Security gurus laud process benefits

Security gurus laud process benefits

Security based on people and process - not technology

Information risk experts at a leading IT security conference have underlined the importance of people and processes in delivering an effective enterprise security programme.

Speaking at the annual Forrester Security Forum in Europe, Stephen Bonner, Barclay's head of information risk, insisted that a pre-occupation with technology was undermining security efforts.

Bonner explained that focusing solely on technology solutions will not solve the underlying security problems that plague many firms, many of which are a result of "poorly designed processes".

"A lot of vendors are making a lot of noise around data leak prevention products but I remain unconvinced," he argued. "These are technology solutions to particular problems – you can manage this problem by tying down your email, or USB stick use, but people will just print out material or move [to other methods]."

Several other speakers at the conference also argued that a risk management strategy that addressed IT issues would secure corporate networks far more effectively that concentrating on specific incidents or technologies. " Technology should not take up most of your time; it's just a small layer between the processes and people," said Forrester analyst Thomas Raschke.

Bonner explained that Barclays is running a comprehensive awareness-raising campaign in an attempt to change corporate culture and mitigate the risks associated with the "insider threat".

The firm has commissioned a series of short, accessible videos to raise staff awareness about issues such as device loss, he added.

"Lots of control functions are seen as stuffy, an extra layer of cost and inconvenience, so we're trying to challenge their preconceptions," said Bonner. "And because the awareness material is not mandatory, it makes it a bit more viral, drawing attention to the issues."

Bonner argued that in 80 per cent of incidents involving insiders, the perpetrator exhibited unusual behaviour beforehand. "Most of the issues can be resolved not through technology … but by walking towards the problem," he said, "If someone in the team is known as a bit dodgy just have a word – in a lot of cases something was known to be wrong and no-one did anything."