Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

Page 5

So, they fall into the gap.

What We Think

Develop an enterprisewide strategic security plan. Why? It will make it easier to attack the security problem in an organized fashion rather than responding to the shifting winds of crisis and need.

In order to develop such a broad plan, though, you need to do audits, penetration tests and risk assessments. And only about one in four respondents did these during the past year. Of course they weren't meeting their priorities. Without a plan, they may not even have remembered what their priorities were.

The Best Practices Group did not suffer a priority gap nearly as wide as the average respondent. In eight categories (out of 30), the Best Practices Group's 2004 implementation numbers equaled or surpassed their 2003 plans. Among those eight categories were: obtaining top management buy-in, integrating physical and information security, and, yes, developing an enterprisewide security strategy.

This stuff is basic. The only way to bridge the gap is to start doing it on an ongoing, regularly scheduled basis.

IV. Kicking the Fox out of the Henhouse

When a business need (for example, maximizing revenue on an e-commerce site) conflicts with a security need (for example, enforcing the complex passwords that will make the site more secure but may also discourage customers), and it's IT's job both to enable the business and to secure the technology, security generally suffers. This is the proverbial fox-in-the-henhouse problem. Therefore, an emerging best practice is to give the fox a new house, away from the hens. (See "Bye-Bye Fox," this page.)

Behind the Numbers

Security is getting a big dose of governance. Last year, only 15 percent of respondents said they'd created a CSO or CISO position; that leaped to 31 percent this year. What's more: The implementation of centralized security management systems nearly quadrupled year over year, from 11 percent to 39 percent.

All of that means that security received both more attention and less skepticism from other executives. And, indeed, the lack of executive buy-in, which CSOs cited as a barrier to good security, dropped from 27 percent in 2003 to 20 percent this year.

Most positive of all: In last year's report, we advocated for removing information security "from the purview of the IT department," and that's happening. The fact that risk management, audit and legal have made inroads in influencing security, while IT's influence dissipates, suggests that executives have started to buy in to the idea that security should be a check on IT, not beholden to it.
