A recent security survey by Ernst and Young (E&Y) found there is both a lack of IT security priority in the executive suite and a lack of security awareness amongst users.
The latter, which was rated as the top obstacle to effective information security, was not even on the radar in 2003 when “budget constraints” was the top challenge.
On a more positive note, companies confident about their information security were more likely to have security buy-in at the executive level.
Though nothing in the survey stood out as a major concern for Kent Kaufield, a partner in the technology security risk services practice with E&Y in Calgary, he admitted that the results force “a little bit of a head shake” when year after year Ernst & Young has “to report the C-suite isn’t really taking security as seriously as [it] should.” Only 20 per cent of respondents strongly agreed that information security is a CEO-level priority; 34 per cent agreed, 25 per cent were neutral and 20 per cent disagreed or strongly disagreed.
For those classified as “confident respondents,” 34 per cent said they strongly agree that data security is a CEO-level priority, while 36 per cent agreed.
“All the CEOs say the right thing — security is important — but when you look at the stats, things like spending, (they’re) not spending like they say they will,” Kaufield said. “That is the disconnect that still seems to be apparent.” In fact, 61 per cent of the respondents said IT security spending will go up in 2004 and 69 per cent said 2005 will see more spending than 2004.
Numbers like this make Richard Reiner a tad suspicious of respondents’ truthfulness. “I would suppose that there is still a trend for the individual to answer these questions to put a positive rather than negative face on things,” said the CEO of FSC Internet Corp., a security solutions provider in Toronto. “By and large, I see no change in budgets.”
But Reiner said there are organizations in Canada that do a good job with IT security — financial institutions, insurance companies and telcos — and “probably don’t need to increase their info-sec spending.”
He did say, however, that the Canadian retail sector is often a different story. Recently he had a conversation with an executive from a “reasonable-sized” retailer who told Reiner his company had no one responsible for IT security, no IT security budget and no IT security policies. Reiner admits it is not common to see this lack of security in a retailer, but added “it’s not rare.”
This is decidedly not the case at the Bank of Montreal. Robert Garigue, the bank’s chief information security officer, said the key to success is for companies to move away from an infrastructure security culture, where the means of control is focused on firewalls and other technology, to a culture of info-security, where information is the key component.
“Security now has to be recast around the content,” he said, since “the nature of the problem has changed…(and) there is a difficulty in defining where the internals are.”
Because of this it is difficult for companies operating in an interconnected world to figure out where the boundaries are, he explained. Are partners and clients on the inside, outside or in some ill-defined area in between? So when Garigue and other financial services security folks get together, the talk is not about antivirus and firewalls but rather about “common data classifications,” so that information moved within a bank or between banks has a consistent level of security surrounding it.
Kaufield said new regulatory compliance like Sarbanes Oxley is forcing companies to re-examine their security policies. “It has really pushed accountability to the CEO and CFO…(so) it brings IT issues to the forefront…and (dictates) who is responsible for security,” he said.
Garigue agreed with Kaufield but said companies need to “operationalize” compliance so data moving across the value chain is protected in a consistent manner. The focus should not be on technology solutions but rather on “business models,” he said.
Garigue also found it surprising that the top security concern (77 per cent of respondents) was major viruses, Trojans or Internet worms. “Quite honestly, that is not where (my) concerns are,” he said. “If you are in an organization that has a certain amount of maturity, those are being addressed by [information technology] processes” built into the corporate security model and not necessarily a C-level concern.
Additionally, a “very disturbing” disconnection, Kaufield said, was the fact that only 53 per cent of the global respondents said their employees get continuous training in security even though user security awareness was said to be the number one obstacle to effective information security.
More than 1,230 organizations participated in the survey. The majority (55 per cent) of respondents did not classify themselves as C level executives, though of the 45 per cent who were, about half of them were chief security or information security officers.
Financial (17 per cent) and manufacturing (15 per cent) represented the two largest respondent groups. E&Y has been doing the survey since 1993.