BreachExchange mailing list archives

Information Security: Do Businesses Even Truly Care?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 01:28:13 -0700

http://midsizeinsider.com/en-us/article/information-security-do-businesses-even


As information security breaches continue to make headlines and remind
everyone of the dangers of an unprotected network, one might think that IT
security is a top priority for business executives across the board. Not
so, according to one security expert who believes that existing security
measures are woefully outdated. His opinions and the reasons behind them
should be a wake-up call for any business that handles IT security by
simply checking off boxes.

Do Businesses Care about IT Security?

"Unfortunately business doesn't care about security," said security expert
David Lacey at the CSO Perspectives Roadshow in Canberra, according to an
article in The Age. Lacey is a noted British security expert, security
futurist and author with over 25 years of experience directing security
policy at organizations such as Shell and Royal Mail.

He expands upon his point by describing business leaders as more inclined
to tick boxes to pass compliance audits than to think seriously about the
security issues that the business might have and then to work toward their
resolution. This reliance on compliance is especially troubling given how
outdated some standards are. Lacey described how he helped to create some
of the original IT security standards in ISO 27000 over two decades ago,
adding that some of those standards were outdated at the time and yet still
remain in effect to this day.

Even within the compliance structure set up today, there are still issues
getting business leaders involved. Situations can arise in which a security
audit finds a problem that should have been fixed years ago in order to be
compliant with a standard that was based on even older practices, which
results in an almost comical situation that does next to nothing to prevent
modern attacks and security breaches but rather gives business leaders the
impression that matters are under control.

Lacey articulates a point that is increasingly being brought to light:
businesses seem to get really serious about information security only
after something catastrophic has happened that affects the bottom line. As
detailed in a CSO article, Lacey suggested that data integrity is now at
the forefront of the battle against security lapses, claiming that it is
now where confidentiality was a decade ago.

Data theft is becoming less of an issue as the realities of what might
happen when attackers stop stealing information and start changing it come
to light. Expensive privacy and confidentiality breaches could become
crippling integrity issues as businesses find their entire data streams
compromised with information that is either inaccurate or intentionally
misleading.

Enticing Change in a Midsize Business

The concept of someone deep within the IT security world sounding alarms
about the deficiencies of modern technology security may seem self-serving,
but the basics of Lacey's thoughts should resonate with anyone tasked with
enforcing IT security at an expanding business. Getting business leaders to
agree to do more than the industry minimum and to spend resources in the
process can be like pulling teeth. Midsize businesses may be especially at
risk since it is easy for business leaders trying to maximize share within
tight markets to put security initiatives on the back burner in favor of
more revenue-generating options.

The crux of Lacey's argument is that businesses need to stop focusing on
security through conventional audits and the restriction of internal
infrastructure, and instead begin looking at security issues as they arise.
This will lead to the development of real solutions that have a positive
impact on the business. Concepts such as mobility, abstraction, complexity
and diversity are quickly gaining ground as everyday IT expands beyond the
traditional data center, and true security has to keep up with that change
instead of adhering to standards developed in a remarkably different IT
landscape.

Getting business executives to see that this change is necessary will be
difficult, especially in a midsize business with a traditionally tight IT
budget, but it does not have to happen all at once. Convincing business
leaders of the perils of data loss and poor data integrity is a good first
step. It can naturally lead to a change in audit practices in order to
focus less on ticking off boxes and more on developing strategies to
confront modern threats. For now, IT managers at midsize businesses may
have to use a combination of old and new strategies, but even keeping an
eye on emerging threats and new ways to deal with them could be enough to
prevent a new threat from bringing down the business.