Driving Change in Corporate Information Security

CIOs need to overcome a prevailing view that information security is something that only information technology does.

By Hans Brechbühl and Scott Dynes

CSO, June 06, 2005

Information security today is much like quality was twenty years ago: bolted-on, not built-in, viewed as an inhibitor of operations, and residing in a special department. If information security efforts are to be successful at a corporate (and national) level, this must change. This was one of the key conclusions reached at a working summit of corporate executives hosted at the Tuck School of Business at Dartmouth.

It was quite clear that within most participants' organizations there is a prevailing view that information security is something that information technology (IT) "does." For everyone else in the organization, information security just "happens" to them; their involvement is passive. This attitude is found at all levels of the corporation today, from the boardroom on down. It is only within the core IT function of the company that information security seems to be integrated into the daily work routine.

The phenomenon is similar with customers. Ken Rathgeber, EVP and Head of Risk Oversight for Fidelity M&R, described customers' attitudes towards information security: "...I think the general consumer out there believes that they are protected from [security incidents such as identity theft] and we will assume the responsibility and the liability of making them whole." As Hillary Gal, of Citigroup, made clear: "customers have to understand they have to take some responsibility." Customers do not have a good understanding that what they do matters in terms of security. Rathgeber related how Fidelity will begin informing clients that if they haven't installed a certain level of Web browser on their computers, they won't get access to Fidelity's secure website.

Educational and cultural change efforts were identified as important themes in driving information security responsibility throughout the organization. Though board and customer education were seen as important, most of the education and awareness efforts discussed were directed towards corporate employees and extended enterprise partners. One important component encompassed developing skills and capabilities and establishing a more rigorous, coordinated approach to information security. Other elements focused on building awareness of individual and collective responsibilities: getting people to move from observing information security in a passive role to addressing it as active players on the corporate information security team who understand their role. A developing best practice is to tie information security to some aspect of corporate culture that is already well understood.

The educational challenges are not likely to go away quickly. One of the reasons is that the younger generations have very different attitudes towards computing ubiquity and such aspects of information security as password sharing and file swapping. Efforts are now being made to address this through ethics and security discussions in educational institutions.
