01:15 PM
InformationWeek Analytics: Security At The Halfway Point

Regulations are driving high levels of security cooperation among IT directors and C-level executives. It's a good start, but the next step must be to move from "compliance" to effective risk management.

Frankly, we expected fireworks. We developed this InformationWeek Analytics survey under the premise that IT management is seething with resentment over executives' neglect of security. When we sliced the responses of IT managers and C-level business leaders, we figured executives would provide politically correct responses, but IT would tell the dirty truth: that security operations are underfunded, information security priorities are sidelined by the business, and top management has little interest in what the security group is up to.

Boy, were we surprised. IT directors and managers are remarkably aligned with C-level execs across a broad range of infosec issues, from threat vectors to security's role in business decisions. A large majority say executives demonstrate meaningful support for security (see chart, "Execs Get It", below).

The level of agreement had us looking for answers why, and the survey data points strongly to a single source: regulations. Industry and government compliance mandates are cited as the top influence on information security programs. It seems government and industry regulations have achieved what security evangelists couldn't: making security a priority at the highest levels of the enterprise. That's a good start, but it's not enough.

Security Maturity
In an ideal world, companies would exercise due care with all sensitive data. But then, we'd no longer need SB 1386, the California law that requires companies to publicly disclose the exposure of customers' personal information, or the PCI Data Security Standard, a program of sensible, even remedial, security controls for companies that process and store credit cards.

The fact is, when it comes to security, companies often behave like obtuse or careless children. Compliance programs are tangible reminders that if you play the fool, you'll pay the price. Companies that fail to meet requirements face a variety of unpleasant outcomes. But while compliance programs have helped raise awareness among top executives, they don't address two complex and interrelated issues. First, compliance and security aren't always equivalent. Companies can get a gold star from a PCI assessor for checking all the boxes, while malware on a key server quietly shuttles credit card data to a criminal gang in Eastern Europe.

Second, compliance programs tend to create a dynamic that undercuts the original intent of the regulations, to protect systems and reduce the chances data will be stolen or misused. That implies an understanding of the risks a company faces and the daily application of rigorous processes and procedures to address those risks. But the operational effect is that, when faced with compliance mandates, companies ask, "How can I meet these requirements with the least effort, cost, and amount of change to the way we do things?" This is like switching from Oreos to SnackWell's--it's fewer calories, but it still ain't vegetables.

And the next hurdle will be even harder--to get organizations to evolve from a compliance-centric mentality to a security program built around clear-eyed risk assessment and the measures appropriate to meet those risks.

There's a foundation for this evolution. Respondents reported the second-greatest influence on their security programs is the threat and risk assessments conducted by their security teams. Tune in next year to see if we're making progress.

Chart: Execs Get It: Do executives at your company demonstrate support of information security as a corporate priority through active leadership, sufficient budget, or other methods?
