The IT Security Buck Stops Here
- 10 May, 2004 11:58
Need to convince corporate leaders with objective measures of security's value? Start here.
US President Harry S Truman said in his farewell address in 1953: "The President has to decide. He can't pass the buck to anyone." Now that's an adage all executives might consider carving into their desks (if not their very souls) as the torrent of cyber attacks continues to highlight corporate vulnerability to IT security threats.
The days when executives could profess ignorance and happily pass all responsibility for security to their IT professionals are long gone. No executive can fail to be aware of the mounting toll that data theft, virus and worm attacks and other security intrusions are taking on corporations struggling to keep up with an army of cyber villains intent on using their technical knowledge to inflict maximum damage whenever and wherever they can.
In 2003 alone, the Australian Computer Crime and Security (AusCERT) Survey shows, 42 percent of corporations fell victim to one or more computer attacks that harmed the confidentiality, integrity or availability of network data and systems. Financial fraud, laptop theft and virus, worm and Trojan infections caused real losses, yet a dismal 11 percent of respondents felt they were managing all computer security issues reasonably well. This should worry those at the top, since all executives could find themselves potentially liable in the event of a catastrophic security breach.
Experts warn that executives must increasingly consider themselves chief information security officers, and recognize that, as with any other cause of business disruption, if an IT security failure interrupts the business, the responsibility is ultimately theirs.
Following are some of the things all executives must know, and some questions they all must ask.
You Are Where the Buck Stops
While no court in the land is likely to find you personally liable should your corporation choose the wrong firewall, liability for IT security is governed by precisely the same sorts of principles that govern individual liability of directors and officers for any failure to carry out their duty. It might take a significant failing in your duty to act in the interests of shareholders under sections 180 and 181 of the Corporations Act for you to be found culpable, says Sydney-based IT lawyer Chris Wood, but the risk is always present.
"IT security is a significant enough problem for business that if executives completely ignored it, they'd leave themselves exposed to claims by shareholders," Wood says. "In an extreme case of neglecting the issue of IT security, directors could have an exposure personally, because it might be said that they have gone so far down the track in breaching their duty to the shareholders that they create a personal liability."
Taking responsibility means being prepared to talk frankly to customers about any attack. In the US, the new California Cyber Security Law requires any corporation suffering a cyber attack to notify its customers, and other US states are looking at implementing similar laws. Likewise, says Invisus president James Harrison, new US federal laws regulating certain industries, including health care and banking and finance, impose similar requirements. Not only must any Australian company eager to do business in the US take note; Australian law is likely eventually to follow suit.
Australian firms that choose voluntarily to ensure their security practices conform to the growing international standard ISO-17799 will have an easier time doing business abroad.
You need to make security an everyday part of IT: from daily operations, through design and architecture, policies, practices, configurations, event tracking and response, to training and awareness, and on to driving improved risk-based metrics. Your entire management team must recognize that information is not just an IT matter but a business matter, says TrueSecure Asia Pacific vice president of operations Philip Dewar. Each business unit owner must therefore understand how they contribute to the overall success of information security through simple, easy-to-implement security practices that benefit the company as a whole.