Best Practices: The 2004 Global Information Security Survey

Most positive of all: In last year's report, we advocated for removing information security "from the purview of the IT department," and that's happening. The fact that risk management, audit and legal have made inroads in influencing security, while IT's influence dissipates, suggests that executives have started to buy in to the idea that security should be a check on IT, not beholden to it.

The governance data couldn't be more optimistic. Then again, it could be misleading.

Many information security executives are finding that even if their title is C-level, their job isn't. They are prominent on org charts but buried in terms of influence, lacking budget, staff or authority. One former CISO called it the "paper tiger" syndrome. Another said companies were hiring "firewall jockeys" in order to fulfill compliance requirements. This is governance by appearance.

"I am often referred to as the CSO or CISO, but I report to a manager, who reports to a director, who reports to a senior director of operations, who finally reports to the CIO," says the head of security at a large health-care institution. "They say, 'Now keep the bad guys out, but we're not going to let you enforce any rules to do so.'"

So while the numbers appear encouraging, we can't say for sure how much they reflect a real commitment to security governance.

What We Think

Fight the good fight. Make your case for moving information security outside of IT. The Best Practices Group has already done so.

It won't be easy. Dave Kent, CSO of biotech company Genzyme, compares the process of the security function changing corporate culture to "the ugly little tugboat that turns the Queen Mary."

But you have to do it. Otherwise, you may end up like the CISO at the health-care institution, who says, "I have no power. I am the person waiting to take the fall."

V. Why the Fed Makes a Poor CISO

The government has taken on information security. It has sought to influence security practices through regulation (the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and others) and through the Department of Homeland Security's color-coding system, which defines how private-sector security professionals should respond to a given level of risk. But the "2004 Global Information Security Survey" indicated that either the regulations were poorly conceived or written, or that our respondents had a slovenly attitude toward compliance. Or both.

In any case, something's gone awry. (See "What Do You Do When We Go to Orange?" this page.)

Behind the Numbers

For those who theorize that regulation and government involvement will improve information security, these numbers should prove unnerving. Regulation has yet to drive companies toward better security or have much impact on their practices.

Only half of all U.S. respondents claimed to be in compliance with HIPAA, and 41 percent reported that they comply with Sarbanes-Oxley. Of course, not every respondent needs to comply with HIPAA. But if we look at those industries that do (health care, pharmaceutical, and biotech at 71 percent, 45 percent and 40 percent compliance, respectively), the story doesn't change that much.

Security professionals are dubious of both current and potential future regulation. "No regulation is preferable to bad regulation," says the CISO of a major electronics company. "On the other hand, if we don't regulate, we're heading to a bad event with critical infrastructure, and then you'll end up with regulation passed in reaction to the bad event. It would be the worst of both worlds."

That bad event is what DHS's color-coding seeks to avoid. The government's threat-level reporting is widely believed to be for the public but, in fact, it was meant to alert first responders in the private sector to guide them in their protection of the critical infrastructure. When DHS Secretary Tom Ridge introduced the system in 2002, he said, "We anticipate and hope that businesses and hospitals and schools...will develop their own protective measures for each threat condition."

That hasn't happened.

Only one in 10 respondents reacts to homeland security alerts, and again, the breakdown by industry serves to reinforce that point. Of the six industries that had the highest number of respondents who reported that, yes, they changed their activities when DHS changes color levels, namely energy/utilities (30 percent), government (25 percent), aerospace (14 percent), hospitality (14 percent), construction/engineering (12 percent) and financial (11 percent), none reached even one-third.

No other industry reached 10 percent answering yes. And eight industries, including agriculture and electronics, had zero respondents who changed their practices according to the threat level.

"What can we do with a nonspecific threat?" a CISO asks rhetorically. "If it were, say, an orange alert for the supply chain, then we could take specific actions. Otherwise, we can't be moving resources around without knowing why we're doing it."

What We Think

Regulations don't create security; people create security. At the same time, regulation has a purpose. Even Scott Charney, CSO of Microsoft, believes that well-crafted regulations (he used to write them when he worked for the Justice Department) can have a positive effect on information security.

"The key is they have to be written well, and that's not easy to do," Charney says. "Passing a regulation that says 'Thou shalt be safe' isn't useful."

Right now, the color-coded alert system does not identify the specific threats that the infrastructure faces, nor does it guide the actions of information security professionals. Until DHS and industry leaders, in a combined effort, can define what's supposed to happen when the light goes from yellow to orange, the threat-level warning system can only produce agitation, not information.

"The Game's Afoot"

The data from the "2004 Global Information Security Survey" shows movement in the right direction. Happily, you've evolved, and information security practices are slowly improving.

Unhappily, the threat environment is also evolving. Just as you've started to gain ground in the virus battles, spam, malicious code and confidence tricks are being designed to far more destructive ends (including extortion and theft) than simple network downtime. Phishing was so limited last year that we didn't even ask about it. This year, 13 percent of respondents said they were affected by it. Scams already exist that can trick you into installing software that hides until you start banking online, at which point it wakes up and logs your keystrokes.

Yes, you're managing the viruses and other security nuisances better. But, the information infrastructure is no longer the target; it's just the path used to get to far more profitable targets. Perhaps this is why the "not at all confident" group of respondents ticked up from 10 percent last year to 14 percent this year.

Yes, information security improved in 2004, but this is no time to celebrate. You must continue to evolve. Ever more sophisticated Dr. Moriarities are out there, lurking. For them, and for you, the game's afoot.

Copyright © 2004 IDG Communications, Inc.