
Securing information a major challenge

CIOL Bureau

Introduction


The writing's on the wall for CIOs: a security breach in the organization could cost them their job. After any information security breach, the blame lands on the CIO first. That is the culture across all verticals in today's business.

Need for Security

Securing the information and IT infrastructure in today’s computing environment may well be the biggest challenge faced by organizations. Not only must organizations ensure the integrity of their systems and data, but often they must also prove that their security processes and policies measure up against standards and regulations established and enforced by national standards-developing entities. In addition, the recent popularization of virtualized environments adds a new layer of complexity to the security picture.


Businesses are just beginning to comprehend the security implications of these environments.

To tackle these security issues, many organizations adopt a security approach that addresses vulnerabilities through security policy and through systems designed to protect the integrity of the IT infrastructure. This approach recognizes that the integrity of the IT infrastructure may easily be compromised by malicious attacks from external sources, but it often lacks a means of addressing compromises that originate from within the organization, whether through intentional or inadvertent employee actions. And ironically, the very systems responsible for providing security, such as the firewalls and intrusion detection systems, often go unmonitored.

Development of security policy


The process for developing a written security policy typically involves a task force with representatives from a variety of functional groups, including "business" people and not just IT, engineering and security staff. These business people, whether from sales, finance or operations, ensure that the policy developed supports business practices rather than hindering them. Ultimately, the CEO and senior management endorse the organizational security policy, put adequate measures in place to enforce it, and monitor compliance at regular intervals. That means every employee of the organization becomes collectively responsible for making the policy succeed. However, experts say the CIO is often the first executive to be called to task for any IT security violation, despite the fact that security problems generally involve a number of departments.

Convergence of physical security and information security

Increasingly, as a means of reducing costs, increasing efficiency or making better use of technology investments, organizations are integrating physical security devices for access control, monitoring and process control into the IT infrastructure. These two technology worlds, each with its own management approach and protection philosophy, do not always come together easily. The differences in design, functionality, implementation, maintenance and management can create conflicts, possibly resulting in a security breach involving the IT systems, the physical security systems or both.


Security culture

Having an information security policy is not sufficient. Information security has to become second nature for employees, i.e. an inherent part of the corporate culture, as natural as wearing a seatbelt in a car. "The goal is to establish and maintain an organizational culture where information security is second nature to all employees," said Deloitte's 2005 Survey. What's needed is a cultural change: a completely different approach. The cultural change is the realization that IT security is critical because a security failure has potentially adverse consequences for everyone. Therefore, IT security is everyone's job.

Lack of authority with the CIO

Companies that are on top of information security typically have given the CIO the authority and visibility to make the organization-wide decisions necessary to protect against IT security breaches. But in typical practice, the CIO has responsibility for security policy but no clout to enforce it.

The factors above clearly indicate that IT security is everyone's responsibility, not the CIO's alone, and that enforcing it is mainly the collective responsibility of senior management.