http://www.attackprevention.com


Date Submitted: 06/18/05

No Accountability in Information Security



Added by Papergrl

Written by: Mitchell Rowton

If an accountant loses track of a million dollars, he gets in trouble or loses his job. If a school bus driver gets a speeding ticket, he gets in trouble or loses his job. We could go on and on with examples.

So why is it that when a Fortune 500 company is brought to its knees by a 6-month-old worm, which had a patch available 12 months ago for a 16-month-old vulnerability, no one gets in trouble?

Information security isn't held to the same standard as other industries. We aren't even held to the same standard as other areas of IT. Partly this is because the people responsible for deciding who is "in trouble" know very little about information security.

A Chief Information Officer may think of a virus outbreak as the work of a sophisticated hacker or virus writer, while it may actually be caused by a blatantly negligent lack of action on the part of the information security department. If the CIO were more technical, he might realize that something wasn't happening the way it should have, and he might place more accountability on the information security department. The flip side is that most technical people don't make good CIOs for large companies.

In fact, most senior management has a distorted impression of their organization's security posture. They believe the things that cost the most money, like firewalls and IDSs, increase security far more than cheaper things like antivirus software, patches, and user awareness training.

We need senior management that is willing to react to the latest worm outbreak by saying, "If this happens again, you will lose your job." Until senior management starts holding security professionals accountable for their actions (or lack of action), we will continue to hear about old worms taking down large companies.

I'm not trying to downplay the work of most security professionals; most do an excellent job of keeping the bad guys out of their networks. I'm referring to the person you think of when you read news about a virus spreading over port 1433 that penetrates the internal corporate network. All security professionals worth their salt fume over these headlines; maybe more senior management should fume too.




Copyright 2008 AttackPrevention