Information Security, Availability and the Board of Directors
By Tom Schmidt
For its 2006 "State of the CIO" study, released earlier this year, CIO Magazine surveyed 545 executives in charge of IT from a broad range of industries. The study found that, for CIOs in large companies, one of the biggest barriers to doing their jobs was "demonstrating IT value." Another significant barrier: "unrealistic or unknown expectations" from other areas of the business.
For CIOs, the survey underscores the ongoing importance of understanding the business side of the enterprise, and of taking into account those goals when planning and executing IT purchases. Indeed, the survey found that a lack of understanding and two-way communication is a more serious roadblock than inadequate budgets, highlighting the importance of aligning business goals and IT.
In light of such findings, what can CIOs do to improve communications with their board of directors in particular? What steps can they take to convey the vital importance of information security and availability? This article explores some of the answers to those questions. It also looks at a tool that can help CIOs make a more informed case regarding their information security and availability investments.
The rise of cybercrime
The challenge for today's CIOs and IT departments couldn't be plainer: they must support the business goals of the enterprise by ensuring the safety and accessibility of its information assets. This they must do in the face of ever-tightening budgets, even as they are tasked with implementing new capabilities that enable the enterprise to pursue new opportunities.
At the same time, enterprises continue to be challenged by modern-day security threats. These threats change on an hourly basis, they're growing in frequency and complexity, and they originate from both inside and outside the network. Enterprises also face more rigorous regulatory pressure, dealing with internal compliance policies and federal regulations.
Given such an environment, it's essential that CIOs make the case to upgrade their security infrastructure to prevent financial losses that could occur if the network's security were to be breached. Moreover, a breach is much more likely today than it was as recently as a few years ago. That's because the threat landscape is undergoing a profound shift. As the latest Internet Security Threat Report pointed out, the new threat landscape is increasingly dominated by attacks and malicious code that are used to commit cybercrime. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets. That's a message the board needs to hear loud and clear.
Unfortunately, many organizations still address security issues only as they occur, tackling one problem at a time. They don't have time to remediate in an organized fashion because they're constantly dealing with "fire drills." The end results include business downtime due to attacks, inefficiencies in the patch regimen, and information lockdown. That's an untenable situation for an "always on" enterprise.
What's needed is a solution that addresses the challenge of providing anticipatory protection against known, unknown, internal, and external threats while still allowing necessary information access throughout attacks and remediation. Today's enterprises require a solution that provides multi-layered, end-to-end security that assesses threats, monitors controls, shields individual applications, and protects desktops. In short, they require protection at all layers of the organization -- from gateway to client to internal network and critical systems.
Creating a dialogue
Making the case for such a solution calls for a dialogue. And starting a dialogue with the board of directors requires that a common language be spoken. Unfortunately, the "bits and bytes" of IT and the language of business tend to be mutually incomprehensible.
The dialogue can be simplified if monetary values are used to establish a common understanding of what is at risk. Traditionally, the monetary valuation of information assets has not been common in IT departments. However, driven by recent regulatory demands (e.g., Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley), there has been an increasing realization of the need to understand these assets in relation to their value to the business as a whole.
A strategic approach
Managing information has never been so challenging. Today's enterprises must simultaneously protect their IT systems from internal and external threats while allowing uninterrupted information access to authorized users.
At the same time, a shifting threat landscape has made it imperative to address information security and availability strategically, across the enterprise, rather than department by department. Indeed, certain corporate governance drivers, such as Basel II and Sarbanes-Oxley, are motivating businesses to recognize the importance of communication among all departments.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.