The IT Security Buck Stops Here

Experts warn that increasingly, executives must consider themselves chief information security officers, and recognize that as with any other cause of business disruption, if IT security adversely interrupts business it is, ultimately at least, their responsibility.

US President Harry S Truman said in his farewell address in 1953: "The President has to decide. He can't pass the buck to anyone." Now that's an adage all executives might consider carving into their desks (if not their very souls) as the torrent of cyber attacks continues to highlight corporate vulnerability to IT security threats.

The days when executives could profess ignorance and happily pass all responsibility for security to their IT professionals are long gone. No executive can fail to be aware of the mounting toll data theft, virus and worm attacks and other security intrusions are taking on corporations struggling to keep up with the army of cyber villains intent on exploiting their technical knowledge to inflict maximum damage whenever and wherever they can.

AusCERT's 2003 Australian Computer Crime and Security Survey found that 42 percent of respondent organisations had suffered one or more computer attacks that harmed the confidentiality, integrity or availability of their network data or systems. Financial fraud, laptop theft and virus, worm and Trojan infections caused real losses, yet only 11 percent of respondents felt they were managing all computer security issues reasonably well. This should worry those at the top, since any executive could potentially find themselves liable in the event of a catastrophic security breach.

Following are some of the things all executives must know, and some questions they all must ask.

You Are Where the Buck Stops

While no court in the land is likely to find you personally liable should your corporation choose the wrong firewall, liability for IT security is governed by precisely the same principles that govern the individual liability of directors and officers for any other failure to carry out their duties. It might take a significant failing in your duty to act in the interests of shareholders under sections 180 and 181 of the Corporations Act for you to be found culpable, says Sydney-based IT lawyer Chris Wood, but the risk is always present.

"IT security is a significant enough problem for business that if executives completely ignored it, they'd leave themselves exposed to claims by shareholders," Wood says. "In an extreme case of neglecting the issue of IT security, directors could have an exposure personally, because it might be said that they have gone so far down the track in breaching their duty to the shareholders that they create a personal liability."

Taking responsibility means being prepared to talk frankly to customers about any attack. In the US, California's new breach notification law (SB 1386) requires a business to notify affected individuals when their unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorised person, and other US states are looking at implementing similar laws. Likewise, says Invisus president James Harrison, new US federal laws regulating certain industries, including health-care and banking and finance, impose similar requirements. Any Australian company eager to do business in the US must take note, and Australian law is likely eventually to follow suit.

Australian firms that choose voluntarily to ensure their security practices conform to the growing international standard ISO/IEC 17799 will have an easier time doing business abroad.

You need to make security an everyday part of IT: daily operations, design and architecture, policies, practices, configurations, event tracking and response, awareness training, and driving improved risk-based metrics. Your entire management team must recognize that information security is not just an IT matter but a business matter, and therefore each business unit owner must understand how they contribute to the overall success of information security through simple, easy-to-implement security practices that benefit the company overall, says TrueSecure Asia Pacific vice president of operations Philip Dewar.
