Why Security Needs More Joe The Plumbers, Fewer Geeks

BOSTON – Companies continue to leave too much of their security apparatus in the hands of geeks in the IT department and not enough in the hands of the wider workforce. Until that changes, enterprises will continue to have gaping holes in their data defenses.

That’s one of the main messages from a panel discussion on the 2008 Global State of Security Survey, held at the offices of PricewaterhouseCoopers in Boston Tuesday. CSO and PricewaterhouseCoopers recently released the results of the survey, where 7,097 business and technology executives worldwide shared their security troubles. This is the sixth year in which CSO and PricewaterhouseCoopers teamed up for the survey.

Though security has improved significantly in some areas — especially among companies in India, China and South America — too many enterprises continue to view security as a task best left to the IT shop. As a result, security efforts are too focused on putting out fires and stewing over network logs and not enough on big-picture strategizing and better awareness among the larger workforce, according to CSO Publisher Bob Bragdon, who spoke at length during the event.

“When we compared last year’s survey results to this year’s results, we found that the people and priorities part of security still isn’t growing as much as tech spending,” Bragdon said. “If you don’t focus on people and process, you’re not going to get the full value out of your technology.”

If a company can’t get out of the weeds, it can’t approach security strategically, he added.

Sharing that viewpoint was Gerard Verweij, a principal at PricewaterhouseCoopers, who at one point deadpanned that “a fool with a tool is still a fool.” Verweij noted that information is the new business currency and securing it must be about more than meeting a compliance checklist.

“What stunned us a bit after seeing the results was that so many CISOs continue to see their positions as mostly a compliance function,” he said.

On the positive side, the survey showed that companies are buying and applying such technological tools as software for intrusion detection, encryption and identity management at record levels. The down side is that too many organizations still lack coherent, enforced and forward-thinking security processes. While 59 percent of respondents said they have an “overall information security strategy,” that’s up just two points from last year’s survey – too little, Verweij and others at PriceWaterhouse Coopers said.

Elsewhere, 56 percent of respondents said they employ a security executive at the C level, down 4 percent from last year. Respondents also noted they comb network logs for fishy activity, but only 43 percent said they audit or monitor user compliance with their security policies. This is up 6 percent from 2007, but still “not where we need to be,” PriceWaterhouseCoopers Principal Mark Lobel said in an earlier interview.

The survey results also showed other countries making security gains, even exceeding gains made in the U.S. Companies in India are now outpacing security efforts in U.S. companies, and enterprises in China and South America are making headway. Progress has stalled in Europe, however.

South American businesses must prove to North American companies that they’re doing what they can to protect data, Verweij said.

Asked to identify trends that are headed in the right direction, James Mignone, CISO at Citizens Financial Group and RBS Americas, noted that upper management is coming around to the notion that security is a business enabler, not a necessary evil.

“The tagline is that we’re making RBS the safest place to do business,” he said. “Senior management has signed off on that and we have more support than ever for a full-blown strategy.”

Now, Mignone said, companies need to remove the geek image of security from the public mind. “The information security group is often seen as the cool tool guys, and nobody knows exactly what they do,” he said. “You need to show how you are using technology to mitigate risk, and you need more than geeks to pull it off.”

To move beyond that reputation, he said much more time, energy and money must be spent on programs to make the larger workforce more security savvy.

Asked where they would deploy new security specialists if they were hired, Mignone said he’d focus them on risk assessment and metrics, which “right now is a weak spot.” Bragdon said, “I agree, but would also add training to it, educating the masses on security.”