Feeds

IT bosses: directors don't take security seriously

Their fault for not talking the board's language?

SANS - Survey on application security programs

Most IT managers believe that while their board-level superiors pay lip service to compliance and security, they don't really take it seriously, according to a survey carried out for software developer NetIQ.

The survey also revealed that 51 percent of the 218 UK companies queried still do not have the processes and procedures in place to manage risk and comply with rules such as PCI and MIFID.

Ulrich Weigel, NetIQ's security products director, acknowledged that the survey only measured the perceptions of IT and security managers, but said he was still surprised at the degree of scepticism that they showed.

With all the publicity that regulatory compliance has received, you might have expected company directors to understand the importance of IT security by now, but it seems they are as clueless as ever. However, Weigel suggested that's partly the fault of the IT department.

"IT tends to talk about the technical aspects of security, but the business manager needs to understand the risk they're running," he said. "That gets you into predictive management, and while most companies do that for systems management, very few do it from the security point of view."

Thomas Raschke, an analyst with Forrester Research, said that the gap in understanding between IT and the rest of the business tied in with his own research.

"We are currently in a time of transition, one that can make CISOs [chief information security officers] with less business-side experience acutely uncomfortable," he added. "In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business."

Weigel suggested that IT managers need to learn how to discuss the security risks in financial and business terms, so they can explain that "the cost [of security] is ridiculously small compared to the cost of a breach."

They must also bring the way their departments work into line with other parts of the business, he said, for example by acquiring systems and security management and reporting tools that "connect people to processes" by turning IT activities into workflows. Not surprisingly, NetIQ sells exactly that, in the shape of its Vigilant Policy Centre.

"Systems management traditionally has well-defined workflows," he said. "The challenge is making sure those are followed and are auditable."®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.