The State of Corporate IT Security
Data breaches and hackers compromising sensitive IT systems, seem to be an almost daily occurrence to anyone opening a newspaper. Of course, these are just the security incidents being made public. We have reached a point where, unless tens of millions of customers have their confidential information leaked all over the internet, those of us following the sector barely raise an eyebrow. Another high profile CEO steps down, a large corporation pays a fine, and politicians discuss new toothless measures to protect the interests of their voters. And yet the cycle continues unabated. Rinse and repeat.
Thankfully security is finally a board level issue. With responsibility trickling upwards, this was really just a matter of time. Today’s board members are more likely to write their own emails, place their own phone calls, and pull out a laptop during meetings, than those that came before them only very recently, and large corporations now find themselves in both a state of awareness, and one of panic and either inaction or misdirected effort. Without solid foundations and ingrained corporate habits to build on, the best they can do is respond and hope. But there is perhaps reason to hope.
Lessons From the Financial Crisis
Out of the financial crisis and near collapse of the global banking system in the 2000s came an intense pressure and focus on stricter regulations and organizational compliance with them. This nearly catastrophic event saw the rise of the Chief Compliance Officer – a modern day knight in shining armor charged with bringing order to the chaos and removing risk from the balance sheet. This very necessary, and often challenging role, has been the saving grace of the financial industry, who have in many cases bounced back to record profits, while remaining in compliance with ever stricter regulations. The lessons here for the world of security are clear.
Does the security sector require its own version of the financial crisis, if it is to achieve the profile and importance necessary for board-level action, rather than reaction? Some would argue strongly that we are in the very midst of that catastrophe, with daily breaches being reported on, cases of international and domestic espionage being uncovered, and corporate and personal privacy being torn apart. One thing that is universally agreed upon is that, no matter how bad things may appear today, they will get worse before they get better (and indeed, some may argue that ever “getting better” again is merely wishful thinking).
The Rise of the Chief Security Officer
So, in the midst of this crisis, how do we move forward? We lead from the front. Boards, CEOs and Managing Directors need to acknowledge responsibility and attribute importance to the issue. And then they need to take proactive action. The success of the Compliance Officer role needs to be replicated with security needs in mind. Chief Security Officers needs to take their place alongside Chief Information Officers, reporting directly to the CEO, and with accountability to the board.
There have always been skilled and able security professionals buried within the hierarchies of corporate IT departments, fighting fires, playing ‘Whac-a-Mole’ and generally stretching their limited resources to breaking point in an effort to stem the growing tide of security threats. Their time has come. In addition, corporate policies need to be unearthed, made consistent and applied universally across the organisation. Industry best practices need to be monitored, understood and implemented, and governmental regulations have to be adhered to. This applies to each and every internal IT project as well as to the entire supplier ecosystem. This is no small order. It will require ongoing and effective compliance with ever changing security policy, best practice and regulation. And that’s just for starters.