Fewer qualified security experts puts businesses at risk

McAfee revealed findings from new research which shows that businesses have reached a compliance breaking point and that organizations are finding themselves more vulnerable to reputation risk due to new compliance-related legislation emerging throughout the world.

The report, commissioned by McAfee and conducted by Dr. Jonathan Liebenau, senior lecturer in Information Systems, Department of Management at the London School of Economics (LSE), suggests that businesses are struggling to put the necessary IT security resources in place to comply with government regulations. Titled ‘International Perspectives on Information Security Practices,’ the research — believed to be the first of its kind — warns that a firm’s reputation could be damaged by disclosure laws now in force in the U.S. that look set to become more widespread worldwide.

Limited Expertise

The report also reveals that many businesses are reliant on a very limited number of specialists who can manage information risks and understand compliance. Companies that lose these internal capabilities often struggle to find replacements either on the labor market or through outsourcing.

Forcible Disclosure and Reputation

Perhaps the best example of the direct link between IT security and the strategic business function is the requirement to give public notice of a security breach. This has been the law since 2004, but poses serious risks for business reputation and business continuity. A recent survey by the Ponemon Institute revealed that one-third (34 percent) of customers would change their bank after a single security breach.

Dr. Liebenau found that by mid-2006, reports of security breaches in the U.S. were numbering between eight and 10 per week. To date, almost 94 million records containing sensitive personal information have been involved in security breaches.

“The mandatory reporting of security breaches will have far-reaching implications on a business’ reputation management,” said Dr. Jonathan Liebenau, senior lecturer in Information Systems, Department of Management at LSE. “The practice of reporting breaches, now commonplace in the United States and quickly spreading to several regions in the world, will impact the way individuals and organizations think about information handling in general and reputation protection in particular.”

Increasing Risk?

Surprisingly, compliance requirements may be increasing security risk as guidelines, standards and compliance concerns overshadow business security needs, and as the costs involved in monitoring and meeting compliance requirements can take resources away from dealing with live security threats.

Theory vs. Practice

Researchers found that CIOs, security officers and IT directors believe compliance is playing an ever-increasing role in IT security, but many businesses are struggling to cope with its requirements. According to one banking security expert in the U.K.: “We understand SOX and what it’s good for, but in practice you do what you can.”

The key findings in this area are:

— Evaluation of security practices is often very subjective due to a lack

of good benchmarks

— There is no convergence of the security practices within businesses.

Those responsible for policies are often different from those who

manage and maintain the system security

— Information security executives and managers resent the considerable

effort spent on monitoring changes in policies and regulations and then

redesigning systems in order to comply with these changes

Evaluating Sarbanes-Oxley

The consensus among computer security professionals is that the SOX has been a boon to information security, elevating the importance of IT security within corporate life. However, there is a widespread view among the senior IT personnel interviewed that it is too vague in its specifications and at the same time too prescriptive in its implications.

Dr. Liebenau conducted interviews with IT directors, security officers, CIOs and CFOs in large global financial services organizations across Europe, Asia and North America to find out how they assess and prioritize information security risks.