'CEOs know nothing about security'

No! Really?

By Jerome Thorel, 4 November 2003 16:30

NEWS The fourth European IT security conference opened in Amsterdam yesterday - with a damning indictment of CEOs who fail to understand the value and the costs of security.

While cyberterrorism and other fad threats haven't turned out to pose the risks that many experts had predicted, the number one source of tech threat remains inside a business itself - its staff and its internal processes, according to Arjen van Zanten of KPMG's risk management business.

He claimed there still exists a cultural barrier between IT departments and the board.

"The board of directors don't understand anything about security," he said.

Tom Scholtz, VP of research firm Meta Group, replied "but the heads of IT, and above all those in charge of security, aren't up to the job of reassuring them", in the course of a roundtable on the value of security.

Just a few years ago, IT security was considered a restriction on businesses. Like putting the brakes on a vehicle, it only has one result: it slows down how fast you can go. Today, luckily, it's considered a sign of confidence, and people realise that using the brakes actually helps you go faster.

That rather convoluted metaphor comes courtesy of Art Coviello, CEO of RSA Security, speaking at the Amsterdam conference.

For RSA and other security vendors, the problem is to convince business bosses that knowing how to safely conduct business over the internet is about more than knowing how to guard against attacks or malware targeting their IT systems.

Jerome Thorel writes for ZDNet France

Comments

There is 1 comment.

1. anonymous

    A major part of the problem is that CEOs believe that security must be customised to THEIR organisation. This includes loopholes to please a few. So they politicise security rather than protecting their asset base. Security becomes patronised - if you are in with the CEO and Board you can have security different from the masses. This was how the combatants won sieges in the Middle Ages. No problem then that this results in increased spam and totally inappropriate materials coming through the organisation. Often security breaches are blamed on IT when IT is a victim of organisational politics, user naivety and unwillingness to contribute relatively small funding to resolve the issue. Unfortunately most organisations have a security policy that does not permit discussion of the BIG ISSUES but few policies on information governance.
