back to article IT bosses: directors don't take security seriously

Most IT managers believe that while their board-level superiors pay lip service to compliance and security, they don't really take it seriously, according to a survey carried out for software developer NetIQ. The survey also revealed that 51 percent of the 218 UK companies queried still do not have the processes and …

COMMENTS

This topic is closed for new posts.
  1. Pete James

    Easy target to blame

    But also not necessarily on target. UK for example companies have to conform with a sizeable amount of legislation across a wide area; technology security is but yet another one to deal with. There's only so many times you can threats about fines, prison terms, loss of customer confidence etc levelled at you before their impact withers. In fact, I'd argue the sheer amount of FUD thrown around by vendor contributes to this problem. Perhaps if they made a decent fist of presenting a good case for their product then it stands a far better chance of being accepted.

  2. Anonymous Coward
    Anonymous Coward

    I can only agree, but...

    It is true, Directors don't see the need for security. It costs money, doesn't bring revenue. Out of my own experience at an ISP: Statement of the CEO "We don't need firewalls"

    If you explain security to the board everybody nods but nobody wants to understand that security is revenue protection and not revenue generation. The result of this: The security department was dismantled and quite frankly after over 3 years figting a constant battle i also had enough so wasn't too sad.

    For the security manager/team there is the pragmatic way, wait until something serious happens, but then the board comes along and says the department didn't do it's job, the argument against it: We mentioned it already and worked out a solution but the business didn't support it. But the kicks up the backside do come regardless and they always come from the top down.

  3. RK

    if it costs money, they don't want to do it...

    my manager is old-school, which makes it hard to convince him of the need for pro-active security considerations. for most of his career, there really wasn't much need for it, so there must not be today. the main obstacle, though, really is that we haven't had any major problems -- so far -- "it's working fine, what need is there to spend money to fix a problem that isn't there? if they can't get through the firewall, we have nothing to worry about."

    it's the insurance argument i always heard from my parents, all over again: "if you need it you'll wish you had it!"

    i could do pretty much whatever i needed to secure things if it didn't cost anything to implement (other than my pay), but the second it starts taking money to make things happen, there's "no need for it."

  4. SImon Hobson Bronze badge

    But everyone *knows* it an It problem ...

    At least that is how it was treated at my previous employer. Not just security but a whole host of business issues (business continuity anyone ?) were conveniently labelled as "IT" issues and therefore delegated to the (already overstretched) IT dept. Oh yes, and did I mention budget ? There wasn't one !

  5. Anonymous Coward
    Anonymous Coward

    biz ppl...

    Yet another proof of how clueless business people are. It is a shame that people with a distorted view of reality (with just knowledge of MBA's, Marketing, "Sales", and the like) are the ones ruling the world---hmm.. that explains many things...

    These ppl have clever "business ideas" but know nothing about the field where those business will be...

    retarded.

  6. Anonymous Coward
    Anonymous Coward

    IT Department vs The Whole Business Community

    The epic struggle of the IT department versus the business departments rages onward. However, this really isn't about technology at all. It is about "data assets" regardless of whether or not technology is utilized. When asked, "What are your most valuable assets?" - Nine out of ten will say, "My people, and my core business functions". Very few companies are able to quantify their data assets unless it's a proprietary process or a trademark secret. I've heard business managers refer to security as the "barking dog or chicken little" syndrome. Let's face it, no business owner or executive will ever take information security seriously unless the consequences of not implementing mitigation strategies out way the cost of the safeguards. Simply put, it is the cost of doing business. Put the blame where the blame belongs.

This topic is closed for new posts.