Take my security, please . . .
Can someone please tell me why the IT department has responsibility for IT security? Stop and think. Do the marketing and accounting departments have responsibility for the physical security of office buildings? The guards and locks that restrict access to most companies' premises are there to protect confidential financial and sales data, but the cost of that security is amortized across the various operating units of the business. Why isn't this the case when it comes to the security of online information resources?
It seems everywhere you turn in IT at the moment you're confronted by the importance of security. It dominates conferences and seminars. A healthy percentage of the adverts in industry publications press home security's importance. It's taking up an increasing proportion of the IT budget. IDC is forecasting a compound annual growth rate of nearly 17 percent in security solutions spending in Australia and New Zealand between now and 2008. While some security vendors may be salivating at the increase in sales these numbers suggest, there is a strong danger that, unless this investment is separated from the IT budget, CIOs run the risk of shooting themselves in the foot.
This was brought home to me recently when I reviewed the results of last year's AusCERT Computer Crime and Security survey. The evidence strongly supports the need to be vigilant about IT security. Between the 2003 and 2004 studies there was an increase in the number of respondents stating they had experienced an electronic attack on their IT systems in the previous 12 months. Moreover, the average cost of these attacks is escalating. The average loss in organizations that were able to quantify the damage increased 20 percent between the 2003 and 2004 surveys and now stands at $116,212.
Yet hidden in the survey is the fact that these problems have much more to do with culture than with technology. Around 65 percent of respondents said the biggest challenge their organization faced with IT security was the constant struggle to change personnel attitudes and behaviour. Similarly, 85 percent believed their organizations needed to do more to educate staff on IT security. A further 43 percent reported a lack of senior management understanding of the issues to do with IT protection. IDC's research in the US reported similar findings: of those organizations with over 1000 staff, nearly half would spend a larger IT security budget on general training.
To me this all suggests that CIOs are taking responsibility for something that is beyond the scope of their portfolio. Just because IT security involves IT does not mean that the CIO should take stewardship of the issue. If the business takes no responsibility for the task at hand, the CIO is left in a no-win situation: they'll be blamed for any problems and resented because they control a bigger budget to address those very same problems. The CIO will become the convenient whipping boy or girl for all the business's failings on IT security.
If, as the AusCERT results suggest, effective IT security requires cultural change across the organization, then surely that is a task that falls to human resources. Why not consolidate IT security under the overall organizational task of security? The person doing that job will undoubtedly need to be conversant with IT security issues. They may even be from the IT department. However, they shouldn't be based there and they should be separately funded.
Only then will it be possible to view IT security as a component of overall business risk management, for which all employees share a responsibility. The business can then take a collective decision on risk management around IT and CIOs can get back to work on the multitude of other issues that require their attention.
Peter Hind is a freelance consultant and commentator with nearly 25 years experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years. He can be reached on email@example.com