Why Companies Turn to IT for Protection in the Information Age

Mar 1, 2008 12:00 PM



EDITOR'S NOTE: There are six different areas of knowledge that successful security programs of the future must incorporate, either in the knowledge base of their leaders or in the collective knowledge of the leading staff. They are government elements, security organization, emerging issue awareness, IT security, business elements and executive leadership. This is one in a series of articles covering each knowledge area. For security professionals, success in the future will be gained only through a blended skill-set — a culmination of all the streams. To read other articles in the series - and to view a self-assessment tool - visit securitysolutions.com/corporate/next-generation-leader.

While this series examines the knowledge areas in chronological order, starting with the area that was most prominently hired in the 1950s and ending with today, the big picture of the next-generation security leader is cumulative. Knowledge in all six areas is essential for the security leader who wants to continue to excel at the executive level in the future.

Information protection has been around since sensitive information was first put on paper. It resided mainly in government agencies and revolved mostly around internal movement. That is, files would move about within the organization, but were rarely passed intentionally to external sources. Documents were moved by courier and were stored in filing cabinets, and securing them was a matter of watermarking and carefully controlling access.

With the advent and growing popularity of the Internet in the mid-1990s, information protection changed quickly and dramatically. Businesses were already creating and storing digital data, but suddenly these digital information assets could be moved within or outside the organization within seconds. Information technology security grew to include the protection of files, networks, databases, transactions, applications and much more.

The increased business and consumer use of the Internet led to increased online attacks, which helped to promote the influence of and management support for IT security. A few high-profile attacks — such as the Code Red worm that infected 250,000 systems in just nine hours on July 19, 2001 — raised IT security to even greater prominence.

Strengths and drawbacks

In many organizations, IT security grew into its own entity outside the “security department.” This happened in part because the security leaders of the time, who had been promoted through the organization, were, in many cases, caught off guard by the business shift to IT. Many of these leaders were so focused on gaining the security knowledge they lacked that this new vulnerability developed without their notice. Suddenly, it became so large that it demanded attention. By then, the IT organization had created its own security positions — positions that in some businesses eventually outranked the security director to become the leading security offices in the organization.

Those with IT security backgrounds brought valuable knowledge to their organizations:

  • They knew the systems, applications and platforms the business needed to perform at its peak in the information age. They knew — or knew how to discover — the vulnerabilities of these systems, applications and platforms, and they knew how to shore them up. Basically, they enabled the business to expand safely into the Web.

  • They enabled regulatory compliance. The information security requirements of the Sarbanes-Oxley Act (SOX) and the Federal Sentencing Guidelines gave IT security a leading role in compliance. Their knowledge of the solutions available and in place helped the business comply more quickly, thus avoiding fines.

  • They created a large body of standards and repeatable processes that enhanced IT security across organizations.

IT security professionals also brought some limitations to the leading security role. Chief among these:

  • They did not enforce punishment for cyber crime. Because IT security professionals didn't have any background in law enforcement or investigation, they did not work to stop cyber criminals from exploiting their networks. Instead, they focused their attention on patching up the system once the damage was done. This held true in the vast majority of the IT community, and it led to a preponderance of cyber crime that was almost social in nature because criminals didn't fear prosecution.

  • There was a perception that IT culture didn't mesh with corporate culture. While many IT security professionals interacted regularly with other departments, other executives often observed their high-tech language and unfamiliar solutions and equated these with arrogance or standoffishness. With that said, certain types of positions often do attract certain types of personality, and the IT personality isn't always team-oriented. In fact, communication wasn't a priority for some IT folks, who created their own space in the organization and often did not venture out to work with other units.

© 2008 Penton Media Inc.
