The continuing rift between IT security professionals and ‘the business' has been highlighted by a new study that shows many organisations still attach little value to cyber security – even though they know the threat is growing.

This is despite the fact that over two-thirds of enterprises (71.8 per cent) recognise that the IT security risks they face from external sources have increased.
Richard Hunt, managing director of Turnkey Consulting, said: “It is concerning to see that IT security is still not perceived to be an integral part of the business.”
But CISO representatives say they are “not surprised” by the findings.
Tim Holman, president of the ISSA UK user group, told SCMagazineUK.com via email: “It's not surprising to hear any IT professional think this way, where there is often a lack of top-down cyber security support in the organisations they represent. What's more alarming is that given the increased reality of external threats, business owners and boards are still reluctant to take cyber security seriously, and often see it as a grudge purchase.”
Holman insisted: “Good CISOs aren't cheap, but worth every penny in articulating cyber security risks at a board level. The techies at the coalface are rarely seen as influential, but that doesn't mean businesses should ignore them, as they perform a valuable and obvious front-line defence against cyber attacks.”
But he qualified this, saying that while “businesses need to start listening to the professionals they employ, professionals also need to start talking to the businesses, and in language they understand”.
Amar Singh, chair of the Security Advisory Group of industry body ISACA UK and interim CISO, agreed that security professionals need to work harder to get their message across.
He told SCMagazineUK.com: “Part of the problem with IT and ‘the business' has always been the inability of the IT professional to properly relate to and explain the business imperative. The more you call it ‘IT security' the less the business imperative – ‘IT security' remains an IT problem.”
Richard Hunt at Turnkey focused on how CISOs can change the perception of security.
“It is important that change management activities are undertaken to ensure employees throughout the organisation understand their individual responsibilities when it comes to IT security,” he told SCMagazineUK.com.
“An element of basic awareness training should be undertaken in any company which should be followed up with regular reminders. The form these reminders take will vary, as a newsletter will be well-read in one company where an intranet site is more effective in another.”
The survey, ‘A Risk Perspective on 2014', also found that 38.2 per cent of the organisations responding had experienced a fraud incident, up from 31.3 per cent the previous year. Likewise, 30 per cent had experienced a data loss that affected business operations, up from 17.1 per cent.
The researchers questioned 55 IT professionals, all SAP software users involved in security and controls activities.
This article was first published in the SCUKMagazine on 28th March 2014