Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

The governance data couldn't be more optimistic. Then again, it could be misleading.

Many information security executives are finding that even if their title is C-level, their job isn't. They are prominent on org charts but buried in terms of influence, lacking budget, staff or authority. One former CISO called it the "paper tiger" syndrome. Another said companies were hiring "firewall jockeys" in order to fulfill compliance requirements. This is governance by appearance.

"I am often referred to as the CSO or CISO, but I report to a manager, who reports to a director, who reports to a senior director of operations, who finally reports to the CIO," says the head of security at a large health-care institution. "They say, 'Now keep the bad guys out, but we're not going to let you enforce any rules to do so.'"

So while the numbers appear encouraging, we can't say for sure how much they reflect a real commitment to security governance.

What We Think

Fight the good fight. Make your case for moving information security outside of IT. The Best Practices Group has already done so.

It won't be easy. Dave Kent, CSO of biotech company Genzyme, compares the process of the security function changing corporate culture to "the ugly little tugboat that turns the Queen Mary."

But you have to do it. Otherwise, you may end up like the CISO at the health-care institution, who says, "I have no power. I am the person waiting to take the fall."

V. Why the Fed Makes a Poor CISO

The government has taken on information security. It has sought to influence security practices through regulation (the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and others) and through the Department of Homeland Security's color-coding system, which defines how private-sector security professionals should respond to a given level of risk. But the "2004 Global Information Security Survey" indicated that either the regulations were poorly conceived or written, or that our respondents had a slovenly attitude toward compliance. Or both.

In any case, something's gone awry. (See "What Do You Do When We Go to Orange?" this page.)

Behind the Numbers

For those who theorize that regulation and government involvement will improve information security, these numbers should prove unnerving. Regulation has yet to drive companies toward better security or have much impact on their practices.

Only half of all U.S. respondents claimed to be in compliance with HIPAA, and 41 percent reported that they comply with Sarbanes-Oxley. Of course, not every respondent needs to comply with HIPAA. But if we look at those industries that do (health care, pharmaceutical and biotech, at 71 percent, 45 percent and 40 percent compliance, respectively), the story doesn't change that much.
