CIO Asia – Issue – The Six Secrets of Highly Secure Organisations

How many of these “Secrets” does your organization practice?

It’s good to be confident. It’s better to have good reason to be confident. Here are six secrets that we believe will help you work your way into the Best Practices Group.

The Six Secrets

1. Spend more. Globally, respondents said infosecurity accounts for less than 11 percent of their IT budgets. The Best Practices Group claimed 14 percent.

2. Separate information security from IT and then merge it with physical security. These disciplines can either exist under a single CSO or as separate entities governed by an executive security committee.

Over the course of the next year:

3. Conduct a penetration test to patch up network and application security (the Best Practices Group was 60 percent more likely to do this than the average respondent), and perform a complete security audit to identify threats to employees and intellectual property. (The Best Practices Group did this far more often than the average respondent.)

4. Create a comprehensive risk assessment process to classify and prioritise threats and vulnerabilities. (The Best Practices Group was 50 percent more likely to do this.)

5. Define your overall security architecture and plan from the previous three steps. (Two-thirds of the Best Practices Group did this as opposed to only half of the respondents overall.)

6. Establish a quarterly review process, using metrics (for example, employee compliance rates) to measure your security’s effectiveness. This will help you to use your increased resources more efficiently.

And eventually, you’ll get locked into that virtuous cycle.

And later in the article, an interesting result is reported about real-world HIPAA compliance:

Why Uncle Sam Makes a Poor CISO

The US government has taken on information security. It has sought to influence security practices through regulation—the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and others—and the Department of Homeland Security’s colour-coding system, which defines how private-sector security professionals should respond to a given level of risk. But the “2004 Global Information Security Survey” indicated that either the regulations were poorly conceived or written, or that our respondents had a slovenly attitude toward compliance. Or both.

In any case, something’s gone awry. (See “What Do You Do When We Go to Orange?”)
Only half of all U.S. respondents claimed to be in compliance with HIPAA, and less than that (41 percent) reported that they comply with Sarbanes-Oxley. Of course, not every respondent needs to comply with HIPAA. But if we look at those respondents in the industries that do—health care, pharmaceutical, and biotech at 71 percent, 45 percent and 40 percent compliance, respectively—the story doesn’t change all that much.

Security professionals are dubious about the impact of both current and potential future regulation. “No regulation is preferable to bad regulation,” says the CISO of a major electronics company. “On the other hand, if we don’t regulate, we’re heading to a bad event with critical infrastructure, and then you’ll end up with regulation passed in reaction to the bad event. It would be the worst of both worlds.”