The most essential waste of time

Celfocus' trade-off for Information Security

Call To Numbers — Oct 2016 by CELFOCUS

Security is often considered a complex term, as it covers both the feeling and the reality.

Feeling secure and really being secure are in fact completely different things. However, having both requires us to trade something off, to give something in return for that feeling or reality.

For organisations, information is their most important asset. Therefore, its security is crucial. How much are we willing to trade off and why has information security become so important?

If we combine the intrinsic value of information with rapid technological innovation (which isn’t always secure) and the difficulty the law has in combating attacks on information, it is likely that these attacks will increase very significantly in the years ahead. They can have a very negative impact on organisations, not only from a financial perspective but also on their image and credibility in the market.

Another aspect that will have a significant impact on the organisations’ information security is their readiness to meet the requirements of the new General Data Protection Regulation, which came into effect this year. This regulation foresees a transitional period of two years for its implementation. Organisations will have this time to adapt to the new rules.

The new Regulation introduces significant changes to the current rules of Data Protection, imposing new obligations on organisations, the breach of which is punishable by heavy penalties that could amount to 4% of the total annual turnover or €20.000.000,00.

Organisations that deal with personal data (our customers) will be among the first to implement these obligations and to pass them on to their suppliers (Celfocus).

Given this “new” importance and these new external requirements, Celfocus has made a trade-off. To feel and be secure, we have invested in the creation of a team with roles, responsibilities and skills to:

  • understand and manage the risks associated with attacks on their security so that business decisions can be made where the returns justify the security investments;
  • have confidence that the risks associated with information security are manageable, that is, they don’t jeopardize the competitive position of the organisation or its own existence;
  • have confidence that the risk associated with information security does not prevent organisations from continuing to take advantage of technological innovation.

What does it mean for Celfocus?

We consider information security as a priority investment, one that allows Celfocus to competitively position itself in a demanding market. A market that has already integrated information security as a standard business requirement.

In that sense, we have developed an information security framework that is currently operationalizing the approved information security policies.

The operationalization of the strategy and information security policies allows us, among other things, to assess and manage the security risks, properly allocate resources and comply with the laws, regulations and contracts in force.

Although in the initial phase of this work more attention has been given to the aspects related to contracts and to information and communication technologies, we cannot underestimate, at this stage, relevant components such as information security awareness or the incorporation of information security requirements in the project management framework.

Information security awareness is essential for the creation of a positive security culture whose centre is the person, who is often the weakest link in the security chain. Statistics show that investments in technological security components, which can be high, are often undermined by security breaches caused by unsafe behaviours from the organisations’ personnel.

What are the advantages for Celfocus in having an information security program?

It promotes the security of its own information and, indirectly, that of its customers, and positions Celfocus in the international market, allowing it to answer RFPs/RFQs that are becoming more demanding on this matter.

Celfocus is developing a security culture that will promote the flexibility to integrate new requirements from its customers in the areas of security, risk, compliance and business continuity.

The feeling of security and the reality of security don't always match, says computer-security expert Bruce Schneier. In his talk, he explains why we spend billions addressing news story risks, like the "security theater" now playing at your local airport, while neglecting more probable risks — and how we can break this pattern.