Analysts to CISOs: Learn about business

Analysts advise security officers to learn about their employers' businesses, not security, if they want to get ahead.

Chief information security officers (CISOs) need to learn more about the business side of the companies they work for to effectively communicate the importance of computer security, analysts said Wednesday at the Gartner IT Security Summit 2005 in London.

The relationship between business managers and IT security employees at many companies is "not very healthy at all" because of communication barriers, said Paul E. Proctor, a vice president with Gartner.

Proctor advised security managers that "The future means that you've got to care about the business."

The most effective companies have a risk management officer, a person who can ideally understand technical security issues but be able to evaluate whether it's right to invest in equipment. That subjective information can be passed along to the business side, Proctor said.

That kind of evaluation is new and foreign to many businesses; however, a handful of companies are successfully integrating the two sides, he said.

The two-day Gartner conference focuses on how IT managers can deal with a range of security issues affecting their companies, including phishing of passwords, government compliance and consumer confidence.

The threats to computer systems have become greater, as people with lower levels of computer skills are successfully causing havoc with credit card information theft and money laundering, said Jay Heiser, research vice president with Gartner.

Awareness is increasing, but businesses are overly optimistic on how robust their systems are, he said. In particular, as more services are included in operating systems, there is more opportunity for unauthorized access.

"We think it's getting better, but we don't see that Windows will be innately secure in the next five years," Heiser said.

Other threats, such as viruses, means that you can't take a machine with the Windows operating system "out of the box and expect it to survive," Heiser said.

In a separate session, Klaus Brunnstein, a professor of applied informatics at the University of Hamburg, said risks come from software that is "full of programming faults." Programs have become so complex that the security remedies for them are also complicated, and it's difficult to identify flaws, he said.

E-mails containing active code hidden in HTML (Hypertext Markup Language) or XML (Extensible Markup Language) may have hidden, malicious content the user is unlikely to see, making it difficult to evaluate the risk, Brunnstein said.

The key to solving security issues lies with both the manufacturers and companies that use the systems, said Bob Bruce, vice president of Mobile Solutions for Nokia Enterprise Solutions.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about GartnerNokia

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Jeremy Kirk

Latest Videos

More videos

Blog Posts