BreachExchange mailing list archives
Information Security: Do Businesses Even Truly Care?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 01:28:13 -0700
http://midsizeinsider.com/en-us/article/information-security-do-businesses-even

As information security breaches continue to make headlines and remind everyone of the dangers of an unprotected network, one might think that IT security is a top priority for business executives across the board. Not so, according to one security expert who believes that existing security measures are woefully outdated. His opinions and the reasons behind them should be a wake-up call for any business that handles IT security by simply checking off boxes.

Do Businesses Care about IT Security?

"Unfortunately business doesn't care about security," said security expert David Lacey at the CSO Perspectives Roadshow in Canberra, according to an article in The Age. Lacey is a noted British security expert, security futurist and author with over 25 years of experience directing security policy at organizations such as Shell and Royal Mail. He expands upon his point by describing business leaders as more inclined to tick boxes to pass compliance audits than to think seriously about the security issues that the business might have and then to work toward their resolution. This reliance on compliance is especially troubling given how outdated some standards are. Lacey described how he helped to create some of the original IT security standards in ISO 27000 over two decades ago, adding that some of those standards were outdated at the time and yet still remain in effect to this day. Even within the compliance structure set up today, there are still issues getting business leaders involved. Situations can arise in which a security audit finds a problem that should have been fixed years ago in order to be compliant with a standard that was based on even older practices, which results in an almost comical situation that does next to nothing to prevent modern attacks and security breaches but rather gives business leaders the impression that matters are under control.
Lacey articulates a point that is increasingly being brought to light: businesses seem to get really serious about information security only after something catastrophic has happened that affects the bottom line. As detailed in a CSO article, Lacey suggested that data integrity is now at the forefront of the battle against security lapses, claiming that integrity is now where confidentiality was a decade ago. Data theft is becoming less of an issue as the realities of what might happen when attackers stop stealing information and start changing it come to light. Expensive privacy and confidentiality breaches could become crippling integrity issues as businesses find their entire data streams compromised with information that is either inaccurate or intentionally misleading.

Enticing Change in a Midsize Business

The concept of someone deep within the IT security world sounding alarms about the deficiencies of modern technology security may seem self-serving, but the basics of Lacey's thoughts should resonate with anyone tasked with enforcing IT security at an expanding business. Getting business leaders to agree to do more than the industry minimum and to spend resources in the process can be like pulling teeth. Midsize businesses may be especially at risk, since it is easy for business leaders trying to maximize share within tight markets to put security initiatives on the back burner in favor of more revenue-generating options. The crux of Lacey's argument is that businesses need to stop focusing on security through conventional audits and the restriction of internal infrastructure, and instead begin to look at security issues as they arise. This will lead to the development of real solutions that have a positive impact on the business.
Concepts such as mobility, abstraction, complexity and diversity are quickly gaining ground as everyday IT expands beyond the traditional data center, and true security has to keep up with that change instead of adhering to standards developed in a remarkably different IT landscape. Getting business executives to see that this change is necessary will be difficult, especially in a midsize business with a traditionally tight IT budget, but it does not have to happen all at once. Convincing business leaders of the perils of data loss and poor data integrity is a good first step. It can naturally lead to a change in audit practices in order to focus less on ticking off boxes and more on developing strategies to confront modern threats. For now, IT managers at midsize businesses may have to use a combination of old and new strategies, but even keeping an eye on emerging threats and new ways to deal with them could be enough to prevent a new threat from bringing down the business.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/