Information Security Best Practices
By Lisa Ferri
One of the universal truths that has emerged for companies doing business in our digital age is the primacy of information security. Put another way: you're only as good as your information is safe. Whether you're in healthcare, finance, energy or the public sector, information security has become the linchpin for every successful company. CIOs, CSOs and CISOs are the new gatekeepers of this most vital of all business initiatives, ensuring consistency and continuity across all business platforms and units.
The stakes are undeniably high. Companies are vulnerable to a host of rapidly evolving threats that stand to bring even the most conscientious companies to a screeching halt: Internet worms and viruses, phishing, spam and hackers. Information security breaches can -- and have -- cost publicly-traded companies millions of dollars in lost market value according to the "2004 Global Information Security Report" from Ernst & Young. In its most recent study of information security, Ernst & Young identified viruses, Internet worms, and "Trojan horses" among the top five causes of major unexpected outages of critical business systems; 68% of respondents could trace their major outages to these culprits.
The rate of change in the information security arena is astounding; not only are the threats themselves evolving at lightning speed, but the roles of those in charge of information security are, too. This is the finding of Ernst & Young in its study, as well as that of CIO magazine, in its "The State of Information Security 2004" report: Information security has moved beyond being simply a necessary evil to becoming an area ripe for competitive advantage and increased shareholder value. As a consequence, CIOs, CSOs and CISOs should play an increasingly critical role within the organization going forward.
There are signs that they are moving in that direction. CIO magazine's survey found that while IT budgets remained flat, the percentage of those budgets dedicated to information security rose to 11% among respondents. And more than ever, CIO found, information security executives are gaining their independence from IT departments, reporting to risk management (8%), audit (9%), legal (4%), and independent security committees (7%). But there is also evidence that there are still miles to go in the race to give information security executives the power and influence they need. Just 20% of Ernst & Young's respondents viewed information security issues as CEO-level priorities, and the rate at which they reported security issues to boards of directors actually declined in 2004.
CIO magazine's other major discovery: those companies that are doing the very best job of tending to information security needs experienced less downtime and fewer financial losses despite more frequent -- and more severe -- attacks. In so doing, these companies are ushering in best practices that should act as guides to all companies grappling with information security issues.
What are these companies doing that others are not? First and foremost, they are thinking about information security in innovative new ways. CIO magazine found that the average company is driven largely by the threat of litigation but that leading companies see information security as an opportunity to advance their business objectives.
The mark of a company with optimum information security is what CIO terms the "virtuous cycle" -- a kind of information-security nirvana. These companies have strong security infrastructures -- with dedicated staffs and rigorous quarterly reviews -- which in turn breed confidence and buy-in among executives, which in turn leads to increased allocation of resources to security needs. It is this happy balance that is the secret to their security success.
Moreover, the so-called "easy answers" many companies turn to for information security needs -- like firewalls -- contributed to an emerging problem: distracted by external threats, companies are taking their eye off the ball when it comes to internal threats to their security. CIO magazine's survey revealed that, after hackers, employees (28%) and former employees (21%) were the most likely sources of attacks on a company's information system. After employees, outsourcing and external partnerships increased security vulnerabilities exponentially -- a fact most executives fail to comprehend.
The fundamental issue is one of image -- both of information security problems themselves and the individuals charged with shoring up a company's vulnerabilities. Setting the right tone at the highest levels -- with the CEO and in the boardroom -- is critical. Framing the issues and image of information security triggers a "trickle-down" effect that raises awareness among what Ernst & Young calls a company's "strongest layer of defense": its employees.
Lisa Ferri is a freelance writer living in New York.