Security must not become a victim of reduced budgets

by Richard Hunt

May 13, 2010

With a Conservative-Liberal (or Liberal-Conservative as David Cameron prefers to call it) government installed in the UK , public sector spending cuts seem inevitable – the only uncertainty is when and how much.  Management teams face huge challenges to maintain the services on which the public depend, but must operate on a severely reduced budget.

Most of these services rely on IT systems to support their day-to-day business. That ranges from email and instant messaging systems for communication, to document management systems for collaboration, to ERP systems (with SAP being widely used by local government) for performing the majority of business processes.

IT spending cuts

'IT Trends in Local Public Services 2009/10', a survey by the Society of Information Technology Management (Socitm), shows that over the past year the amount of money spent on IT has decreased by 11 percent, while the number of IT staff being employed in the public sector has reduced by 10 percent.

Combining this with political party pledges to reduce the UK's financial deficit indicates that there is a real danger that the priority of IT security, incorrectly perceived by some as a non-value add function, is reduced.  This move will prove detrimental to an organisation's overall operations.  If it is to be avoided, security experts and business managers must work together so that security does not become a reactive afterthought.

Combining business with IT

Security administrators should have an appropriate level of technical knowledge regarding the system-specific security parameters and tools and an unders tanding of basic security concepts that help drive best-practice behaviour.  They also need an appreciation of how the business works so that best-fit security solutions can be implemented, allowing security to become an 'enabler' rather than a bottleneck.

At the same time, organisational 'ownership' of security is vital to ensure there is adequate control placed over who can do what in 'business critical' systems. For example, only the organisation can define the exact responsibilities of an accounts payable clerk. Investment of time and effort by the business in this area is crucial to drive fundamental security concepts within the IT systems themselves, as well as in the wider culture of the organisation.

The risk of too much – or too little - access

SAP systems require that access to functions that are inappropriate for certain individuals in particular situations is denied, whilst the relevant level of access to enable users to perform their job responsibilities is provided.

Authorisations or permissions are the gateway to data and functionality on the IT systems that support an organisation. Without adequate understanding and design of the permissions structures, users are not able to deploy the functions that they require. If incorrectly designed and implemented, the same permissions structures can also let users access data and functions that they should not be using.  Reducing IT expertise in the organisation makes both of these a real danger.

Avoiding security breaches

There have been high-profile security lapses in data handling practices in both the public and private sector, but these and other types of security breaches can be avoided by maintaining a climate of security awareness that should be instilled in all layers of information management. No organisation can afford to ignore this if they are to safeguard confidential informa tion.

Security must be a business issue

Having appropriately skilled security professionals in charge of IT systems security, and ensuring security requirements and overall ownership of security is being driven by the business, should be interwoven in order to fully achieve security objectives. However, this will become increasingly difficult as investment in IT is reduced.

The challenge during these leaner times is to maintain best-practice security principles by having the right people administering the systems.  At the same time the business cannot afford to shy away from ownership.  Doing so will be highly counter-productive in terms of making the cost-savings that are currently imperative.

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!