Details

  • Service: Advisory
  • Industry: Information, Communication and Entertainment
  • Type: Business and industry issue, KPMG information, Regulatory update
  • Date: 1/12/2012

The KPMG IT Governance Forum – 5th Edition

As organisations continue to attach ever higher value to the information assets that they hold, KPMG in Malta has focused the 5th edition of the KPMG IT Governance Forum around the importance of good information security governance.

In preparation for the Forum the IT Advisory team conducted a qualitative survey to better understand the state of maturity of information security amongst organisations in Malta. Through this survey a series of trends were derived and were used as the basis for discussion during the Forum.

Eric Muscat, the Partner in charge of IT Advisory in KPMG Malta, said that ‘Overall, organisations do see the need for good information security governance; however, the Survey revealed inconsistent and ineffective approaches to implementing security strategies through ad hoc initiatives, reflecting the need for guidance and coherency.’ He also observed that ‘the best results were obtained when organisations followed a security framework or standard.’


During the Forum, KPMG led a facilitated discussion from which a number of key issues emerged. Amongst them: that it is increasingly difficult to put a value on information security; that the concept of privacy is being redefined; that, whilst it was agreed that the human element is the weakest link in security, there is a lack of security awareness amongst employees; that security is generally an afterthought, causing a string of reactions when things go wrong; and that IT is becoming ever more legalised as lawmakers endeavour to establish the bounds within which organisations and individuals can be protected against the abuse of information.


Donald Tabone, the Information Security lead for KPMG in Malta, stated that ‘The bottom line is that being 100% secure is indeed impractical and unrealistic. There is no “one size fits all” solution, and organisations need to adopt a risk-based approach to finding the right balance between security and usability.’ He also said that ‘information security is not a goal but an ongoing process. Such a process would entail a combination of adequate risk assessments, policy making, awareness training and the implementation of the right technical controls, strongly promoting a holistic approach to implementing a security strategy.’


In conclusion, the Forum showed that the need to adopt a robust management process for assessing risk is fundamental to implementing a sound security strategy. Any chosen strategy has to be aligned with the business, whilst the adoption of a given framework, even if not necessarily an imperative, goes a long way to ensuring management commitment throughout the process – something KPMG believes is a key factor for an organisation to successfully instil a security mindset amongst its people.