UK companies now widely accept that IT security is not just an IT problem – it is a key strategic business issue. What they have yet to agree on are the business policies that need to be deployed to address that issue.
The need for companies to treat IT security as more than merely a technical problem is clearly supported by the views of many of the delegates at Information Age’s recent Enterprise Security 2006 Conference. Asked to rate their support for the statement, “The executive management of my organisation fully recognises the importance of IT security and have funded and prioritised it accordingly”, 56% of delegates said that they “strongly” or “very strongly” agreed. Only 7% disagreed “very strongly” with this statement, suggesting that, with few exceptions, IT security is now on the boardroom agendas of UK companies.
However, there appears to be far less consensus around how this board-level commitment to IT security should be translated into strong and effective policies for protecting corporate IT systems and data assets. By far the most widely supported strategies are those that put people rather than technology at the centre of IT security policy. Around a third of delegates agreed “strongly” and half “very strongly” with the statement, “The creation of a robust internal IT security culture … is a better defence than any technological solution.”
This widespread support for people-oriented IT security policies may stem from the almost equally widespread mistrust of technology-based solutions. The view that “traditional perimeter-based (firewall) IT security technologies do not offer a long-term solution to corporate IT security” drew “very strong” and “strong” agreement from 18% and 44% of delegates, respectively.
The proposition that “the introduction of a national ID card scheme would be a boon to my organisation’s IT security” was even less popular. Just 8% of delegates offered “strong” or “very strong” support for this statement and the view that it should be “treated as an urgent priority by government,” whereas 38% expressed “very strong” disagreement.
No other technology-based IT security solution was treated with such clear mistrust as the national ID card scheme, but neither were any others offered unequivocal support. Backing for corporate user ID management, for instance, was lacklustre. Although a third of delegates “agreed” with the view that ID management “is becoming paramount in the fight against crime and the need for good corporate governance”, about the same number took a more negative and opposing view.
Similarly, the delegates were split down the middle over federation of identity. Support for the statement, “The need to share corporate identities across organisations, with subsidiaries, partners and the government, has become critical to customer satisfaction and regulatory requirements”, produced broad agreement from 54%, but also drew “very strong” and “strong” disagreement from 46%. The so-called ‘federated wave’ that some vendors are predicting may still be on the horizon, but it is no tsunami.
Although the case for IT security is now more compelling than ever, and although more organisations are devoting more resources than ever before to meeting its challenges, there is clearly much that still needs to be done – especially when it comes to establishing an IT security culture within the organisation. Despite the strong support for internally propagating high awareness of security issues, only a third of delegates indicated that their organisations have yet made efforts to do so, and only 11% claim to have already established that kind of security-minded thinking.
Enterprise Security 2006: The delegates' perspective
On the whole, delegates feel they are getting the kind of support they need from senior management for IT security.
Delegates largely agree that a focus on people rather than technology is the way to achieve stronger security.
Most delegates feel they still have some way to go in establishing a security-conscious culture.
Most delegates indicated that they want to progressively move away from perimeter-based security.