CSOs must be abreast of their organisations' overarching business goals when defining policy around cyber security.
"The issue is part of its staff development and who you hire," Walls said. " ... If you don't train them in what your business does, they will never be able to anticipate the next move."
Former co-founder of AusCERT, McMillan agreed that a broader outlook needed to be taken by security managers and IT departments.
"One of the challenges is helping the folks underlying the business," he said. "Security managers need to take a look at security in the broader sense of the business."
Walls said that as well as looking at security as an integral business function, security concerns around social media must be addressed in the same way.
"The issue of social media is not a decision that the CIO or security officer should be involved in," Walls said. "It's a business issue."
Walls went on to say that social media "isn't an IT question", but rather a question of communication; a statement that echoes the sentiments of a group of CIOs at this year's CIO Summit who collectively agreed that the development of a social media policy isn't all about IT.
McMillan said while security officers are often competing with a number of other business functions, putting themselves in the shoes of a business owner was vital if security is to be viewed as a relevant issue.
"In that conversation you want to be able to anticipate the needs of the CIO," he said. "You've got to be able to show how the security activities you're undertaking are reinforcing the goals of the business."
The analysts' insights come as Gartner recently released a report that suggested CIOs should engage with social media rather than block sites that are seen as too much of a security risk.