IT Services Business Solutions and Consulting across UK and Europe

Losing control could save you over 35% of your security budget!

The Code of Practice for Information Security (BS 7799 Part 1, now ISO/IEC 17799) introduced the concept of information security as the centralised deployment of technologies and procedures to preserve the confidentiality, integrity and availability of information. And, to be fair, it’s worked. So what’s all this talk about IA (Information Assurance)? Isn’t it just a new way of saying the same thing?

Actually, no it isn’t. IA takes things a step further than the ISO 17799 definition, because it is not simply about the technicalities of delivering security into IT. While technology still plays a key part, IA takes a more holistic view and is designed to tie information security into the business needs of the organisation – its day-to-day operations – and embed it into the bedrock of everyone’s job.

Putting security at the heart of the organisation
The aim of IA is to provide a level of confidence that services are secure and, critically, the way they are being delivered is also assured. This ties in closely with the requirements for business governance, as defined by Turnbull, as well as any relevant legal and regulatory frameworks. As such, IA follows the traditional steps of assessing organisational risks and defining policies to address them. However, this is then followed by a series of activities designed to split ownership and responsibility across the organisational structure.

In this way, specific responsibilities can be discussed with each department so that they (not the IT security function) can develop the necessary processes. For example, HR may need procedures for personnel screening and promoting security awareness. So, using the IA approach, HR would be responsible for addressing the security needs in these areas and ensuring that they become part of their day-to-day processes.

Understandably, an initial reaction to this can be to say “that’s security’s responsibility”. However, the real benefit of this approach is that it gives departments control over their own workspace. And despite appearing to be a way of simply redistributing workload, once up and running it doesn’t actually add more tasks. The responsibility for security becomes so tightly integrated into existing operations that it becomes an enabler rather than a hindrance.

From a security point of view, IA also reduces the workload placed on experienced IT security staff, freeing up their time and expertise to identify new areas in which they can add value.

For the organisation as a whole, the payback comes in the form of a significantly reduced requirement for centralised security resources. Whilst there is still a need to review the operation of working procedures to ensure that what is documented is actually what happens, over time the effort required to do this reduces significantly as levels of assurance increase. In Fujitsu’s experience of working with government and other large organisations, this can result in significant savings of over 35% in IT security costs.

The importance of management
Of course, realising these benefits entails a massive cultural change and the success of the IA approach depends on getting the message across that everyone is responsible for security. Key to this is the implementation of a comprehensive training and awareness programme, specifically tailored to each job function, and a close integration with personal objectives.

More importantly, unlike the traditional bottom-up approach to IT security, for IA to work the entire management team needs to understand, support and drive its adoption throughout the organisation until it becomes second nature. Quite simply, unless the drive comes right from the top it is destined to fail.

If this all sounds like a lot of work, that’s probably because it is, at least initially. But then the potential rewards are huge. Get it right and you can enjoy not only much greater levels of protection and productivity, but also a much lower cost. The only real question is: what’s stopping you?

Deborah Haworth,
Managing Consultant & Chief Information Security Officer NHS Project,
Fujitsu Services