Cyber Security Institute

Monday, August 28, 2006

IT execs feel the heat as security woes multiply

With security threats increasing and regulation tightening, companies are demanding greater IT accountability - and that can mean being forced to walk the plank after a breach.  AOL fired a researcher and a manager last week, and CTO Maureen Govern resigned after the Dulles, Va., company posted data on search queries made by 650,000 AOL subscribers.  Ohio University dismissed two senior IT people this month following news of five security vulnerabilities that exposed the sensitive records of 137,000 alumni.  Fallout from the Department of Veterans Affairs’ security debacle is ongoing.  The agency fired the analyst who took home a laptop containing data on 26 million veterans that was stolen when burglars broke into his home.  That doesn’t fly today. If a company is spending 5% of its IT budget on security, it expects a payoff. “The business side of the organization has learned to live with accountability and is able to talk about revenues and returns,” John Pescatore, a security analyst at Gartner says. “IT is getting dragged there, too.”

Security accountability is long overdue, says John Pescatore.  When a series of worms hit in 2001 and paralyzed businesses, IT staff threw up their hands and blamed vendors.  “Five years ago, nobody was responsible and nobody had authority,” Pescatore says.  IT managers and security managers aren’t the ones setting corporate policies, yet they’re responsible for enforcing the policies and ensuring security, he says.

All in a day’s work

IT executives say their jobs are now on the line if an IT event compromises security or impedes business performance.

Greater accountability is a natural consequence of IT becoming more central to business operations, says Chris Majauckas, computer technology manager for Metrocorp Publications in Boston.  “Upper management is aware that it is impossible to foresee every possible negative event, but they do expect those events to be handled promptly and properly,” he says.  “The days of upper executives that aren’t IT-aware are gone,” adds Bruce Meyer, senior network engineer at ProMedica Health System in Toledo, Ohio.  The negative publicity surrounding the recent breaches has forced all IT departments “to examine how the events happened and discuss with the executive level what our exposure to the same incident would be,” says Cory Elliott, IT director at Basic Energy Services in Midland, Texas.

The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) were designed to protect patient privacy and improve financial reporting, respectively.  The burden of providing that falls to IT - which can become a scapegoat if efforts come up short.  “Oversights, either deliberate or inadvertent, now become part of reports to audit committees and boards, who have obligations to show due diligence in responding to compromised situations,” he says.  “This may produce more pressure and require dismissals that would not necessarily occur in private companies.”  Dismissing or shuffling IT staff is often a signal to the public that punitive and preventive measures have been taken, Donnelly says.

The company’s IT department is spending more time and money on security investments such as intrusion-prevention systems, firewalls, security appliances and antivirus software.  “If you have a regulatory stick, use it,” Pescatore says.  While greater IT accountability is a good thing, it has to come with authority, Pescatore says.

Ground your assertions in reason: “It has to be about more than just fear.”

http://www.networkworld.com/news/2006/082806-security-risk.html?WT.svl=bestoftheweb1

Posted on 08/28