by Vincent Goh

IN TODAY'S challenging business environment, the traditional boundaries surrounding our organisations, assets and information are quickly fading. Companies are also forced to look at ways to achieve high levels of efficiencies at a very low cost. As such, new technologies - in the form of virtualisation, cloud computing and social networking - are taking the enterprise by storm.

Unfortunately, the threat environment is evolving, and well-intentioned actions to drive new business value could bring about dangerous exposures to new risks.

In a recent study commissioned by RSA, more than eight in 10 respondents are concerned that the pressure to cut cost and generate revenue has increased the exposure to security risks. More than seven out of 10 said they have had security issues in the last 18 months.

The fact that the world is becoming increasingly interconnected makes things worse, since it means that today's risks are not constrained by geographical boundaries and therefore much larger in scale.

And as the costs of hosting websites fall, coupled with the emergence of higher Internet bandwidth in more countries, we are also seeing the emergence of more sophisticated hackers.

Threats today have also extended beyond virus and worm attacks, to the likes of infrastructure misuse and information theft. Data leakage is also on the rise.

There is a sensible way to enable - without excessive exposure to risk - what we call the 'hyper-extended enterprise', which is essentially an organisation that integrates Web technologies as well as outsources some of their business processes.

And the way is to aim for the middle ground.

This means shifting the security focus in enterprises to policies and practices that accommodate data sharing, while still protecting its confidentiality, integrity and availability.

Within organisations, chief security officers (CSOs) or chief information officers (CIOs) often face the need to simultaneously address opposing concerns. On one hand, there is a need to tighten control over data and therefore enforce security measures. On the other hand, the same project is not approved until the return on investment is quantified and proven.

Therefore, before adopting any new technology, CIOs must clearly understand the impact this adoption will have on the organisation's existing IT infrastructure as well as on its business.

The investment in new technology is worthwhile only if one knows how to use it in the right way and at the right time.

And it goes without saying that the new technology must never compromise information security. Information is the lifeblood of every organisation and companies cannot afford to take chances.

As a basic guideline for new technology adoption, CIOs should carefully consider the following three steps.

The first involves identification of information assets, such as data, services and infrastructure. Secondly, CIOs should identify all possible threats and vulnerabilities against those assets. Thirdly, these assets should be valued by introducing a suitable metric. It could be as simple as classifying these as low, medium and high risk.

Lastly, CIOs should always be aligning security with business priorities from an investment perspective. If they are engaging in security for security's sake, it may not always be of service to the business.

In this shifting landscape, the battlefront of security is rapidly changing from securing the perimeter to protecting the information at the source. An information-centric approach to security protects the integrity and confidentiality of information throughout its lifecycle, which ensures that the right people have access to the right information at the right time.

The writer is the managing director for South-east Asia, RSA, the security division of EMC.

This article was first published in The Business Times.