By silicon.com, 6 September 2004 17:40
Businesses are putting their very existence in the hands of techies unqualified to tread the minefield of legal issues which are now as much a part of information security as technology.
That is the most alarming finding of a LogicaCMG-commissioned survey which found that 71 per cent of companies rely on the IT department to implement security policies.
But before you flame us, it's important to acknowledge this isn't an attack on the already overworked IT department but more a case of highlighting the problems businesses have in understanding the multi-faceted issue of security and the role it plays in the bigger picture of corporate governance.
Would you trust your lawyers with patching your network? Of course you wouldn't, so why are techies being charged with getting their heads around the complex legal and personnel issues associated with security policy-making and the implications of getting this vital process wrong?
In truth the issue is as much the role of HR and legal departments. Granted, security involves procuring technology, integrating, managing and testing it - and those are all jobs for the tech team. But technology in isolation is not a security threat. It only becomes a threat once people start using it... and techies aren't generally 'people' people. Nor should they be.
Educating staff, drafting corporate policy and ensuring governance and compliance issues are met should not be on the 'to do' list of any techie. Such a strategy will fail and when it does it will be the wrong people who take the blame.
Security does not begin and end at the server room door. The sooner that fact is realised and acted upon the sooner companies will be closer to protecting themselves and their businesses.
Comments
There is 1 comment. Join the discussion
1. John Stewart
Agreed absolutely. One of the key areas we see the IT Team being responsible for HR type roles is in Identity Management. It's often left to the IT team to decide and control who in the organisation should have access to which systems, and be responsible for issuing login ID's - whether tokens, passwords or other credentials.
These are decisions and issues that really should be in the domain of the HR administration and management team, but typically the tools are not in place to devolve these Identity Management tasks to the appropriate manager.
In our experience the techies love it when they have the ability to delegate these people and rights management responsibilities to the right people in the organisation - and the users love it too!