Business executives outside of IT are well aware of the dangers posed to the enterprise from hackers, virus writers and other distributors of ‘malware' – but getting them to see IT security as a priority investment remains a major challenge.
That was the verdict of delegates at the latest Information Age executive lunch, the monthly gathering where senior IT executives can share their experience and views on strategic issues. The April roundtable, sponsored by IT security company VeriSign and run, as always, under the Chatham House rules so delegates can speak candidly without having their comments attributed, was dominated by on-going anxiety over IT security. All the delegates highlighted pressing threats within their organisations, but they demonstrated a wide diversity of views on how to tackle these.
At one extreme, the head of IT security policy at one large government department described how his organisation had come to the conclusion that security threats were impossible to counter: "For our most important systems – our Crown Jewels – we simply won't connect to the Internet. The only way we can guarantee security is to put 10 feet of carpet between us and the Internet."
The majority of organisations have a less dramatic approach, though all expressed a need to constantly re-invest in security enhancements. "My board thinks that because we've not had a problem recently, that makes a good reason for us to invest less, not more," explained the IT security manager of a multinational media organisation.
One successful method of encouraging investment in IT security was to paint the picture in terms the board understands, said the head of IT at a large transport company. "The IT department has to present them with a risk assessment," he said. "Make them understand the impact of not investing."
But even where there was executive level buy-in, IT management still faces some tough choices when it comes to security. "Our perimeter security is pretty well developed. The big issue for us is that a lot of our commercial partners have access to our systems," said an IT director at a large retailer. "We're shifting our focus to building a fortress within our business estate."
But, as ever, good security is about more than just technology. Improving internal security depends on organisations raising user awareness and changing behaviour – something that again requires investment. Quality standards, such as BS7799 are helpful in providing a structure for managing security threats, but few organisations go as far as to seek accreditation at that level, said the IT manager at a UK-based financial services company. "It just isn't seen as addressing business issues," he said.