CMP -- United Business Media

Intelligent Enterprise

Better Insight for Business Decisions

July 26, 2002

Securing the Future

Information security needs to become a top priority for organizations

by Mark W. Doll

Today's business leaders face a dizzying array of business challenges: An uncertain economy, an increasing reliance on connectivity, and continued cyber threats (most of which never even get publicly reported) are just three. For many senior executives, business school simply never addressed these issues. And right now, they're all significantly interrelated and critical to business survival, a fact that many organizations haven't fully grasped.

The so-called new economy may have burst, but reliance on information technology and connectivity hasn't changed. In fact, it's likely increasing.

But, in the face of the economic downturn, focusing on information technology and its inherent risks may not be the top priority for senior management — even in a customer-driven economy. However, the reality is that customers, shareholders, suppliers, employees, and other stakeholders are unlikely to differentiate between the failure of an organization's IT infrastructure and the failure of the company itself. More than ever, an organization's connectivity with its stakeholders and customers is the lifeblood of the organization. But you wouldn't think that based on the results of a recent survey Ernst & Young conducted with more than 400 global companies.

Ernst & Young Security Survey

Here are some other top-line results of the survey that should grab the attention of businesses or at least their stakeholders:

  • 75 percent of businesses have experienced unexpected interruptions in critical business systems.
  • Only 53 percent of organizations have business continuity plans in place.
  • Just 41 percent of organizations are concerned about internal attacks on their networks, despite overwhelming evidence that the vast majority of network attacks come from within an organization.
  • Less than 50 percent of businesses have information security training or awareness programs for their employees.

In the survey, Ernst & Young asked IT directors and business executives in global organizations whether they were confident that they would detect a network systems attack. Only 40 percent were sure that they would. It probably shouldn't come as a surprise that the survey also found that 40 percent of organizations don't even investigate information security incidents. (Additional survey results are available in the sidebar above.)

Information security, unfortunately, is still often regarded as a technology issue to be left to the IT department. As a result, businesses develop technology solutions that just don't have the business processes (such as effective management and training) in place to support them. This needs to change.

Information security needs to become a corporate governance issue that gets actively discussed in the boardroom. In many instances, that's already the case and large budgets have been assigned to address information security concerns. But too often, boards may not fully understand that significant investments in technology can be undermined by failing to test IT processes or simply by failing to equate a network infrastructure with the natural structure of the business itself.

For example, an organization that relies on suppliers and outside business partners as part of its "extended enterprise" needs to be sure that those third parties have taken the same precautions toward mitigating information security risks as the organization itself. Sometimes, that's not the case.

Strategic Security

There is good news, however: 74 percent of respondents to the Ernst & Young survey said that they believe their organizations have an information security strategy. The question is whether these strategies go far enough. An information security strategy must provide an organizational framework for making decisions and agreeing on priorities. To be of real value, it must be driven and embraced by line and functional business leaders across all disciplines within an organization. And the strategy must include a sound consideration of the nature of the business risks and the organization's culture.
