This article is reminiscent of a man tying a knot around his finger as a note to remember something important. In 2003, there was a State of Security forum that discussed the importance and failings of information technology (IT) security. The forum took place in the post-internet-boom era, when companies had taken their place in the market. Nevertheless, IT security was an issue because the need outstripped the resources available to meet it. Moreover, this was the point for the industry where companies were better at marketing product to generate revenue than they were at closing the backdoor to make sure the money stayed. Five years later, another forum on the State of Security was held, and the same people addressed the same issues. This group presented conclusions on where the industry stood after the initial recommendations, and charted growth, regression, or new problems. The purpose of this paper is to address the tightness of this knot around the IT finger.
At the first State of Security forum in 2003, suggestions were given to improve information security, along with some conclusions. The first conclusion was a correlation: confident companies do not run their information security through the information technology (IT) department. Moreover, running information security through the IT department actually hindered security (Berinato, 2003). Information security was carried on the IT budget but not run through the department, and consequently this infrastructure protected the companies better. The more a company invested in information security as an entity separate from IT, the stronger its infrastructure and security became. The ultimate conclusion and recommendation was to avoid folding information security into the IT department, and to fund information security as its own functional responsibility. Further recommendations for information security included: refocus the security program so that it takes into account the smaller, more frequent threats as well as "the sky is falling" threats; assign a disciplinarian; and vigilantly enforce security rules (2003). However, these recommendations are easier said than done, because at the time of the first forum, companies still had a difficult time identifying breaches and did not know the status of their security. The fifth forum presented the fruits of their labor.
In 2007, Scott Berinato followed up his previous article concerning the state of information security. The conclusion the article presents is that the recommendations were followed only to a point. Companies increased their spending on information security by 57%. However, there is still a haziness about the strength of that security. Although the spending has occurred, companies have folded information security into the responsibility of the IT department, which was against the recommendations. The reason it was not recommended was the need for a department to serve as a watchdog for security breaches. IT departments do not have the wherewithal to both watch over information security and keep the rest of the company's technology working. Just as was warned, the lack of focused responsibility has led to gaps. Furthermore, there is still a lack of available talent to meet the need for increased security. As a result, IT is spread too thin, and security is getting breached. In addition, there is a lot more finger pointing as to who is to blame for the security breaches within a company.
Scott Berinato presents, and I agree, that the state of information security is eroding, and that it is important that companies have a renewed focus. Information security should be its own entity, with its own leadership, and that department should protect the company and enforce accountability for security breaches. By separating the information technology (IT) department from information security responsibilities, a company would be more secure.
Berinato, S. (2007). The fifth annual global state of information security. CIO Magazine. Retrieved July 31, 2008, from http://www.cio.com/article/133600/The_Fi
Berinato, S. (2003). The state of information security 2003. CIO Magazine. Retrieved August 23, 2006, from http://www.cio.com/archive/101503/state.