Battling the Information Security Paradox

Tuesday, June 22, 2010

Contributed By:

Anthony M. Freed

Information security is still not garnering appropriate attention from the executive level at some of the largest companies in the world, many of whom are engaged in business activity considered critical to the nation’s infrastructure.

According to an article in InformationWeek, “more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business,” as quoted from Cylab’s Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies, combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands, one has to wonder why information security is not being given proper credence.

According to the report’s author, Jody Westby, who’s CEO of Global Cyber Risk and a distinguished fellow at CyLab, “the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data.”

Yes, but a willing detachment from the complex legal issues and the highly technical, often jargon-laden nuts and bolts of data security initiatives is probably only one of many causes of boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors.

That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk – they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

For the full article, visit InfosecIsland