East Africa security study cautions on cloud computing, internal threats Dennis Mbuvi

November 03, 2011

William Makatiani, manager at Deloitte's enterprise risk services, says that internal threats are a key information security concern in East Africa.

Information security in East Africa faces several challenges, namely the lack of a single source of information, the lack of preparedness by organisations to deal with threats, and insider threats. This is according to William Makatiani, Manager, Enterprise Risk Solutions at Deloitte East Africa. Makatiani was speaking on Thursday morning at the Serena Hotel, where Deloitte released the results of a Security Survey the firm conducted in East Africa. 45 per cent of respondents were from Kenya, with the remainder from Tanzania and Uganda.

The Security Study drew the highest number of responses from the financial services sector, the energy and resources sectors, and the media and communication industries. Areas covered include information governance, strategy, emerging trends and compliance.

Most organisations lacked budgets, skilled professionals or even a security centre. In some organisations it was not clear who was in charge of information security. The study mainly attributes this to a lack of security visibility within the organisations.

Organisations were also found to be more wary of external threats such as external hackers and viruses. However, internal threats were found to be of greater significance than external threats. This is attributed to more technology-savvy users and to data explosion, the large growth in the information collected and stored by organisations.

The study also cautions organisations on the adoption of cloud computing. "While this model can provide a high level of continuity and maintenance of the appropriate level of information security and reliably distributing authorization across the network, it represents a challenging set of security problems. Organisations should avoid placing sensitive information in the cloud unless they can obtain strong assurances of appropriate protection from all the vendors involved," says the study.

In most organisations the Chief Information Security Officer (CISO) appears to report to the Chief Information Officer (CIO). The CISO role is mainly responsible for monitoring the information technology infrastructure, which falls under the CIO's docket. If the CISO reports to the CIO, this raises an independence issue, especially since the CIO has to approve any reports coming from the CISO, who is a subordinate within the CIO's organisation. IT experts are also given responsibility for information security despite not being suited to such a role.

Employees were also found to be frequently lacking in security awareness, thus presenting a risk to the organisation. 65 per cent of security risks in organisations are attributed to well-meaning employees who unknowingly lead to a breach through means such as lost devices, written-down passwords and social engineering attacks, in which a user is misled into revealing valuable information to a person they believe they are familiar with. This could be tackled through employee training and policies that make staff aware of the risks within their own domains.

Makatiani says that insider threats call for a human resource policy that includes background and integrity checks on employees. He also recommends including information security experts in an organisation's strategy rather than bringing them in to fulfil a particular role such as audit.

Also released were the results of a similar survey on application security.
