Continuing the trend of IT Security topics in my writings (you might think that I am doing some work that somehow ties to IT Security…), I ran across an article in Forbes posted on March 4th, “Security Statistics Show That We Need To Reinvent Enterprise IT”. In this article there are some staggering statistics, first regarding the number of security breaches in large companies last year: “During 2013, at any given time, between 68% and 82% of the S&P 500 companies had been compromised with an externally observable event”. Further in the article, a survey revealed that IT employees of these large firms believe they are safe: “Businesses Put the Blinders On: 73% of respondents believe their organization is safe from security threats”.
In my last post (“In The City”) I stated, “Organizations pay for virus protection based on how they value the risk to the organization and how clients or customers would view their decision.” I am thinking now that I should rephrase this to add the word “should”. Organizations SHOULD pay for virus protection based on how they value the risk to the organization and how clients or customers would view their decision. It may be that organizations are willing to tolerate security risks in order to deploy new systems, tools and technologies to meet shareholders’ profitability demands.
Gosh, big companies taking risks in the name of profits. Shocking, eye opening, and happens every day.
Some industries, such as pharmaceutical, healthcare and even financial services, have to meet government-imposed regulatory requirements, and these now include some requirements around data security. Non-compliance with these regulations can lead to severe penalties. These regulations are a floor, not a ceiling: they are written and revised slowly and do not account for many of the ever-evolving threats in IT security. So beyond the regulatory minimum, corporations are on their own to decide their risk tolerance and determine their investments in security.
Many companies now utilize a GRC program or board (governance, risk and compliance) to ensure that the company is operating ethically and addressing regulatory compliance, and it is being applied to IT departments to ensure they support the current and future needs of the business and comply with all IT-related mandates. The challenge is that this is not an automated process that continually monitors the security posture. In most cases it is an audit-based function that reveals problems only after the audit takes place, as a point-in-time snapshot (if it even reveals all of the problems). In general the GRC program team does not have the technical expertise to verify that proper measures are taken to avoid breaches, so it relies on the IT department’s assurance. The IT department, in turn, is driven to meet budgets and support the needs of the business.
Security is not a need of the business until an event has occurred. Therein lies the problem. So here is your bad 80’s tune reference: