IT told to fix security without 'bothering' business
Security teams shouldn’t let the safety of systems fall on employees following policy, but instead should take ownership of their roles, one expert has said.
Employee awareness of security issues may be important, but it is down to the security team to take ownership of the systems and their jobs to keep the company safe.
This was the view of Kim Aarenstrup, chief information and security officer (CISO) for Maersk, in a keynote speech at the Forrester Security Forum in London today.
Although he claimed security issues were now a "business concern with a tech component," he said it was up to the technical security team to deal with it, not the rest of the business.
"What we want to do is take care of a lot of the security challenges without really bothering the business side. They have their own challenges [and] the CEO expects the CISO, who he is paying a salary, to take care of these things," said Aarenstrup.
Although this may sound like an obvious way for security teams to operate, Aarenstrup pointed out that a lot of security had previously been done by saying no and issuing policies, leaving the safety of systems in the hands of the employees using them.
He said: "There is no doubt that [employee] awareness is important on certain aspects, very important, but asking employees to try to take care of everything? Really we are not going to leave the capability of security, which is very complex, in the protection of our employees."
"They should look after those areas where they are at their best and we should look after this one."
With new technologies such as cloud computing and virtualisation, Aarenstrup concluded that security teams needed to "get rid of the old dogmatic thinking" and "conservatism" that previously dominated the industry.
He claimed that rather than saying "no" to something that business users request because it may seem risky, security teams should find a way to make it safe.
Jennifer Scott is a former freelance journalist and currently political reporter for Sky News. She has a varied writing history, having started her career at Dennis Publishing, working in various roles across its business technology titles, including ITPro. Jennifer has specialised in a number of areas over the years and has produced a wealth of content for ITPro, focusing largely on data storage, networking, cloud computing, and telecommunications.
Most recently Jennifer has turned her skills to the political sphere and broadcast journalism, where she has worked for the BBC as a political reporter, before moving to Sky News.