The
September 11th act of terrorism upon the USA will have enormous ramifications
to the way everybody does business. The increased risk will raise the
importance of security in nearly every activity of life: travel; business;
recreation. The economic consequences will take time to work themselves
through the different markets that in some areas were already under pressure.
The air transport industry is only the beginning, the IT industry will
have to realign itself to the new business requirements as the budgets
get cut or redirected.
Under these circumstances the best thing to do is to go back to business
basics: business strategy; business planning; IS strategy and IT planning.
The objective is to position the companies for the future (strategic and
high potential initiatives). Identify those processes that have to change;
identify how IS and IT can support the initiatives (effectiveness); rationalise
the existing infrastructure and applications (efficiencies).
All of this being focused on the information. Which brings me back to
the security. As the economies repair themselves, the ability to access
and share information will be intrinsic to the revival - ensuring the
integrity and security of the information will be vital.
Feature
Story
Protection
of your assets has become important
Until September 11th security was a concern,
now it is a reality. Unlike in the home, over 60% of the risk is on the
inside. Physical security is important but the modern thief is after the
information. This changes things - how can you protect assets that you
cannot see? how can you put a price on the loss? how do you explain the
risk in the dreaded business case?
You
want to logon to the system. On goes the machine, up comes the challenge
screen: user-id and password. You enter and your onto the network. Now
you want to get to the HR system, up comes another challenge. You enter
another id/password pair and your in. You do what you want to do and then
its on to the ERP system, another id/password pair ............ This is
not easy, this is a drag - it might be secure but is it the best use of
my time.
A different scenario would be to pass the first challenge and then be
able to go everywhere. A single key to open every room in the house -
you better not lose it otherwise you will need to get in the locksmith.
But the enemy is within so a single key doesn't work so we are back to
scenario one.
Why are we doing this? I remember, it was to protect my information assets.
What are they? Those pieces of information that a competitor or enemy
could use against the company or country. Do you know where they are?
All over the place. Not a clever thing to have done is it.
In this period of reflection and planning, security is something that
is no longer added on as an afterthought but embedded into everything:
working practices; systems; applications; buildings, and think end-to-end.
This not a technology problem although technology can be used in certain
areas.
As we plan for "life after recession" it is important that we
focus on this information. It is the lifeblood of every organisation and
needs to be treated in the same way as all important assets. Just like
a physical asset can wear out, information has a life and needs to be
maintained. Some information needs to be kept for tens of years whilst
others is outdated almost immediately. This requires careful risk analysis
and appropriate protection. Not everything needs to be protected in the
same way.
As an integral part of the IS/IT strategy and planning activities the
importance of information must always be central to the decisions. What
information do I need to achieve my goal? What information would be of
value to my competitor? The answers will then help to decide what can
be shared, what must be protected and most importantly what value the
information really has. Armed with that the business case becomes much
easier.