A report issued yesterday by the International Information Systems Security Certification Consortium, Inc. (ISC)2 shows that IT security is a top priority among IT executives and administrators. The top concern is reputation management: most of the companies surveyed for the study were worried about compliance issues and about ending up as the lead story on the eleven o'clock news.
Report shows growing concern over corporate reputation. (IMG: J.Anderson)
During my RSA reports, I mentioned meeting (ISC)2, and reported that I was unable to give details of the meeting. What I talked about was this report. The relevance is easy to follow: with all the news about data leaks and personal information being lost or stolen, companies are scared out of their minds. More to the point, the C-Level executives are more worried about reputation than about any other security-related problem.
They have good reason to be scared. TJX lost millions of records, and in the end paid millions of dollars in related lawsuits. Hannaford Bros. is looking at similar problems. Public trust in both cases was shaken, and while both are fine business-wise, TJX never fully recovered from the security breach.
In each case, the retailers were certified under PCI-DSS. The PCI-DSS (Payment Card Industry Data Security Standard) was created to minimize credit card fraud by defining a standard set of best practices for overcoming security shortcomings. The problem is that PCI-DSS has its own problems: both TJX and Hannaford Bros. were PCI-DSS certified, and yet both companies lost information, causing a PR nightmare.
This is why it comes as no surprise to learn that C-Level executives are placing more energy into IT security and compliance. What used to be an Engineer or Administrator issue has moved into the boardroom.
“This year’s study acknowledges that effective information security programs enable businesses to grow and prosper,” said Eddie Zeitler, CISSP, executive director of (ISC)2.
“Consequently, professionals are being tasked more with the business of security, managing and consulting on its broad contribution to the business, while the administration of technical solutions is being integrated into the IT department,” he added.
The report, based on responses from 7,548 INFOSEC professionals, including over 1,500 C-Level executives and security managers, as well as IT and other professionals with responsibility for information security, from companies and public sector organizations in more than one hundred countries, shows exactly how IT security is shifting.
“Information security is moving beyond the perimeter and becoming more data-focused, protecting data both at rest and in transit, with wireless security solutions, cryptography, storage security, and biometrics represented in the top five technologies being deployed,” the report says.
It goes on to point out that, “Users following information security policy was identified as the most important factor in a security professional’s ability to protect the organization. In addition, fifty-one percent of respondents identified internal employees as the biggest threat to their organizations.”
Insiders pose a severe risk; most of the technology I saw at RSA protected a company, to one degree or another, from internal threats. A recent example would be the incident at LendingTree, where employees handed over credentials to outsiders. In addition, the compliance worry is not limited to PCI-DSS. Other compliance issues, such as GLBA, HIPAA, and SOX, are getting just as much attention in corporate IT.
The results of the report show a clear trend: executives are willing to spend more on training and services to maintain security.
To download a copy of the study, go to www.isc2.org/workforcestudy.