Infosec: It’s Not About Security

During last week's RSA Conference in Singapore, a panel hosted by RSA Conference Chair Dr Hugh Thompson with Tobias Feakin, the director of the International Cyber Policy Centre, RSA’s CTO Zuli Ramzan and Paul O’Rourke, the Asia-Pacific Cyber Security Leader at Ernst & Young discussed a number of interesting issues pertaining to the “Asian Opportunity for Security”.

In a wide-ranging discussion covering everything from nation-state attacks to skills, metrics and the growing maturity and sophistication of adversaries, the panel touched on an important point: protecting your company’s information assets is not about security as such, but about risk management.

“We talk about information security, we talk about cyber security, but the biggest change has been in cyber-risk,” says O’Rourke.

This is reflected, he says, in the way boards and members of the C-suite are looking at securing information assets. The focus has moved from blocking everyone and protecting all assets equally to identifying which assets most need protection and which are at greatest risk of attack, building a defensive and reactive posture that protects those assets in proportion to their value, and having processes and systems in place to respond promptly if a breach occurs.

O’Rourke has seen a shift occurring in companies, with infosec moving away from the IT function towards other parts of the business.

“In part, this has been driven by regulation,” says O’Rourke. “But in part it’s about reputation. The fundamental change is that C-suites and boards now understand this is not an IT issue.”

One of the other things that is happening is that the business risk and technical risk functions that together make up information security are being split out into distinct roles, while at the same time working together more closely.

It was evident throughout the discussion that skills remain a significant barrier for many businesses. In particular, O’Rourke noted that people who can understand the technical issues and articulate them to the board in terms of business risk are scarce, and will be in increasing demand over the next few years.

So, as companies mature in how they look at and manage information security risks, there will be new work opportunities for savvy operators who understand both the technical and the business sides of the infosec coin.

The author of this article travelled to Singapore to attend the RSA Conference as a guest of RSA.


Comments

Many companies are seeking more tactics to increase and neutralise hackers, forcing them to spend more to improve their defences.