Battling the Information Security Paradox

Tuesday, June 22, 2010

Anthony M. Freed


Information security is still not garnering appropriate attention from the executive level at some of the largest companies in the world, many of whom are engaged in business activities considered critical to the nation's infrastructure.

According to an article in InformationWeek, "more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business," as quoted from CyLab's Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies - combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands - one has to wonder why information security is not being given proper credence.

According to the report's author, Jody Westby, who is CEO of Global Cyber Risk and a distinguished fellow at CyLab, "the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data," the article continued.

True, but a willing detachment from the complex legal issues or highly technical and often jargon-laden nuts and bolts of data security initiatives is probably only one of many causes for boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors. That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk - they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

The lack of a serious security event simply reinforces their instinctual notion that risk associated with information systems can be controlled, and that controlling "costs" is paramount when it comes to non-revenue generating expenditures (otherwise known to IT departments as "resources").

What the boardroom needs to understand is that sometimes their data was safe only because they had a first-rate security team with lots of support from management, and sometimes their data was safe simply because no one tried hard enough to get it.

And what about when someone does decide to really try? It is probably safe to assume the 60% of the Fortune 1000 companies surveyed who do not have a CSO or equivalent have never experienced a serious data loss event - or they still don't realize one has taken place.

(Un)fortunately, another aspect of the Information Security Paradox is that nothing provokes a sharp budget increase like a really expensive, publicly embarrassing, and professionally damaging information security event.

Information security risks cannot be controlled, but they can be made predictably benign if the right people are given the right tools, including the confidence and support of those at the corporate helm.

Enterprise Security, Security Awareness
Elias Psyllos:
In a world where the "paper trail" is dying out quickly and being replaced by digital means, companies have not taken the necessary precautions to protect their data. I work within the Digital Forensics arena and see this on a daily basis. It is much easier to steal information in digital form, as there are more avenues available for doing so. The article doesn't surprise me in the least. Think about it this way: if someone wanted to take a copy of a confidential document in paper form, they would have to physically have access to that document, then they would have to photocopy the document, and then place the original back without being noticed. In the digital world someone could simply put a USB thumb drive into the computer, copy the document and paste it onto the thumb drive, and walk away. For those who know what they are doing, they don't even have to be physically present to have access to the document; they can remote into the computer via the internet and simply copy, delete, alter, etc. the document. I am Sr. Forensic Investigator for a Digital Forensics company, so I see this on a daily basis. There are ways to protect digital data, and there are ways to ensure that information is truly deleted before throwing a computer out or sending a copy machine back to the leasing agent. There is a list of items that contain records of all documents that have gone through them. A few to mention are scanners, printers, copiers, and fax machines. All have means of obtaining data off of them, which can be used for identity theft, leaking of proprietary information, etc. There are means to protect yourself and your company against such instances, which were mentioned in the article. Feel free to reach out to me if you would like to learn ways to protect your data, or would like to inquire about my company's services in doing so.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
