Tuesday, November 07, 2006

When Laws Aren't Enough

CIO Magazine published The Global State of Information Security 2006. The story contained what I consider to be some fairly disappointing results.

Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. ...

The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings.
(emphasis added)

No one spends money on insurance because it "adds strategic value." At best security spending can produce "savings," i.e. avoid losses.

Perhaps the problem is ignorant management?

From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security incidents in the past year remained steady. But this year, we included the option to answer that you do not know how many negative security incidents occurred. This year, nearly one-third of respondents admitted that they do not know how many breaches or unauthorized access events occurred within their organizations.

To a certain extent, that's understandable. Attacks can be hard to identify, and networks can be extensive. What's less comprehensible is that a significant portion of respondents said they have not installed some of the most rudimentary network safeguards. Only one-third of respondents have put in place patch management tools or monitor user activity. Less than half use intrusion detection software or monitor log files (the two best methods organizations can employ to detect breaches) and even fewer use intrusion prevention tools. Surprisingly, more than 20 percent of respondents don't even have a network firewall.

Let's assume these managers are not being brutally honest, i.e., they are not recognizing that it can be impossible to know of every incident. Instead, I assume they are admitting they just don't have the tools and tactics to measure incidents. That's disappointing.

There is some hope in certain industries.

Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprisingly, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.

It's obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.

The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry's most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.

Financial services companies are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector.

Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.

I'd like to provide a slightly different interpretation. Financial services companies are used to dealing with threats as well as protecting assets. Everyone has assets to protect, but not until recently has everyone been within the reach of threats. Your risk is zero if you face no threats, no matter how vulnerable you are or how important your assets.


Anonymous said...

it's not complacency. it's the old adage, why blow cash into security initiatives when nothing has really happened.

Chris_B said...

Richard, the threat which causes financials to spend more on IT/infosec in many cases is regulators, not external attackers. If a company cannot demonstrate compliance with an ever-increasing list of audit checkpoints on IT/infosec (vulnerability), there is a risk of facing fines or suspension/loss of the company license (exposure).

This is part of why financials are tending to put IT/infosec into risk management along with control systems aimed at BASEL II and SOX compliance.