Battling the Information Security Paradox

Updated: June 22, 2010

According to an article in InformationWeek, "more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business," as quoted from CyLab's Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies, combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands, one has to wonder why information security is not being given proper credence.

According to the report's author, Jody Westby, who's CEO of Global Cyber Risk and a distinguished fellow at CyLab, "the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data."

Yes, but a willing detachment from the complex legal issues and the highly technical, often jargon-laden nuts and bolts of data security initiatives is probably only one of many causes of boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors.

That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk - they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

The lack of a serious security event simply reinforces their instinctual notion that risk associated with information systems can be controlled, not just mitigated, and that controlling "costs" is paramount when it comes to non-revenue generating expenditures (otherwise known to IT and compliance departments as "resources").

What the boardroom needs to understand from past experience is that sometimes their data was safe only because they had a first-rate security team with lots of support from management, and sometimes their data was safe simply because no one tried hard enough to get it.

And what about when someone does decide to really try?

It is probably safe to assume that the 60% of Fortune 1000 companies surveyed who do not have a CSO or equivalent have never experienced a serious data loss event - or still don't realize one has taken place.

(Un)fortunately, another aspect of the Information Security Paradox is that nothing provokes a sharp budget increase like a really expensive, publicly embarrassing, and professionally damaging information security event.