TECH | Sep 4, 2019

Cybersecurity: costs, benefits and integrated approaches

Why does security have an across-the-board impact on every business process and how should it be approached?

We often wonder if information security should be considered a qualitative, measurable and quantifiable element of a project, rather than an implicit requirement, and therefore be considered a commodity.

A fundamental element for a company is understanding what to protect and, consequently, what actions to put in place. Any activity has financial aspects as its main measure, but in the technological field, so heterogeneous and rapidly evolving, being able to provide a balanced picture of the necessary actions often becomes a gamble. In order to assess the possible balance between costs and benefits, we resort to the R.O.S.I concept. (Return on Security Investment), but how do you objectively measure the effectiveness of the investments?

Technology evolves every day at an ever-increasing speed, presenting a growing number of threats which are unknown by their very nature. Sometimes it is therefore necessary to implement strategic countermeasures before understanding what the threats will be, based on the awareness that they will appear.

The insurance world has tried to give an answer, turning costs and benefits into figures. “For every financial investment, there is a possible financial coverage to cover a possible accident”. It is evident that there are many uncertainties already in the description and that the insurance world also found itself facing the same problem: how to measure real risk, how to assess its impact, how can one predict this scenario?

How can we approach company security?

The answer to these questions lies in the evolution of Information Security, where the need for a methodological and virtuous approach that covers not only technological aspects, but also takes a closer look at the financial ones is increasingly evident, no longer as a technological virtuosity created to mitigate the paranoia of a Security Officer, but as a model that considers Information Security a functional, quantifiable and measurable requirement.

We often make mistakes because of this evolution: Cybersecurity and Information Security are two terms which have in common the protection of data from access, theft or modification, but we often forget that they are not the same thing.

Data protection is not limited to Cyberspace; Information Security deals with the protection of information, regardless of whether the data is inside a computer, in Cyberspace or in Internet.

In order to protect information, we need to understand which elements contribute to the result. Often, those who have this task do not have the control or the view of all the elements and find it difficult to identify roles and responsibilities.

What is the role of a System Integrator in Information Security?

A system integrator is a person or company that specializes in bringing together component subsystems into a whole and ensuring that those subsystems function together” (Wikipedia).

A System Integrator maintains, develops and expands digital ecosystems that provide essential services for hospitals, banks, industries, public administrations. The systems on which he/she intervenes have the task of collecting, storing and processing different kinds of information with specific protection needs. In these types of contexts, often with little supporting information and minimum intervention times, the System Integrator must guarantee the effectiveness of the solution he/she is required to provide, optimizing implementation times and costs through the knowledge of his/her technical and organizational features .

This places him/her in a strategic position as regards Information Security, which is based on the balance between technological choices and organizational processes, between competing interests such as business and data protection.

The System Integrator must have an extensive view over every type of digital ecosystem, where the Regulations relevant for Information Security must be applied and he/she can tackle potential risks taking into account their effectiveness rather than their form.

Igor Kranjec