Managing information risk: ISACA chair on how to combat modern security threats

Data is now the lifeblood of the modern organisation, be it a public sector service or a private sector corporation. But with the tech landscape altering so significantly at present, this data is being put under unprecedented strain, forcing execs and security officers to manage information risk more smartly than ever before.

These issues will be tackled head-on at today's Economist Intelligence Unit information risk webinar, and ahead of his appearance at the event, Amar Singh, Chairman of ISACA London's Security Advisory Group and CISO at News International SC, tells us how organisations need to handle the threats associated with information sharing, cloud computing, BYOD policies, and more.

There are a whole host of threats and trends that are putting corporate information at risk, but what do you identify as the chief danger to enterprise data at present?

Over-sharing poses a significant risk to an organisation. Given the ever-increasing uptake of smartphones, tablets and similar connected devices (making up the Internet of Things), the over-sharing danger is only going to increase the risk exposure.

Related to the above, the employee remains a key area mainly through lack of awareness. It's about time organisations stop looking at awareness as simply sitting through a boring click and submit exercise. Rather, start by teaching employees how to protect their own personal cyber-space, their personal LinkedIn and Facebook accounts for example.

An employee who knows how to protect him or herself will automatically be better at applying the same measures and controls to his corporate cyber-space.

How has the growth of BYOD changed the risk management landscape?

BYOD, or as I call it, BAYD (bring all your devices), is continuing to increase the attack vector and attack surface and is consequently affecting the overall risk exposure of the organisation.

The BAYD issue is significantly impacting the risk of data loss. Where earlier organisations had to manage local network file shares, today that same data could be on multiple smart devices.

Is the trend of consumerisation ultimately at odds with secure device management in the workplace?

I believe that technology does exist - and is continuing to evolve - that will allow the oxymoron of a securely managed consumerised device to exist.

For example, technologies such as containerisation already allow a secured and managed environment within a regular consumer device.

With more and more organisations throwing data into the cloud, are we really in control of our sensitive records?

No is the straightforward answer. Regardless of the actual context of the word 'control', the fact is that unless and until your data is encrypted and the keys to the encryption are in your physical possession, your data in the cloud will always be easily accessible to external entities.

How should organisations go about prioritising the protection of certain data?

My approach would be to start with the people. Most organisations, regardless of process maturity, know that key functions like HR, legal and commercial tend to handle some of the most sensitive data.

Additionally, think about personal assistants of CFO, CEO and other key executives. Often these PAs know the passwords of their managers and hence have access to the same critical data set. Talk to the people in these departments and invite them to join you on the journey. Explain to them the risks and the impacts to the business of losing the data.

Needless to say, insist on a classification structure for the data.

Can the big data explosion actually aid an organisation’s security policy?

Big data to the business should translate to something like Business Information Analytics. Simply put, big data has a huge contribution to make in every function of the business.

And 'yes' is the answer to this question. I see big data type technologies helping organisations in the better and effective management of policies.

All data derived from: "Information Risk in a Changing Technology Landscape," The Economist Intelligence Unit, November 2013