While the global economic crisis continues to put pressure on IT budgets, from a spending standpoint security is set to remain a priority. According to Gartner, worldwide spending on security is expected to increase from $60 billion in 2012 to $86 billion by 2016. Security threats are a constant; there is an overwhelming sense that it is not a matter of if, but when, an organisation will be attacked.

Companies continue to invest in security with good reason. According to the UK’s Information Commissioner’s Office (ICO), the number of self-reported data breaches has skyrocketed in the last five years, with an average percentage increase across sectors of 1,014 percent. And, with the rise of virtualisation, mobilisation and consumerisation, shoring up a company’s security defences has never been more challenging.

However, while many organisations believe that they have sound security measures in place, the reality is that often these are implemented in a piecemeal way with point solutions only addressing specific needs. I believe this disjointed approach is not sustainable.

I recommend a holistic approach – one that is business focused with executive sponsorship and support. Security should never be considered in isolation from the business. Instead, security should protect and enhance business processes and risk must be properly identified across key business areas.

I also recommend that organisations adopt a scenario-based approach to security in order to fully understand the extent of their threat landscape. This entails considering all the different threats and imagining how each might play out. If you can explore in detail the potential impact of each scenario, you can then begin to build a true understanding of how well your organisation is structured to cope.

For example, what happens when a personal device that contains business data is lost or stolen? BYOD is accelerating; the question is how this trend can be regulated. And to what extent can an organisation dictate and enforce processes when it is the employees who own the devices?

The technology exists today to wipe business data from a device, or to disconnect its access, when the device is reported stolen. But what about the policies that must be in place to minimise such an occurrence, and how will those policies be enforced?

Companies should create a security policy and continually adjust it, implementing any additional tools and processes needed to address threats. They also need to review the policy regularly in line with changes in the environment. The security landscape is constantly in flux, with more advanced threats continually being generated. No organisation will ever be 100 percent secure; any security technology and/or policy must be agile enough to deal with the changing threat landscape.

While I am not suggesting that organisations need to throw away their existing technology and start again, I do believe that organisations need to re-examine their current security strategy and make sure that they have board-level involvement. A comprehensive, business-led approach to security strategy will guarantee the best levels of success.

  • Just because point solutions are in place doesn’t mean you are fully protected.
  • Assess your approach to security policy; consider a dashboard or management console to identify and address gaps in one managed process; continually assess and maintain your policy as your environment changes.
  • If you start with an accurate, business-based understanding of your security position, then implement the right policies and the technology to support those policies, and finally review and adjust those policies continually, security is manageable.
  • Continual service improvement is key; IT security and the protection of data should be regarded in the same way as any service management practice and constantly monitored.
  • The capability is there; organisations themselves need to rise to the new corporate security imperative.

Security has to be considered in the round. When an executive asks the question ‘is our data secured?’, the answer will probably be ‘yes’, because the organisation has put security tools in place. However, security is not simply a matter of ‘yes’ or ‘no’; it is about asking and understanding ‘so what exactly happens when…’. Only by fully exploring such questions will you know whether your organisation is primed to handle all security eventualities.