Frankly, we expected fireworks. We developed this InformationWeek Analytics survey under the premise that IT management is seething with resentment over executives' neglect of security. When we sliced the responses of IT managers and C-level business leaders, we figured executives would provide politically correct responses, but IT would tell the dirty truth: That security operations are underfunded, information security priorities are sidelined by the business, and top management has little interest in what the security group is up to.
Boy, were we surprised. IT directors and managers are remarkably aligned with C-level execs across a broad range of infosec issues, from threat vectors to security's role in business decisions. A large majority say executives demonstrate meaningful support for security (see chart, "Execs Get It", below).
The level of agreement had us looking for answers why, and the survey data points strongly to a single source: regulations. Industry and government compliance mandates are cited as the top influence on information security programs. It seems government and industry regulations have achieved what security evangelists couldn't: making security a priority at the highest levels of the enterprise. That's a good start, but it's not enough.
In an ideal world, companies would exercise due care with all sensitive data. But then, we'd no longer need SB 1386, the California law that requires companies to publicly disclose the exposure of customers' personal information, or the PCI Data Security Standard, a program of sensible, even remedial, security controls for companies that process and store credit cards.
The fact is, when it comes to security, companies often behave like obtuse or careless children. Compliance programs are tangible reminders that if you play the fool, you'll pay the price. Companies that fail to meet requirements face a variety of unpleasant outcomes. But while compliance programs have helped raise awareness among top executives, they don't address two complex and interrelated issues. First, compliance and security aren't always equivalent. Companies can get a gold star from a PCI assessor for checking all the boxes, while malware on a key server quietly shuttles credit card data to a criminal gang in Eastern Europe.
Second, compliance programs tend to create a dynamic that undercuts the original intent of the regulations, to protect systems and reduce the chances data will be stolen or misused. That implies an understanding of the risks a company faces and the daily application of rigorous processes and procedures to address those risks. But the operational effect is that, when faced with compliance mandates, companies ask, "How can I meet these requirements with the least effort, cost, and amount of change to the way we do things?" This is like switching from Oreos to SnackWell's--it's fewer calories, but it still ain't vegetables.
And the next hurdle will be even harder--to get organizations to evolve from a compliance-centric mentality to a security program built around clear-eyed risk assessment and the measures appropriate to meet those risks.
There's a foundation for this evolution. Respondents reported the second-greatest influence on their security programs is the threat and risk assessments conducted by their security teams. Tune in next year to see if we're making progress.