Battling the Information Security Paradox
Friday, 25 June 2010

By Anthony M. Freed, Infosec Island

Information security is still not garnering appropriate attention from the executive level at some of the largest companies in the world, many of whom are engaged in business activity considered critical to the nation's infrastructure.

According to an article in InformationWeek, "more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38 percent have a chief security officer, and just 20 percent have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business," as quoted from CyLab's Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies, combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands, one has to wonder why information security is not being given proper credence.

According to the report's author, Jody Westby, who's CEO of Global Cyber Risk and a distinguished fellow at CyLab, "the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data."

Yes, but a willing detachment from the complex legal issues and the highly technical, often jargon-laden nuts and bolts of data security initiatives is probably only one of many causes of boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors. That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk -- they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

The lack of a serious security event simply reinforces their instinctual notion that risk associated with information systems can be controlled, not just mitigated, and that controlling "costs" is paramount when it comes to non-revenue generating expenditures (otherwise known to IT and compliance departments as "resources").

What the boardroom needs to understand from past experience is that sometimes their data was safe only because they had a first-rate security team with lots of support from management, and sometimes their data was safe simply because no one tried hard enough to get it.

And what about when someone does decide to really try?

It is probably safe to assume that the 60 percent of the Fortune 1000 companies surveyed who do not have a CSO or equivalent have never experienced a serious data loss event -- or they still don't realize one has taken place.

(Un)fortunately, another aspect of the Information Security Paradox is that nothing provokes a sharp budget increase like a really expensive, publicly embarrassing, and professionally damaging information security event.

Information security risks cannot be controlled, but they can be made predictably benign if the right people are given the right tools, including the confidence and support of those at the corporate helm.

Anthony Freed is director of business development and managing editor at Infosec Island Network.

Copyright © 2009 - 2010 WireHead Security, LLC




Comments (1)
1. 06-26-2010 09:59
 
As we see often on CIOZone, there is a great deal of confusion regarding the role and value of a CIO, and that is a role that is infinitely more established than the role of CISO, CSO or CPO. Hence, it's not surprising that we don't see these roles more frequently. However, it is incumbent on any CIO to make sure that a member of his staff (or he himself) is attending to the security of the organization; obviously the degree of focus and budget will dictate how successful he is.

Copyright © 2007-2012 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.