Opinion

It's time to rethink how IT security is managed


10 July 2013

New challenges mean that businesses need to take another look at how they manage IT security, suggests Kris Hagerman, CEO of Sophos.

For the average British company, IT security is a headache.

First, there’s the direct threat posed to the company’s data, intellectual property and reputation. A recent report from the National Audit Office revealed that cyber crime has already cost UK industry billions of pounds, while our threat research labs at Sophos identify over 250,000 new pieces of malicious code every single day, many designed to steal data and money or to provide backdoor access to company systems.

But in addition, there are the demands of managing this threat. The money, time and resources consumed by getting adequate protection in place and keeping it up to date mean that the process of security itself can become a real distraction, and have a real (and negative) impact on the bottom line.

In fact, security management has many UK enterprises running scared — with small, over-worked IT departments forced to spend a disproportionate amount of effort ‘babysitting’ complex security systems.

The IT department should be a company’s secret competitive weapon, driving innovation and growth through the application of new technologies. Yet because data security has become such a high-profile issue, manpower and budget are often diverted towards what is essentially a fire-fighting activity. Is this really the best place to focus IT talent and spend?

I would say definitely not. Especially in the current economic climate, anything that hamstrings a company’s ability to innovate and be competitive needs to be urgently reassessed.

As the volume and complexity of threats increase, and the number of user devices to be protected multiplies, I believe that the traditional way in which security is practiced in many UK enterprises has become a significant ‘drag factor’ on business growth, slowing innovation down rather than supporting it. It’s time to change the model and re-think how security is implemented and managed.

Some companies are already doing this. There is an emerging breed of pragmatic enterprises which, by necessity, have discovered that complex issues don’t always require complex solutions, and that in many cases complex solutions aren’t solutions at all. The same applies to IT security: good security shouldn’t require the undivided attention of the IT team to make it work.

For example, unified threat management (UTM) appliances have matured to the point where it’s possible to cover the essential bases of a solid security policy, from anti-virus and spam protection to web filtering and wireless security, with a single box. The traditional ‘best-of-breed’ philosophy has left IT departments integrating and managing multiple complex security products; the pragmatic enterprise has recognised that, in a broad set of environments, UTM is a better answer because it is actually deployed, configured and kept up to date, rather than sitting on a shelf while someone tries to understand how it works.

Another development for the pragmatic enterprise to consider is cloud-based security-as-a-service, where the management of the security process is handled remotely by a specialist managed security service provider (MSSP). This can also offer the advantage of flexible licensing, where companies pay for exactly the services they’re using without tying up capital in under-utilised hardware and software.

Lastly, the explosion of mobile devices (tablets, smartphones, etc.), coupled with more and more mobile malware every day, leaves IT organisations with gaping and entirely avoidable holes in their security posture. With user-centric security models, one simple policy is attached to the user and moves with them, regardless of which device (PC, Mac, tablet or smartphone) they have in their hands at the time.

For businesses that don’t have the desire to build mini armies of dedicated IT security staff, why make things more complicated than they need to be? IT should drive innovation and growth, not be trapped in a Sisyphean cycle of its own making. Pragmatic security means not only delivering comprehensive protection; it’s also about freeing up a company’s most valuable resource: its people’s brains, talent and time.

Kris Hagerman is CEO of IT security firm Sophos.