3 critical things every business leader should know about security

There isn’t a day without some form of security breach reported on the news and a company or organisation being fined, losing customers, suffering reputational damage and so on. It’s rare for a week to pass without the Information Commissioner reporting a judgement against an organisation for data misuse and, globally, research shows the cost caused by security breaches is steadily increasing.

To combat this, and ensure that your organisation has the best possible chance of avoiding these outcomes, there are three key points that every business leader, at every level, should be fully aware of. This is just as valid for the CEO of a multinational corporation as it is for the small business owner.

1. Security is everyone’s business but the responsibility lies at the very top.

Security is important. It is the vital cog that ensures your business is still viable (and in some cases still present) in an hour, a day, a week, month or year. Without security your organisation will fail.

This may seem harsh and doom-mongering, but it is, sadly, very true. If you do not take security seriously, your stock will be stolen, your assets plundered and your intellectual property taken. Your competitors will gain advantages over you and your customers won’t trust you.

You need to take security seriously.

You do this by realising how important it is and ensuring that security (physical security, information security, personnel, loss prevention, whatever your business calls it) is represented at the highest level. By appointing a Chief Security Officer (CSO; again, this can have many names, such as CISO, but it’s the role that matters more) who reports directly to you, you ensure that security matters receive suitable treatment within your organisation.

If you are the CEO of a big company, is your head of security a board member? If not, you don’t take security seriously, and other business functions will steadily push security out of the door. This will continue until you suffer unacceptable losses and are forced to spend significantly more to rectify the situation.

Don’t fall into this trap – be proactive and take security seriously.

2. Security is NEVER perfect.

Hot on the heels of taking security seriously to keep your business afloat, you have to realise early on that nothing you do will give you 100% security, and anyone who promises that their product or service will offer anything even close to this should be avoided.

A painful fact is that you are protecting your organisation and its assets against an unimaginably large number of threat actors, who come with varying levels of skill and are able to probe your defences 24 hours a day, 7 days a week.

Risk management is the crux of security. The most important thing your CSO/CISO (whatever) can do for you is determine what security risks your organisation faces and how your business is best placed to address them. You should normally expect your CSO to chair your organisation’s Risk Management Board, as he/she is best placed to make the decisions about your organisation’s risk appetite.

Remember every opportunity has risks and frequently risks present opportunities. By having security represented at the highest level in your organisation, you can ensure that security risks are always managed in line with your current business objectives and strategies.

3. Security never stands still.

The next frequent cause of misunderstanding is the unfortunate fact that security is a constantly evolving process. Criminals, including terrorists and thieves, as well as the “curious” cyber hackers, are constantly looking for ways to circumvent security controls. Once they find a route through, this information is usually widely propagated, forcing everyone to review and enhance their security controls which, in turn, restarts the cycle.

The good news is that this threat-compromise cycle is faster in some areas than others, but it does exist everywhere. Experienced criminals are able to bypass complicated door locking systems that would have been impassable 15 years ago, but on the whole, locks are still an effective deterrent. On the internet, however, even high-end security controls can sometimes be compromised in a matter of months.

This is not a counsel of despair, and it is not a reason to avoid implementing any security controls. When electronic tags and CCTV became widespread in shops, shoplifters learned how to bypass the controls and thefts resumed. However, in places where there is no CCTV or tagging, shoplifting takes place on a much, much larger scale.

Here the key point is that you must be prepared to view security as a constantly evolving task for your organisation. Never implement a security control and then leave it. It needs to be constantly monitored for effectiveness, and when the criminals learn to bypass it, you must act swiftly to re-establish your security.

The hard part is remembering that the threats never sleep, so you can never afford to turn your back on your security.

Security Leadership.

If you understand and can implement these three critical things, then you can be reasonably confident that your organisation’s approach to security is significantly stronger than that of the majority of your competition.

For more advice on how you can improve your security, or an informal chat on what steps your organisation needs to carry out, get in touch with our security consultants who will be more than pleased to help you.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years’ experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential-standard reports and conducting detailed interviews to ascertain the details of an incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks, as well as project-managing the development of secure, compliant, workable business processes.