Information security spend based on paranoia and without a holistic security strategy is leading enterprises to see information security as a grudge buy.

So says Maiendra Moodley, divisional head GM for financial systems and processes at the State IT Agency (SITA).

Moodley, who has trained and consulted to customers in India, Kenya, Ghana, Botswana, Zimbabwe as well as locally, says he sees similar patterns among enterprises across Africa, despite differences in their levels of maturity and the security risks they face.

"I've narrowed it down to what I call the four Ps – pace, pragmatism, paranoia and people," he says.

Moodley says the pace of information security adoption is impacted by issues such as budget; and external factors such as new legislation and companies overlooking the importance of information security when all is running well and there are no breaches.

Pragmatism implies that companies tend to ask "how much do I have to spend on information security before I have enough?" Paranoia drives much of the information security spending, but often with the end result being that companies buy high-end, highly ranked systems that are unsuitable to meet their specific needs, as these solutions are not orientated to their specific threat-risk scenarios. And despite all the investments in technology, people are the weak link in the entire security infrastructure, he says.

The upshot is that enterprises tend to buy security solutions that do not deliver the expected returns on investment, due to the "four Ps", making future information security purchases very much a grudge purchase, says Moodley.

The risk that emerges when information security becomes a grudge buy is that enterprises become reluctant to allocate budget to solutions they actually need, as they do not see the value of previous purchases when measured against the other competing organisational/budget priorities.

Moodley says achieving the right levels of security begins with a thorough risk assessment encompassing both information and physical security, which combines a firm grasp of processes under the enterprise governance and risk banner.

Too many enterprises still silo their physical and information security, he says, explaining that this leads to counter-productive duplication of effort and delays when breaches or fraud involve both the physical and information security.

"These areas are increasingly linked, so they need to be seen as part of a holistic security strategy that also includes sub-disciplines such as fraud and risk management," he says. "In line with this, the role of the chief security officer has to change. Now, enterprises need a CSO with a background in both physical and information security, who understands overall risk, governance and business issues. The challenge is – where do you find these people?"

Moodley will address delegates at the ITWeb Security Summit 2014, to be held in Sandton in May, on the topic: "Security in an interconnected world – why security strategies fail." For programme information and to register, click here.

Editorial contacts
ITP Communications
Leigh Angelo
011 869 9153
leigh@tradeprojects.co.za