Feeds

IT bosses: directors don't take security seriously

Their fault for not talking the board's language?

Next gen security for virtualised datacentres

Most IT managers believe that while their board-level superiors pay lip service to compliance and security, they don't really take it seriously, according to a survey carried out for software developer NetIQ.

The survey also revealed that 51 percent of the 218 UK companies queried still do not have the processes and procedures in place to manage risk and comply with rules such as PCI and MIFID.

Ulrich Weigel, NetIQ's security products director, acknowledged that the survey only measured the perceptions of IT and security managers, but said he was still surprised at the degree of scepticism that they showed.

With all the publicity that regulatory compliance has received, you might have expected company directors to understand the importance of IT security by now, but it seems they are as clueless as ever. However, Weigel suggested that's partly the fault of the IT department.

"IT tends to talk about the technical aspects of security, but the business manager needs to understand the risk they're running," he said. "That gets you into predictive management, and while most companies do that for systems management, very few do it from the security point of view."

Thomas Raschke, an analyst with Forrester Research, said that the gap in understanding between IT and the rest of the business tied in with his own research.

"We are currently in a time of transition, one that can make CISOs [chief information security officers] with less business-side experience acutely uncomfortable," he added. "In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business."

Weigel suggested that IT managers need to learn how to discuss the security risks in financial and business terms, so they can explain that "the cost [of security] is ridiculously small compared to the cost of a breach."

They must also bring the way their departments work into line with other parts of the business, he said, for example by acquiring systems and security management and reporting tools that "connect people to processes" by turning IT activities into workflows. Not surprisingly, NetIQ sells exactly that, in the shape of its Vigilant Policy Centre.

"Systems management traditionally has well-defined workflows," he said. "The challenge is making sure those are followed and are auditable."®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.