CIO
Give It Away
Peter Hind 05 May, 2005 13:44:38

Take my security, please . . .

Can someone please tell me why the IT department has responsibility for IT security? Stop and think. Do the marketing and accounting departments have responsibility for the physical security of office buildings? The guards and locks that restrict access to most companies' premises are there to protect confidential financial and sales data, but that security is amortized across the various operating units of a business. Why isn't this the case when it comes to the security of the online information resources?

It seems everywhere you turn in IT at the moment you're confronted by the importance of security. It dominates conferences and seminars. A healthy percentage of the adverts in industry publications press home security's importance. It's taking up an increasing proportion of the IT budget. IDC is forecasting a compound annual growth rate of nearly 17 percent in security solutions spending in Australia and New Zealand between now and 2008. While some security vendors may be salivating at the increase in sales these numbers suggest, there is a strong danger that, unless this investment is separated from the IT budget, CIOs run the risk of shooting themselves in the foot.

This was brought home to me recently when I reviewed the results of last year's AusCERT Computer Crime and Security survey. The evidence strongly supports a need to be vigilant about IT security. Between the 2003 and 2004 studies there was an increase in the number of respondents stating they had experienced an electronic attack on their IT system in the last 12 months. Moreover, the average cost of these attacks is escalating. The average loss in organizations that were able to quantify the damage increased 20 percent between the 2003 and 2004 surveys and now stands at $116,212.

Yet hidden in the survey is the fact that these problems are much more to do with culture than they are to do with technology. Around 65 percent of respondents said the biggest challenge their organization faced with IT security was constantly changing personnel attitudes and behaviour. Similarly, 85 percent believed their organizations needed to do more to educate staff on IT security. A further 43 percent reported a lack of senior management understanding of the issues to do with IT protection. IDC's research in the US reported similar findings. Of those organizations with over 1000 staff, nearly half would spend a larger IT security budget on general training.

To me this all suggests that CIOs are taking responsibility for something that is beyond the scope of their portfolio. Just because IT security involves IT does not mean that the CIO should take stewardship of the issue. If the business takes no responsibility for the task at hand, the CIO is left in a no-win situation: they'll be blamed for any problems and resented because they control a bigger budget to address those very same problems. The CIO will become the convenient whipping boy or girl for all the business's failings on IT security.

If, as the AusCERT results suggest, effective IT security requires cultural change across the organization, then surely that is a task that falls to human resources. Why not consolidate IT security under the overall organizational task of security? The person doing that job will undoubtedly need to be conversant with IT security issues. They may even be from the IT department. However, they shouldn't be based there and they should be separately funded.

Only then will it be possible to view IT security as a component of overall business risk management, for which all employees share a responsibility. The business can then take a collective decision on risk management around IT and CIOs can get back to work on the multitude of other issues that require their attention.

Peter Hind is a freelance consultant and commentator with nearly 25 years' experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years. He can be reached on launchpadmktg@optusnet.com.au
