back to article Who should be responsible for IT security?

Typically, when a cybersecurity problem arises, it’s the IT department that gets it in the neck. Ostensibly, that makes sense. After all, if someone is in your network mining your database for corporate secrets, it’s hardly the office manager or the accounts receivable department’s lookout, right? Perhaps. On the other hand, …

  1. Velv Silver badge
    Terminator

    It's not just cybersecurity that's being missed. It's security. So many businesses don't give a second thought to the threats the world now presents.

    Most businesses you can walk into with nothing but a receptionist to stop you. What about the back door where all the smokers go? The loading bay?

    Are employees wearing staff badges? Do you know everyone personally, or are there strangers walking around your office unaccompanied and unchallenged?

    I could go on, there are so many more security threats.

    Educating the Board about security risks is more than just IT. They need to sign up to reviewing all threats to the business. Cascade that down through the staff and you build a resilient business.

    1. Phil O'Sophical Silver badge

      So many businesses don't give a second thought to the threats the world now presents.

      Not new, I'm afraid. 30-odd years ago, when the IRA bombing campaign was happening, I visited a very secure building in London; badges, turnstiles, cases x-rayed, the lot. A minor fire in a kitchen triggered the smoke alarm, and everyone evacuated to the assembly point in a backstreet. When the all clear was given we all filed back in through the emergency exit door. Anyone could have mingled with the crowd.

    2. Preston Munchensonton
      Stop

      @Velv Security in general is a problem, if for no other reason than the persistent perception that security should be someone else's problem (as proposed in the article). Security is and should be a concern at every level, whether physical, cyber, or otherwise.

      If people would just think. Sigh.

      1. Anonymous Coward
        Anonymous Coward

        It's not only that. Security gets in the way of doing business and especially making money, at least in the short term. A business really needs a long-term vision to be able to appreciate security, but a business can have outside pressure preventing the long view (answering to investors, for example).

  2. Ledswinger Silver badge

    CISO on its own?

    The idea of elevating CISO to a board level appointment is a lovely idea, but I can't see it being successful - more likely the CISO becomes a sort of alter ego of the CIO. What might be a more credible option is a chief risk and security officer, with responsibilities including the business risk management & insurance, business continuity/emergency & pandemic planning, data protection and information security, audit, fraud prevention and business standards plus old fashioned premises security.

    The purpose of the wider scope is that all those things need doing in a large enterprise, they need doing well, and they almost always need a higher priority than they get. Split out the elements individually, and any C-badge is simply a pretence - the CEO and the CFO won't see this person as an equal. But there's a much better chance that a chief risk officer might have that clout, particularly if they are seen as protecting the longer term interests of the business rather than just saying "no". In my own business we've not rolled in the CISO, but we've had great success by having a chief business resilience officer encompassing most of the other activities mentioned above.

    1. James 100

      Re: CISO on its own?

      I think this depends very much on the business.

      For a bank, risk/security is very much a field in its own, so you have dedicated fraud specialists, policies, investigative tools etc. For most businesses, though, computer security should be very much an integral function of IT: the IT department should be aware of security issues, and factor that into all their procurement and policy decisions. In that sort of setting, splitting out security would be a big mistake, particularly in terms of budget. Who funds the firewall, IDS and VPN for example? Is that an IT purchase, or a security one - and what if they disagree? Supposing Security wants that shiny new Cisco IDS switch blade - but IT want to dump Cisco for that nice fast Extreme Networks core switch, which that blade won't fit? Who is responsible for SSL certificates, authentication policies, making sure new components are properly secured...? Recipe for disaster.

      1. Ledswinger Silver badge

        Re: CISO on its own?

        Recipe for disaster.

        Looking at the long and embarrassing list of IT and data security failures, I have to respond that the "all tech under one director" approach has been tried and found sadly and repeatedly lacking. The contention between spending the cash on shiney or on belt & braces exists everywhere across a business, but it usually is (and should be) the board of directors taking those decisions collectively on an informed basis. The dull choice of infrastructure hardware needn't tax the board, there's a CIO for that. But choices that can affect the continuity of the business, or incur multi-million costs and penalties, that's something for the board to agree.

      2. Robert Helpmann?? Silver badge

        Re: CISO on its own?

        For a bank, risk/security is very much a field in its own...

        Contrast this with retail where the main thrust of "security" is to reduce shrinkage (vanishing inventory). I caught the facility security manager installing malware infested freeware on her computer on a regular basis. I could not get her to understand that her machine was connected to every other one on the network, including and especially those the company used to generate profits.

  3. zen1

    To build on the post above,

    IT Security extends all the way out to the average user. Yes, the board can write edicts into stone and IT can implement the technology that may ultimately stop or report 95% of all nefarious activity, but it's in the businesses best interest to inform and educate its employees of what to look for, what to avoid and what not to do. Without those basic policies and procedures in place then it's like giving a double pneumonia patient a carton of smokes and wishing them a speedy recovery. After that, it becomes a relatively short waiting time UNTIL bad things happen.

  4. Anonymous Coward
    Anonymous Coward

    The challenge with security..

    .. is that it's not a nice horizontal function like practically anything else in a business, it is a vertical one cutting across every other layer and that creates structural issues that need to be addressed. The best solution I've ever seen was in an outfit where the CFO was actually line responsible for security, the argument being that it was a risk management component.

    I'm not entirely with the "nobody likes me" argument - that is a matter of how the job is executed. Security is far too often used by power hungry idiots whose main interest is not securing the organisation but more exercising their ego. Those people do indeed quickly end up in a "nobody likes me" situation and, as a consequence, become a security risk themselves (call it an internal Denial of Service attack). A business has to operate, and it thus has to develop a balance between risk, opportunity and budget. The CISO job is to assist with developing that balance and adjusting it where required.

  5. Daggerchild Silver badge

    *Seeeeeeeeeeeeeeeeeeethe*

    You cannot make a secure company from the components everyone wants to use. You can make a mint doing security, bailing water, sure, but the workplace is a lost cause as long as the commercial fileservers are on the same network as the browsers watching cat videos in Flash.

    You want to do it properly? You have to do it from the very start. There are ways to do it properly, but I have never, ever, found anyone who cared enough to want to use them. It'd involve not using web browsers or other large applications that favour features over security. i.e. most commercial applications.

    You'd need a scalable security crystal. An Open Source, very slowly grown, industry standardised, entire precooked company network in a box, made of defined physical components that interlock. Not much of a profit margin in selling standardised nuts and bolts tho.

    1. Sir Runcible Spoon Silver badge

      Re: *Seeeeeeeeeeeeeeeeeeethe*

      "Not much of a profit margin in selling standardised nuts and bolts tho."

      You'd be amazed though at some of things you can do to secure an environment with the basic tools and a decent process. Unfortunately the skills to do this cannot be taught in a 5 days 'Cisco God' course ;)

  6. Rol Silver badge

    The evil that lurks inside

    While much is being said of the physical aspects of security, the elephant in the room, piss poor software, hasn't really been brought front and centre and given the thrashing it deserves.

    Bespoke systems costing millions to develop, yet, have at their core, operating systems that have been nobbled by incompetents, marketeers, and divisive agents of the state.

    Coders, with a history of complete disasters, because they didn't bulletproof their code, are still being employed and head programmers still lack the tools to interrogate submitted code for security blunders. That it appears to work isn't enough to pass the security test, but for a few simple forays into abuse scenarios, nothing really gets tested.

    I agree wholeheartedly with Daggerchild, using off the shelf software and hardware is a recipe for disaster, at least until someone somewhere writes the program that will interrogate all other programs for their security weaknesses. A very hard ask, but I'm sure if approached in the right way, achievable. Perhaps, by defining the output and then testing the system with every possible input, must surely throw up anomalies that can be chased down.

    All we need now is a coding group that gives a shit. No! no, Microsoft, put your hand down, I'm looking at coding groups that don't do the states bidding.

    1. Anonymous Coward
      Anonymous Coward

      Re: The evil that lurks inside

      "I agree wholeheartedly with Daggerchild, using off the shelf software and hardware is a recipe for disaster, at least until someone somewhere writes the program that will interrogate all other programs for their security weaknesses. A very hard ask, but I'm sure if approached in the right way, achievable. Perhaps, by defining the output and then testing the system with every possible input, must surely throw up anomalies that can be chased down."

      Not necessarily. Because sometimes it's not the input itself that's the issue but the way it comes in. Say the input comes in just a bit off-cue due to a timing issue that's not the fault of any one program. Or perhaps one program that comes between two others alters something slightly but just enough to make it thread a disaster needle. Ultimately, some things just can't be figured out in any other way than to put it in the line of fire because no amount of testing, modeling, or piloting can match the true chaos of reality.

  7. Anonymous Coward
    Anonymous Coward

    The biggest threat to IT security is the CIO

    They didn't want anything to do with doing the work right the first time as opposed to getting a half-assed application into production "and fixing it after it goes live." And when that didn't work and companies started outsourcing data centers and infrastructure, they saw their little castles start to crumble. So now, in a pathetic attempt to regain relevance, they trumpet how security should belong to them. Right. Been there, tried that, you failed. Say goodbye.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019