The short- and long-term effects of inadequate IT security
In the third of our articles on IT Security Management with LeanIX Survey, we'll examine the great impact of digitization on IT security at a company. When customers become digital customers, for example, this means that sensitive customer data is transferred into online systems which require special protection. Furthermore, companies are expected to become increasingly “open”. As a result of new work concepts such as a home office, mobile computing and “Bring Your Own Device (BYOD)”, access to company data is provided on end devices whose security aspects are increasingly difficult for the company to control. Additionally, cross-company supply chains are leading to much closer networking with customers and business partners in the course of Industry 4.0 in a wide range of business processes (acquisition, production, sales, logistics). But this also means that the customers and suppliers are partially responsible for the protection of these systems. This makes professional IT security management all the more important.
The case for IT security
It is often difficult for company managers to assess the risk of inadequate IT security, because the extent and probability of a potential security incident are frequently hard to quantify. The short- and long-term negative effects of insufficient IT security can nevertheless be severe, and they are not always immediately apparent. Beyond the obvious damages, such as lost revenue or the cost of bringing in outside experts, inadequate IT security also has indirect consequences: for example, the IT department loses its capacity to innovate if it is constantly busy putting out security fires.
Three elements for lasting IT security
Technical measures and solutions
First, IT security management is concerned with ensuring that the available technical controls for maintaining IT security are actually deployed (anti-virus protection, malware protection, password protection, intrusion detection) and that these systems are kept current through regular updates. Successful companies use monitoring and reporting systems that recognize potential gaps in a process that is automated as far as possible, and that then take countermeasures independently and proactively. In this way "intrusion detection" can become "intrusion prevention", for example, minimizing the need for expensive manual intervention.
Organizational measures and solutions
The organizational measures and solutions begin with identifying which data is relevant to security. This includes in particular personal information (about customers, employees and business partners) and sensitive company data (contracts, offers, strategies, patents, key business figures, etc.). Next, processes have to be developed and put into practice for this security-relevant data so that its protection is ensured as effectively as possible. Finally, responsibility for compliance with these processes has to be assigned and documented, and reinforced through regular training sessions.
Fulfilling external specifications
In order to standardize the procedures behind these measures and processes, a number of IT security standards have been developed in practice and are now widely accepted. Most relevant for German companies is the IT baseline protection (IT-GS) by the German Federal Office for Information Security (FSI). On an international level, the two ISO norms ISO/IEC 27001 and ISO/IEC 27002 are certainly the most important ones. In order to satisfy these IT security standards, companies must be able to refer quickly to up-to-date, precise and complete data about their own IT security.
In the next post in this series of articles we will discover how LeanIX Survey offers an EA-driven approach to the management of IT security. If you want to find out for yourself how the LeanIX Survey Add-on can streamline your IT security management amongst other use cases, why not try out LeanIX for free?