TORONTO — Embedding and automating risk practices into the business may change the perception that these controls are impediments to business, Microsoft Canada’s new chief security advisor told the InfoSecurity Canada conference Wednesday.
Actually, the hope and expectation of top-level executives is to embed Sarbanes-Oxley (SOX) practices and other such controls into the business in order to reap a significant return on investment, said Mary Kirwan, a former security consultant who recently joined Mississauga, Ont.-based Microsoft Canada.
“Security is perceived as a fortress, as an impediment to doing business,” she said, adding that organizations can then free up time to focus on other matters.
Organizations tend to view security as a roadblock to business because “it’s not necessarily a revenue driver,” said Darin Stahl, lead analyst with London, Ont.-based Info-Tech Research Group.
Generally, he added, investment in security is presented, from IT or security, as “something that must be done, otherwise bad things will happen.”
But IT has a role to play, said Kirwan, because by improving corporate data handling practices and driving efficiency through such automated controls, IT will become a business enabler as opposed to just a provider of technical support.
It’s no longer acceptable, she said, for CIOs to “put out fires and do run of the mill stuff” – instead they need to get more value out of their IT assets.
With ever-evolving technology and tools, said Kirwan, “we’ve got to use these assets strategically. My hope is, over time, management will go back to basics and see IT as something that adds a great deal of value.”
Stahl agrees that this is the intended goal, however, in mid to large-sized companies, the security team is often situated outside the IT department. “That organization—in terms of staffing, focused responsibilities and lines of reporting—is probably the largest contributor to this issue.”
In attempting to streamline processes, said Kirwan, an organization should recognize they can’t fix all problems, and should really focus their expenditures and attention on high-risk areas.
In addition, they should create “a framework of controls”, so that new legislation can be easily mapped to the existing structure.
Dahl said there exists software that allows more automation and process focus across what has traditionally been discrete points.
He notes that although IT may operate security solutions within an organization, performing risk mitigation – setting and enforcing policies – belongs to the business owners.