Bugwatch: Managing your users

by Ray Stanton

22 Apr 2004

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Ray Stanton, director of UK security practices at Unisys, argues the case for the management of users and greater security over user data as the best way to control business threats.

IT managers are ignoring a fundamental part of their IT security by blindly installing the latest systems in the belief that such technology will protect their business.

Technology alone will not solve the problem. Managers are lulled into a false sense of confidence if they think the latest firewall or intrusion prevention system alone will protect their data, business and employees.

Devices and tools such as virtual private networks, antivirus and vulnerability assessments are important components of a modern security strategy. But these are additional layers of security, and a waste of time without intelligent management of the people and processes within the organisation.

Effective management of users and greater security over user data is the only way to increase control over business threats and put a stop to the attacks that are waiting to happen.

What managers must remember is that it is not a matter of 'if' attacks will happen, but 'when' and 'how'. And how companies prepare for such threats is critical.

Managing internal systems is a security headache for most IT managers today, with companies under pressure to comply with industry standards and regulations for secure business.

Guides such as the International Standards Organisation 17799, the Information Security Forum's Standard of Good Practice, and countless Requests for Comments offer companies a helping hand to identify and implement internal security controls.

To adhere to corporate governance such as the Sarbanes-Oxley Act and Basel II, corporations are slowly recognising that no security policy or process management plan will work unless it is communicated and sponsored by the right business community.

Security managers must stop thinking of themselves as just security professionals. In reality they need to be business managers with a security bias, responsible for managing the people and processes within the organisation.

They must address the three critical components for success: visibility, sponsorship and relationships.

Visibility is critical to the success of any business programme - and security is just another business programme.

But security can be undermined by the complexities and interdependencies of organisations. If a security programme makes what it is trying to achieve clearly visible to the organisation, then both the business sponsors and staff will support it.

Let's take antivirus as an example. The business may recognise the need for it, but if staff cannot clearly see its usefulness they will continue to do the same things they have always done.

Such behaviour will not help reduce the risk to the organisation; this level of security can only be achieved by changing the users' habits (such as not clicking on suspicious email attachments).

Businesses must ensure that relationships with organisations and other third parties are founded on the same security standards. In the financial sector, for example, online banking groups are aggregating client accounts to make it easier for clients to access their details through one banking portal.

Banks must try to reduce risk by working with well-established organisations to ensure their security meets the standards.

From board level to network administration, human resources to legal, each member of a company provides a unique contribution to any security policy.

By building and maintaining relationships and sponsorships so that organisations recognise the value and vision of the security programme, companies can ultimately support and enhance its effectiveness.

Industry standards and government regulation are getting stricter and potential security threats to the corporate environment are becoming much more sophisticated.

Unless IT managers act now to put people and processes at the heart of their IT security, they are waiting for a security disaster. Remember: failure to plan equals planning to fail.
