Thursday, 23 February 2012

Time to get real over cyber security

Too many businesses are still taking the approach that information security is the job of a CISO or the IT department, when it really should be part of any key business plan, according to Alan Calder, CEO of IT Governance.
Security and data protection have never been far from the headlines over the last 18 months or so, thanks to the exploits of hacktivism groups like Anonymous and LulzSec as well as state-sponsored cyber attacks, such as those rumoured to have been launched by China and aimed at the United States.
But while these hack attacks have pushed security up the agenda for many businesses, a worrying number are still not taking the issue as seriously as they should. Speaking at the CRESTcon 2012 event recently held in London, Calder said that improvements have been made, but there is still plenty to do.
Calder said that the financial sector and, to a lesser extent, critical national infrastructure and utility companies have a "working knowledge" of the issues they are facing.
"[However] utilities are still dealing with bigger issues so cyber security is way down the list of things they are dealing with," Calder added. "For most of the rest of the UK, boards are still treating information security as something which is the job of the chief information security officer (CISO) or the IT department."
"It is not on their list. Or if it is on the list it's allocated to the head of IT, which is probably the least sophisticated approach a board could take to information security risk," Calder added. "Any board that is doing its job properly is going to have somewhere between five and 10 real information security risks as part of its risk environment. It will have very clear ownership of those risks and very clear processes in place to deal with them."
