What an Increase in Security Planning Might Mean for CSOs
The coming years promise an increase in security planning to support strategic business planning. Will it be a CSO's dream come true or one big nightmare?
By Anonymous
December 01, 2003 — CSO — What's keeping you awake at night these days? Sharing such security concerns with one another is nothing new. And we mostly do it for good reasons: It's one part learning, one part giving back, and one part enlightened self-interest. The idea is that your problems today will likely be my problems tomorrow, especially if we're in the same business sector.
So I think I keep a fairly good handle on what is in front of us as CSOs, but I'm always struck by the insights of my fellow security colleagues when I ask them about their concerns. I hear a lot about balance
"The risk landscape is hugely visible, perhaps the highest it has been in my 25 years in the business," says one security exec. Terrorism now dominates the public mind-set and creates the mistaken impression that it is a much greater threat than anything else. We need to strike the right balance between our biggest worries
Yet there's an interesting dichotomy to the continuing impact of 9/11. The tragedy in September 2001 dramatically increased attention to security risks as part of the critical infrastructure. But since then much of the focus on safety and security has waned, and fears seem to be inversely proportional to the length of time since the last incident. "All this DHS color crap has everyone totally turned off," is how another friend puts it.
I can't imagine a company that doesn't have security somewhere on its radar these days, if for no other reason than the daily threat of malicious and criminal attacks on our networks. Thanks to the insecurity Microsoft has brought to our IT world, most companies have had to get good at virus and patch management. A backhanded plus, I guess.
Another plus is that network management is getting more attention. That said, remote access capabilities such as virtual private networks continue to keep our IT security friends tossing and turning.
We've all watched the cyber side of our businesses get increasingly insidious. "Keeping a strong enough control environment on every device is very hard and very costly," says a CISO colleague of mine. "As a result, many people are coming to the conclusion that we need to use gateway technology internally to create partitioned networks within the enterprise's wide area network to either protect the contents from higher risk outside the corporation or to wall off high-risk activities from the rest of the enterprise WAN," he says. "We're doing better at defending against the worm and virus attacks, but it's costly."
The Cost of Doing Business
Meanwhile, the concern for cost management is universal