Security Watch
COLUMN
In Need of a New Deal

  April 29, 2002
  By Greg Shipley


Being a computer-science major in college was about as uncool as it got. My classmates and I were geeks in training: Our course work was loaded with math and science. We spent our weekends tweaking algorithms and the rest of the time in front of terminals prepping for post-graduate life... when we'd spend most of our time in front of terminals.

The business school always seemed more hip to me, though I never missed the chance to poke fun at what I thought was a far worse major -- accounting. No matter how many weekends I spent in a lab cluttered with hardware and empty pizza boxes, I was always grateful I'd never be a bean counter. How times change.

Now I look at bean counters with envy. Yes, even in a world where Enron dominates the headlines and shredders are referred to as Andersenizers, facets of the accounting industry appeal to me. The infosec arena can't hold a candle to the accounting industry's acceptance and maturity.

As a security practitioner, it's hard not to be jaded. Ask any information security veteran about his or her efforts, and you'll likely get your ear chewed off on topics like "lack of upper management buy-in," "ignorance among IT staff," "refusal to admit problems," "vendor stupidity," "having your hands tied behind your back" and, dare I say it, "information anarchy." Truth be told, it's hard to succeed when you're working the information security beat in a large enterprise environment. The system and networking folks view security as a timely but annoying task. Helpdesk folks hate hurdles and users don't like restrictions. Then you have internal legal teams. If you're lucky, there's a technology-savvy lawyer in-house, but a lawyer who can keep up with our rapidly evolving cyber laws is rare.

Unfortunately, the real PITA (pain in the ass) is usually upper-level management. That's where the accounting industry has security beat hands-down. Both business executives and board members understand financial audits. They understand the need for outside reviews. They understand separation of duties, checks and balances, and control -- when they concern accounting. But they approach information security with a different attitude -- if they approach it at all.

Somehow information security efforts are supposed to succeed with limited outside help. Information security efforts are supposed to be effective though they're often implemented within only one organizational unit. And information security efforts are supposed to be executed efficiently with no involvement from upper management. There are no controls, no separation of duties and no budgets to ensure that the risks surrounding the company's electronic assets are being managed. Nobody questions IT's value in modern business, but the concept of audit is magically exempt from the model.

As a consultant, I've seen the organizational models of many information security efforts -- and I've been shaken. Few information security efforts exist outside of IT and fewer still have an IT component along with a technical audit component outside of IT. Information security is still seen as an IT issue, much like Unix or network administration.

In Ernst & Young's 2002 information security survey, you'll find a list of questions regarding information "security governance." Perhaps the most noteworthy part of this list is not its content but its designated audience: the board of directors. These questions should be answered at the "boardroom level." No surprise that an accounting firm sees a parallel between financial audit and security audit.

It took President Franklin D. Roosevelt and the Great Depression to get the SEC and strong financial audit controls jump-started. What will it take to get our industry going? Maybe a renewed interest in strong audit practices and controls in the accounting world will spill over into information security. Or maybe tactical security efforts will finally receive the strategic reinforcements they need. Until then, practitioners should keep their heads up and their minds limber, continue doing their best with the ridiculously limited tools they have ... and keep hoping.

Send your comments on this column to Greg Shipley at gshipley@neohapsis.com.
