
SA companies face 'governance challenges'

By Candice Jones, ITWeb online telecoms editor
Johannesburg, 04 May 2007

Governance, compliance and risk management are the largest challenges facing South African companies today, says Craig Rosewarne, chairman of the Information Security Group of Southern Africa.

"Of say 100 companies, only 10% are trying to adhere to governance structures, and of that 10%, only two or three companies have an effective implementation," says Rosewarne.

With each new legislative Act incorporating clauses that will administrate information security, companies face the difficult task of complying with corporate governance frameworks, he says.

"Companies often don't realise they are in breach of a particular law. For example, businesses that allow employees to send and receive video clips may be contravening stipulations in the Film and Publications Act."

He adds that in a few years, the new SA Privacy Bill, which is still in draft form, will require companies to disclose any information security breach that occurs. "This is another piece of legislation that companies must address."

Organisations also need to address compliance in terms of geographical location. "Geography can make compliance even more complicated, because international companies must not only adhere to South African stipulations, but also to international ones like Sarbanes-Oxley," Rosewarne explains.

People, process, technology

ITWeb Security Summit 2007

Taking place from 22 to 25 May 2007 at Vodaworld, ITWeb's Security Summit will bring together international and local IT and security professionals, practitioners, industry experts and analysts. Delegates will gain an understanding of the key tools, techniques and strategies needed to safeguard their organisations' most valuable asset: information. International security guru Bruce Schneier and Phil Zimmermann, creator of the PGP e-mail encryption protocol, will deliver the opening keynote addresses.

"Part of the solution to this challenge is to appoint a compliance officer to exclusively manage these issues. It boils down to the 'process, people and technology' triangle," says Rosewarne.

A dedicated officer can help departments, branches and other segmented parts of a business interact effectively, which is not, according to Rosewarne, generally happening in SA at the moment.

Government is now being forced to hire staff dedicated to this area of expertise, but there are too many firms that are not doing this. "It is for this reason, I say, SA is not ready for 2010," says Rosewarne.

Dynamic security environment

"Security threats are always evolving; it's akin to a fashion parade," he says.

Organisations are facing targeted attacks and this is very problematic for business, because, "some companies will have no way of knowing their data has been compromised.

"In a recent summit I attended in the US, one of the keynote addresses said only one in 70 cyber attacks are detected."

Companies are fighting something comparable to organised crime, and for the most part they are losing. "Companies definitely need to work together to help solve the problem.

"On top of all the external attacks and risks that companies face regarding information security, they are also battling the human firewall."

He adds that about 70% of security breaches are committed by internal users. Consistent training is a solution, but it must occur holistically, across the entire organisation.

"Companies can't make risks disappear, but through proper governance, risk can certainly be minimised."
