Why Does Information Security Not Seem to Get Any Better?
Robert Findlay, CISA
 
I am always struck that, wherever I work, the basic fundamentals of information security are almost never implemented. It does not seem to matter in which industry, which culture or size of IT department; key controls are rarely if ever addressed when a new system is implemented. If they are, they are rarely thought through, poorly executed, quickly forgotten and allowed to deteriorate. And this has been happening consistently during my 30-year career in IT. And it never gets any better, despite greater audit attention, well-publicized failures and severe repercussions for companies that get it wrong.

Let us take disaster recovery (DR) as a good working example. Although a must have for the vast majority of systems, it amazes me how often it is not even implemented. And often when it has been, it clearly does not cover all the components, backups are not in place, it is never tested, and inevitably there is a failure and the IT manager is held accountable. So why do IT managers not protect themselves and implement the DR solution as part of the initial system implementation? Indeed, why do they not do any of the rather simple security controls that would make their lives so much easier in the medium to long term?

A few reasons have jumped out over the years. First, decision makers, i.e., the non-IT folks, usually start projects without complete IT input, overlooking important aspects of a secure initial stage, including DR planning. Second, senior IT team members often have limited or no qualifications in the field. This makes it harder for them to work out network security or user restrictions at implementation, while the decision makers are focused on strategies and new paradigms. Finally, most IT members with good technical training should make the effort to attain more IT security qualifications.

So here is my advice for IT teams when auditing a new system: Make sure that the decision makers have included all needed IT aspects for the project, such as a budget for testing, development and DR environments, and ensure that all IT team members are fully immersed and capable of managing security and DR.
 
Read Robert Findlay’s recent Journal article: “Five Questions With…,” ISACA Journal, volume 3, 2012

Comments

Re: Why Does Information Security Not Seem to Get Any Better?

I agree with your point of view. Information security can get better. However, the main concern is that communication between IT members is always a problem.

Information security is not only about the architecture and technology, but also about the teamwork between IT members. The frameworks of ITIL and COBIT give very clear details on the job roles for any aspect. To use them effectively, you need communication, and this communication is not about the technology but about people. Lots of businesses and enterprises focus on how much budget to put into technology to make a better ISec environment. But so far, not many of them are investing in the training of teamwork.

YukChuen at 5/29/2012 9:53 PM

Communication

That's a valid point on communication, and it possibly starts at the top, where a strategy isn't documented so no one else knows what the strategy is. From that point onwards you have disparate goals and targets, and then people start doing their own thing.
I think also, though, that your point could include attention to processes. A technology is often invested in, as you say, and I think then management often forget to actually put some processes in around it. For instance, when a new firewall is set up, very soon a barrage of rules exists and no one knows why: they are not documented, no processes are put in place to add or repeal rules, and no communication about the firewall and its rules takes place. Very soon there is a security hole from the implementation of a security solution!

I would bring this back to my original points though that CIOs are often not up to the job and techies need to have a bit more security focus and training.
Bob Findlay at 5/30/2012 7:50 AM
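The undocumented-firewall-rule problem described in the comment above is one that a simple rule-set audit can surface. The following is an added example, not code from the blog or its commenters; it assumes a hypothetical semicolon-separated rule export (field order and sample rules are constructed) and flags rules that have no owner, no change ticket, no review within a year, or that allow traffic from any source.

```python
"""Flag firewall rules that lack documented ownership or justification.

Added example, not from the blog post. The rule export format below is
hypothetical (one rule per line, semicolon-separated); real firewalls
export differently, so the parser would need adapting.
"""
from datetime import date

# Constructed sample export. Field order (hypothetical):
# id;action;src;dst;port;owner;ticket;last_reviewed
SAMPLE_RULES = """\
10;allow;10.0.1.0/24;10.0.2.15;443;netops;CHG-1021;2012-05-01
20;allow;any;10.0.2.15;22;;;2011-01-15
30;allow;10.0.3.7;any;3389;appteam;;2012-04-20
40;deny;any;any;any;netops;CHG-0001;2012-05-01
"""

FIELDS = ["id", "action", "src", "dst", "port", "owner", "ticket", "reviewed"]
MAX_AGE_DAYS = 365  # a rule not reviewed within a year is flagged


def parse_rules(text):
    """Turn the semicolon-separated export into a list of dicts."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            rules.append(dict(zip(FIELDS, line.split(";"))))
    return rules


def audit_rules(rules, today_iso):
    """Return {rule_id: [problems]} for rules that lack an owner, a change
    ticket or a recent review, or that allow traffic from any source."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for rule in rules:
        problems = []
        if not rule["owner"]:
            problems.append("no owner")
        if not rule["ticket"]:
            problems.append("no change ticket")
        age = (today - date.fromisoformat(rule["reviewed"])).days
        if age > MAX_AGE_DAYS:
            problems.append("not reviewed in %d days" % age)
        if rule["action"] == "allow" and rule["src"] == "any":
            problems.append("allow from any source")
        if problems:
            findings[rule["id"]] = problems
    return findings
```

Running `audit_rules(parse_rules(SAMPLE_RULES), "2012-05-30")` reports rule 20 on all four counts and rule 30 for its missing change ticket; the same check can be scheduled against a real export to keep the rule base reviewable over time.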