CEOs Failing to Grasp Information Security Risk

Despite a continuing string of high-profile information security breaches, many organizations’ leadership teams still have a very poor understanding of their own susceptibility to similar failures, asserts a research note from leading analyst Ovum.

In his frank analysis of the security sector, Ovum’s chief analyst for enterprise IT Tim Jennings believes that most businesses will have the appropriate security solutions in place, and can point to malware detection, firewalls, email security measures, identity and access management, security intelligence, and any number of other elements designed to militate against attack.

Yet he argues that there is a lack of planning regarding how to react when a breach actually occurs. Moreover, he suggests that because the majority of security breaches are attributable to failures of process rather than of technology, organizations need to take an end-to-end, business-focused view of their security planning and response.

“It is interesting to compare the ways in which we treat financial and information resources within our organizations,” Jennings said. “The CFO has an absolute mandate to put in place the checks and controls that ensure financial resources are monitored and accounted for to the last penny. This culture is second nature to all employees, in that we know that accurate billing must take place, expenses must be accounted for, and the defined procedures are followed to the letter.”

“Contrast this with the way that information is treated in most organizations. There is rarely anyone with a clear mandate at a senior level to manage and safeguard information, and very few controls in place that monitor information in any way that mirrors these financial processes. The security measures attempt to erect fences, but they don’t track what happens to the assets that sit behind them. This is somewhat akin to locking the till, but never bothering to count what is in it.”

In a call to action, Jennings urges CEOs and executive boards to ensure that information security is consistently on their agenda, and that there is a clear mandate at a senior level to assess risk, report status, and respond to incidents.

He calls on organizations to put greater emphasis on the value of their information assets and on the processes in place to protect them, as well as on awareness of these controls among all employees and stakeholders. By reporting swiftly, accurately, and simply on the status of these assets and their controls at board level, organizations would give their leadership a clear picture of information security risk and response in the context of business operations.