The Register® — Biting the hand that feeds IT

Feeds

IT bosses: directors don't take security seriously

Their fault for not talking the board's language?

By Bryan Betts, 13th August 2007
  • print
  • alert

Cloud based data management

Most IT managers believe that while their board-level superiors pay lip service to compliance and security, they don't really take it seriously, according to a survey carried out for software developer NetIQ.

The survey also revealed that 51 percent of the 218 UK companies queried still do not have the processes and procedures in place to manage risk and comply with rules such as PCI and MIFID.

Ulrich Weigel, NetIQ's security products director, acknowledged that the survey only measured the perceptions of IT and security managers, but said he was still surprised at the degree of scepticism that they showed.

With all the publicity that regulatory compliance has received, you might have expected company directors to understand the importance of IT security by now, but it seems they are as clueless as ever. However, Weigel suggested that's partly the fault of the IT department.

"IT tends to talk about the technical aspects of security, but the business manager needs to understand the risk they're running," he said. "That gets you into predictive management, and while most companies do that for systems management, very few do it from the security point of view."

Thomas Raschke, an analyst with Forrester Research, said that the gap in understanding between IT and the rest of the business tied in with his own research.

"We are currently in a time of transition, one that can make CISOs [chief information security officers] with less business-side experience acutely uncomfortable," he added. "In the interim, legacy CISOs and other security managers still struggle with gaining visibility and influence within the business."

Weigel suggested that IT managers need to learn how to discuss the security risks in financial and business terms, so they can explain that "the cost [of security] is ridiculously small compared to the cost of a breach."

They must also bring the way their departments work into line with other parts of the business, he said, for example by acquiring systems and security management and reporting tools that "connect people to processes" by turning IT activities into workflows. Not surprisingly, NetIQ sells exactly that, in the shape of its Vigilant Policy Centre.

"Systems management traditionally has well-defined workflows," he said. "The challenge is making sure those are followed and are auditable."®

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

COMMENTS

House Rules Send Corrections
All Reader Comments (6)
Latest Comments
Anonymous Coward
Anonymous Coward

IT Department vs The Whole Business Community

The epic struggle of the IT department versus the business departments rages onward. However, this really isn't about technology at all. It is about "data assets" regardless of whether or not technology is utilized. When asked, "What are your most valuable assets?" - Nine out of ten will say, "My people, and my core business functions". Very few companies are able to quantify their data assets unless it's a proprietary process or a trademark secret. I've heard business managers refer to security as the "barking dog or chicken little" syndrome. Let's face it, no business owner or executive will ever take information security seriously unless the consequences of not implementing mitigation strategies out way the cost of the safeguards. Simply put, it is the cost of doing business. Put the blame where the blame belongs.

0
0
Anonymous Coward
Anonymous Coward

biz ppl...

Yet another proof of how clueless business people are. It is a shame that people with a distorted view of reality (with just knowledge of MBA's, Marketing, "Sales", and the like) are the ones ruling the world---hmm.. that explains many things...

These ppl have clever "business ideas" but know nothing about the field where those business will be...

retarded.

0
0
SImon Hobson

But everyone *knows* it an It problem ...

At least that is how it was treated at my previous employer. Not just security but a whole host of business issues (business continuity anyone ?) were conveniently labelled as "IT" issues and therefore delegated to the (already overstretched) IT dept. Oh yes, and did I mention budget ? There wasn't one !

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
61
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
EU Justice Department stalls India's security clearance
Without a 'data secure destination' cert India's locked out of $30bn euro-sourcing market
17