Tuesday, April 13, 2010

(IT) Security and the CIO

Last month, many CIOs (including me) were subject to a barrage of security events—as if the world suddenly needed a lot more protection than it had in the past! CEOs, senior vice presidents and thought leaders suddenly seem to have descended upon the CIO, challenging the security postures of enterprises.

Questions challenging the efficacy of currently deployed solutions were very similar across almost all vendors. Many data points from a multitude of surveys were bandied around in an attempt to make CIOs succumb to the FUD (fear, uncertainty, and doubt) factor.

A typical session begins with “Top 5 technology priorities”, and since the presentation is being made by security vendors, IT security figures prominently in these lists. To the hapless CIO, statistics reveal a scary world full of crackers and nefarious elements (who want to take away customer data, send spam, phish users, attack end computing devices, and sniff network traffic). It does not matter whether the audience agrees with these or not. Irrespective of whether the displayed data is from the same geography or industry, the ground is set for discourses on why your enterprise is not secure if it hasn’t deployed the specific vendor’s solutions.

Almost all cases are built upon the premise that data is only stored electronically, and leakage can only happen in electronic forms. The exercise of data classification is touted as the starting point—except that beyond a point, this classification becomes irrelevant, as the imposed controls make conducting business a painful task. Mobile workers appear as the villains who will lose a laptop or connect to unsecured wireless networks compromising valuable data.

Yet another cry is a ban on social media. This does not acknowledge the fact that business also uses these channels for connecting with customers. The mantra is “you cannot trust these gullible ignorant employees, they are the weakest link”.

Yes, people are indeed the weakest link in security compromises; but they can also be the strongest. The biggest tenet of any business operation is trust. If the enterprise cannot trust its employees to be prudent in their usage of various communication modes or protect the data that matters, then I don’t believe that a technology solution is the answer.

Information security can be effective with the help of education, continuous reinforcement by the management, a “zero tolerance” policy towards adverse incidents, periodic reviews, and finally the technology stack, which is dependent on the business operations. Exception management is fraught with danger, and should be aggressively discouraged. Many mature organizations have found that making an example of truant employees enhances levels of security, and builds trust with customers in the long run. Attempts to hush up such cases, or failing to take the strict action that may already be defined in the policy, send a message of tolerance, which can significantly compromise the enterprise.

Vendors need to listen as they engage (see Irrelevance of vendor presentations) the CIO in discussions on how they can help their customers in sustaining and improving their information security postures. This has to be based on an assessment, and not on inane survey data that may be far removed from reality for the audience. Otherwise, they face the risk of alienation from their prime customer, the CIO.
