The precarious state of security in Asia

Posted By on May 17, 2010

Security is defined as the condition of being protected against danger or loss. In the Internet age, information security has become just as valuable and important as the physical aspects of safety.

Security remains top of mind among business and technology executives. But how far does that concern trickle down to users and their managers?

Enterprise Innovation conducted a survey of readers to determine how familiar users are with the tools, policies and processes that relate to security in the enterprise.

How many IT staff do you have dedicated to security?

Among the 316 respondents to the survey, about 60 percent have a small team of between one and five people within their IT organization looking after the security of their infrastructure. Almost 28 percent claim to have a larger team dedicated to security. Twelve percent have no dedicated security staff in their IT organization at all.

"Except for the very large organizations that truly have a dedicated security team, most so-called security experts in IT organizations actually perform several jobs, security being one of them," said Henry Ng, Professional Services Manager, Asia, Verizon Business. "Compared to the US, there are very few companies in Asia where a Chief Information Security Officer or CISO is employed to oversee the security initiatives of the company. In the organizations where such a role exists, the CISO often reports directly to the CEO rather than the CIO."

Do you struggle to consistently measure security across your enterprise?

Over 51 percent admit that they lack the ability to adequately measure security across the enterprise. Add to this the 24.6 percent of respondents who are uncertain as to how to measure security and you have a population of 75.6 percent of respondents who struggle with measuring security.

This suggests a lack of internal awareness of the tools, policies and best practices that enable accurate measurement, and it also implies an inability to justify further investment in security beyond basic tools such as anti-virus software and intrusion detection and prevention systems.

How do you measure security? Some point-solution vendors measure it by the number of incidents tracked or blocked at the perimeter, a figure that reflects attack volume at least as much as it reflects the organization's own posture.

Ng says that his team is often invited to meet customers to solve specific security problems. "When it comes to security, most organizations act in response to specific events. Only a few, and mostly those from very large enterprises headquartered in the US or Europe, have a security strategy beyond the basics," Ng adds.

Can you effectively demonstrate risk reduction and an improved security posture?

The simplest way to demonstrate risk reduction is to keep your anti-virus software updated. Most corporate users have this process automated for them by IT: as soon as a user logs in to the network, the client anti-virus software checks the update server for new signatures. Signature currency is a proxy, of course; it shows that a control is operating, not that the risk it addresses has gone away. Even so, surprisingly only 38.6 percent of respondents claim to be able to demonstrate this posture.

Andrew Walls, Research Director on Security, Risk & Privacy at Gartner, says the only way to demonstrate risk reduction and security performance is to have an effective Security Information and Event Management (SIEM) program.

Gartner research has identified strong benefits in the level of security assurance and the containment of security costs produced through a well-managed SIEM program.

Walls warns that the metrics must be driven by business priorities with the raw metrics (gathered from technical security systems and processes) analyzed and translated into business terminology.
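The two points above, a measurable control (signature currency, from the anti-virus discussion) and Walls's demand that raw technical metrics be translated into business terms, can be shown end to end. The following is an added example written for this article; it is not a Gartner, Verizon or Enterprise Innovation tool. The two CSV exports are constructed sample data resembling what an endpoint anti-virus console and a SIEM incident queue might produce, and the column names, the 7-day staleness threshold and the coverage and containment targets are assumptions standing in for whatever a given business has agreed.

```python
"""Added example: raw security-system data turned into business-level metrics.

Constructed sample data and assumed thresholds; not code from any product.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Reference point for "how old is this signature": the article's publication date.
AS_OF = datetime(2010, 5, 17)

# Constructed sample: one row per endpoint with its last signature update.
AV_INVENTORY = """\
host,last_signature_update
fs01,2010-05-14T08:00:00
fs02,2010-05-15T08:00:00
ws-0101,2010-05-16T09:12:00
ws-0102,2010-04-30T17:45:00
ws-0103,2010-05-16T07:02:00
ws-0104,2010-05-01T12:00:00
"""

# Constructed sample: incidents from a SIEM queue; an empty 'contained'
# field means the incident is still open.
INCIDENTS = """\
id,detected,contained
INC-1,2010-05-03T10:00:00,2010-05-03T14:30:00
INC-2,2010-05-07T22:15:00,2010-05-08T09:00:00
INC-3,2010-05-12T01:00:00,
INC-4,2010-05-15T16:20:00,2010-05-15T17:05:00
"""


@dataclass(frozen=True)
class CurrencyReport:
    hosts: int
    stale: tuple[str, ...]  # hosts whose signatures are older than the threshold

    @property
    def current(self) -> int:
        return self.hosts - len(self.stale)

    @property
    def coverage(self) -> float:
        """Fraction of endpoints with signatures inside the threshold."""
        return self.current / self.hosts if self.hosts else 0.0


def signature_currency(csv_text: str, as_of: datetime = AS_OF,
                       max_age_days: int = 7) -> CurrencyReport:
    """Raw technical metric: which endpoints have stale anti-virus signatures."""
    limit = timedelta(days=max_age_days)  # assumed threshold
    stale, hosts = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts += 1
        updated = datetime.fromisoformat(row["last_signature_update"])
        if as_of - updated > limit:
            stale.append(row["host"])
    return CurrencyReport(hosts=hosts, stale=tuple(stale))


def containment_times(csv_text: str) -> dict:
    """Raw technical metric: hours from detection to containment per incident."""
    hours, open_ids = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["contained"]:
            open_ids.append(row["id"])
            continue
        delta = (datetime.fromisoformat(row["contained"])
                 - datetime.fromisoformat(row["detected"]))
        hours.append(delta.total_seconds() / 3600)
    return {"closed": len(hours), "open": open_ids,
            "median_hours": median(hours) if hours else None}


def business_summary(report: CurrencyReport, contain: dict,
                     coverage_target: float = 0.95,
                     contain_target_hours: float = 8.0) -> list[str]:
    """Translate the raw figures into statements a manager can act on.

    The targets are assumptions; a real report uses the business's own.
    """
    status = "on target" if report.coverage >= coverage_target else "below target"
    lines = [f"Endpoint protection: {report.coverage:.0%} of {report.hosts} endpoints "
             f"have current signatures ({status}, target {coverage_target:.0%}); "
             f"unprotected: {', '.join(report.stale) or 'none'}."]
    if contain["median_hours"] is None:
        lines.append("Incident response: no incidents closed in the period.")
    else:
        status = ("on target" if contain["median_hours"] <= contain_target_hours
                  else "below target")
        lines.append(f"Incident response: median {contain['median_hours']:.1f} h from "
                     f"detection to containment over {contain['closed']} incidents "
                     f"({status}, target {contain_target_hours:.0f} h); "
                     f"{len(contain['open'])} still open.")
    return lines


if __name__ == "__main__":
    for line in business_summary(signature_currency(AV_INVENTORY),
                                 containment_times(INCIDENTS)):
        print(line)
```

The raw functions keep the technical detail (which hosts, which incidents) so an engineer can act on it, while `business_summary` reduces each to one sentence with a status against an agreed target; that split is the translation step Walls describes, and the same two-layer shape extends to any other control the organization chooses to measure.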

Do you need assistance or support for internal or external audits?

A little over 41 percent believe they need assistance with internal or external audits. Over 42 percent claim they do not need support, while almost 15 percent remain uncertain.

On the subject of international standards for information security, Walls notes that Asia tends to be less transparent concerning policies, processes and standards. "The tendency of Asian organizations to avoid exposing internal security practices in a public setting leads to some conflicts when western organizations seek to perform security risk assessments and compliance audits. The lack of transparency is often interpreted as a lack of security enforcement within the organization, which can lead to adverse audits," he adds.

Do you have to adhere to standards such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 or others?

Only 20.
