Battling the Information Security Paradox

Updated: June 22, 2010

According to an article in InformationWeek, "more than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business," as quoted from Cylab's Governance of Enterprise Security study for 2010.

With the seemingly exponential increase in threats that range from criminal enterprise to mischievous script-kiddies, combined with insider threats amplified by a struggling economy and an increase in regulatory compliance demands, one has to wonder why information security is not being given proper credence.

According to the report's author, Jody Westby, who is CEO of Global Cyber Risk and a distinguished fellow at CyLab, "the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data."

Yes, but a willing detachment from the complex legal issues and the highly technical, often jargon-laden nuts and bolts of data security initiatives is probably only one of many causes of boardroom malaise.

Some of the blame also rests with the Information Security Paradox, in which the performance of security efforts is often inversely proportional to the health of the budget for such endeavors.

That is to say, the better job one does preventing major information security events from occurring, the harder it is for one to justify a budget, let alone an increase to said budget.

It is not that the boardroom does not understand risk - they live and breathe risk on a daily basis. What the boardroom does not understand is mitigation of risk when it comes to information technology.

The lack of a serious security event simply reinforces their instinctual notion that risk associated with information systems can be controlled, not just mitigated, and that controlling "costs" is paramount when it comes to non-revenue-generating expenditures (otherwise known to IT and compliance departments as "resources").

What the boardroom needs to understand from past experience is that sometimes their data was safe only because they had a first-rate security team with lots of support from management, and sometimes their data was safe simply because no one tried hard enough to get it.

And what about when someone does decide to really try?

It is probably safe to assume that the 60% of the Fortune 1000 companies surveyed who do not have a CSO or equivalent have never experienced a serious data loss event - or that they still don't realize one has taken place.

(Un)fortunately, another aspect of the Information Security Paradox is that nothing provokes a sharp budget increase like a really expensive, publicly embarrassing, and professionally damaging information security event.
