CIO Decisions Magazine, CIO Habitat
An Unpalatable Choice: Profitability or Security

by Thornton May

One of the reasons information security attracts a disproportionate percentage of the planet's smartest people is the massive unpredictability of the discipline. Everywhere you look in the infosec space, something interesting is happening. The people, processes and technologies in this arena are constantly moving, changing and transforming.

As such, security is to trend watchers what 19th-century Paris was to Impressionists, what Washington, D.C., is to lobbyists, what water is to fish. Quite simply, it is the place to be. Everything in security is a trend, a line drawn between two points. But with security, none of the points stay still for long.

For this CIO Habitat research report, we asked 130 IT practitioners, industry experts and technology leaders some thought-provoking questions about the state of information security inside their companies, inside their industries and within society and the economy at large. Most CIOs want to believe things are getting better, which may be the phenomenon driving the rather optimistic results in "The State of Info Security" chart (see below).

But the explanations provided by those who believe security is "getting worse" or "staying the same" were eloquent and deeply thought-out. A member of the senior team at one of the world's largest distributors of pharmaceutical products explains that security issues are "getting worse because the focus is all on Sarbanes[-Oxley] compliance. Compliance, not how do we get at the fundamentals and make them better. The question is always, 'What is the cheapest way to get into compliance?'"

A CIO in the entertainment industry concurs with the compliance angst, noting that "government compliance and security are impossible to fully accomplish. [But] whatever you do, make sure you are ready to defend whatever actions you may have taken."

The CIO at a major health care insurer is also concerned but more sanguine. "I think our understanding of what security means is evolving, probably rapidly. Yes, I think we're getting better, but that bar is being continuously raised. Like the rest of society, we are trying to create a riskless society [without really] understanding the costs or how we may want to live. Overall, we're spending more on security, but I would be hard-pressed to say we are more secure."

Many have observed that senior management's almost unavoidable mental positioning is that of "security as soap opera": A new episode surfaces every day, which is perceived as economically and strategically inconsequential or distracting. It exposes public and private enterprises alike to an Iliad-like bad ending, evoking the Trojan Horse that was the ultimate security breach for the ancient city of Troy.

The challenge now appears to be how to maintain momentum and progress on what promises to be a long journey. How do we turn down the noise of the soap opera, avoid the fate of Troy and finish the security odyssey?

Shaky Faith in Information Security
Drew Westen is a professor of psychology at Emory University in Atlanta, a frequent commentator on National Public Radio and a leading expert on bias. Via extensive empirical research, he has pointed out a design flaw in the human brain. "We [humans] have a tendency to believe what we want to believe. We seek information and draw conclusions consistent with what we want to be true," he explains.

While many believe security is improving, just as many are doubtful. The CIO at a property and casualty insurer states it more strongly. "Information security? Do you mean information insecurity? Despite the industry's best efforts to secure data and information, reality proves we don't have it right yet," he says. "My credit card company just called to say that a retailer notified them that their systems were compromised and 'Your account number may have been accessed. We can't share details but will need to reissue your card with a new number.' And if it isn't concerning enough that a hacker could get my data, it's clearer than ever that my data may be at risk, because our new generation of IT professionals isn't quite as professional or disciplined as [it] once [was]. More than ever, I question how safe data really is."

Another of our survey respondents, the director of security at a global energy services company, is a realist. He points out that "there is a heightened awareness, but much of it is not much more than checking boxes. We are still very insecure, as shown by [recently publicized data thefts from] LexisNexis, Discount Shoe Warehouse, ChoicePoint, Wachovia [and] Bank of America."

One of the smartest CIOs I have ever met understands the enormous job security really is. "I begin to wonder if I will ever have time to do what I need to do to help the company run profitably," he laments. In the mind of this accomplished, articulate CIO, it all comes down to an unpalatable choice: be secure or be profitable.

If security is to take hold, we must change that perception. We must figure out how to put those two words in the same sentence so that enterprises can become profitably secure.

Keys to Success
Industry watchers are amazed at the pace and extent to which the security industry has grown. Today, it is in excess of $100 billion globally. Paraphrasing former General Motors CEO Alfred Sloan, one can find a security product or service for every purpose and purse. But the most difficult commodity to come by today is a behavioral road map -- a path to winning the hearts and minds of executives and employees. Our respondents were quick to point out that the battle for senior management buy-in regarding security is far from over.

Every respondent believed that security practices can be improved and had suggestions for how to move the ball forward (see A CIO's Security Wish List). Success will require the same individualized diagnosis and treatment program that a good doctor gives to every patient. In brief, we need the following:

Awareness. What are the risks, economic choices or trade-offs? What resources can be allocated, and what has the organization decided to do?

Accountability. After the organization decides what to do, who is responsible for making sure it happens?

We also asked two questions about the key protagonist in the security story: What kind of person is he or she, and what kind of person does he or she need to be? (See "Face the Changes," at right.) More than one-third (35.5%) of the incumbent security leaders were identified as "geeks" and 16.5% as "guards." Are these the people with the skills to enable the enterprise to make real progress on information security?

According to our survey takers, the good news here is that the security tribe -- those who have been in the business for a long time and have historically been highly introverted -- are becoming less isolationist as security enters the mainstream of business practice.

"Information security is still an immature profession. The name itself means different things to different people," notes Vaughn L. Hazen, global network engineering project manager for Solvay Information Technologies Inc. in Houston. "The one thing I would change would be people's perception of information security. I would have the executives recognize it as a business enabler and a major part of any risk management strategy."

Copyright 2007 - 2008, TechTarget