The mindset of management can be the biggest obstacle to a secure IT environment and a strong security and risk management posture.
So says Marthinus Engelbrecht from NEWORDER Industries, a local technology company that provides specialised enterprise risk management, IT security, virtualisation and storage solutions and services to companies in Africa.
“The impact of security and confidentiality breaches can be devastating for an organisation. And, it’s not just the finances at stake. Aside from the costs associated with resolving a security incident, especially if it leads to litigation, and the financial burden of fraud, other factors can severely damage an organisation’s ability to operate or damage its reputation beyond recovery.
“King III also makes company directors and managers personally accountable for losses and confidentiality breaches that occur as a result of their failure to have adequate security mechanisms in place to mitigate IT-related theft and fraud.
“So, it would seem logical that management in any business would understand that building a secure organisation is important to business continuity, long-term success and sustainability. Unfortunately, in many organisations, IT security is still seen as an IT issue and not a business one.
“Often it is considered a drain on the bottom line, a grudge purchase similar to insurance because it’s difficult to measure return on investment, which company directors expect to see unless there’s a breach and the company’s intellectual property, finances or reputation come under threat.
“There’s also the common mindset that if there are firewalls, intrusion detection systems and antivirus programmes in place, IT security is taken care of. This is a naive approach that leaves a company, its systems and data as vulnerable as if there were no interventions in place.
“IT security is not just software or hardware. It is a process and there is no tool that you can set and forget. The strength and effectiveness of any security product depend on the people who configure and maintain it. Purchasing and deploying IT security products should therefore only be a percentage of the security budget, with a greater percentage allocated to ensuring that there are adequately trained resources in place to properly monitor, support and maintain security solutions.
“However, IT security often takes a backseat to general support activities where over-stretched, often highly-skilled, IT personnel have to keep an eye on it in between fulfilling help-desk projects such as resetting forgotten passwords, fixing jammed printers, and setting up new employee workstations.
“With IT-related theft and fraud on the rise, a bare minimum approach isn’t good enough. IT security needs to be elevated to a higher business priority,” says Engelbrecht.
He believes companies need to look beyond the average cost of a security incident to the other business benefits of a strong security posture.
“When a company invests time and money in building and maintaining a strong security posture, it enjoys numerous benefits. For instance, those that can demonstrate an infrastructure protected by robust security mechanisms could potentially see a reduction in the amount they pay out for insurance.
“It’s also a way of winning over new customers and building customer loyalty. Customers are most likely to keep their business with a company that values their business so highly that it would take such an aggressive stance to ensure their information is protected.
“But, most importantly, a secure organisation does not have to spend time and money playing catch-up, trying to identify security breaches and responding to the consequences thereof. They know they are in a position to act proactively to prevent IT-related theft and fraud before it happens, avoid the legal consequences of a breach of confidentiality and avert the damaging impact on reputation that could result.
“When management looks at it this way, then any investment of time, money and resources in IT security is easy to justify,” he concludes.