IT security policies too fragmented

UK organisations are wide open to network breaches because responsibility for security is still too fragmented.

IT services company Synstar said that the role of chief security officer (CSO) is key to ensuring that the subject is taken seriously, and that policies are put into practice rather than stuck on the shelf and ignored.

Jason Hart, head of security at Synstar, told vnunet.com: "It's always the IT department pushing security to the business, but it's a bigger issue than just IT security.

"It's a business issue. A lot of boards don't understand why someone would want to hack into their systems. They don't realise the potential effect on their share price or reputation, for example.

The CSO role demands an understanding of technical, business integrity and availability issues, as well as the financial and operational impact of a security breach.

"You need someone who's been exposed to all areas of the business, can take the message to the board and be an interface to all parts of the business," said Hart.

He added that companies also need to view internal security threats in the same light as external ones.

Research from the Department of Trade and Industry published in April found that 60 per cent of security breaches are internal.

And, while interest in the BS7799 framework for implementing security policy is gaining momentum, Hart warned that it isn't enough to safeguard a business.

"It's a fantastic starting point, but it's only a framework and you need to add a lot more to it. Unless it's managed, it won't solve your problems. People tend to put it on the shelf until it's time for their next audit."

Fear of security breaches and growing regulatory requirements are driving growth in the proportion of IT spend dedicated to security, according to analysts.

"Companies are spending a lot on IT security but it won't solve your problems unless you have policies and procedures in place, that are managed, maintained and continuously renewed," Hart said.

See also:

UK law firms fall down on security

Security breaches cause 'significant' number of legal practices to lose clients  07 Jun 2004

DTI bemoans security standard take-up

UK firms may be compelled to take data protection more seriously  17 Feb 2003

Government promises safer school surfing

Review of web filtering, monitoring and detection software to restrict access to inappropriate sites  27 Jan 2003

UK still vulnerable to hackers

Dramatic fall in recorded attacks played down by experts  05 Dec 2002

Bush allocates $900m for cyber security

Research and education grant to tackle hackers and terrorists  29 Nov 2002

Security is everyone's responsibility

E-commerce minister Stephen Timms writes exclusively about the need for clear security guidelines if future generations are to benefit.  31 Oct 2002

Building security into the DNA of every project

IT is no longer the preserve of the few, and we need security policies that reflect this.  31 Oct 2002

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!