Four thousand information security professionals in 100 countries ranked management support of security policies, users following security policy and qualified security staff as more critical to securing their enterprise than software and hardware solutions, according to a study conducted by IDC and sponsored by the International Information Systems Security Certification Consortium (ISC2).
The third-annual survey, which was conducted via the Web, signifies a shift in the way organizations think about security with technology being the enabler as opposed to the end solution, the report said.
Allan Carey, manager for security services and identity management research at IDC, said organizations need to educate their employees about their policies in terms of what the policies are and what acceptable Internet usage is under those policies.
“Employers need to make sure (employees) sign off that they are aware of the policies and they understand what the policies are,” said Carey, who led the study.
Likewise, Mike Kinrys, business development manager at Toronto-based Informatica Corp., said employee awareness of the policies and procedures is often the problem.
“People may not be aware what’s in those dusty books,” said Kinrys. “People may have been given a talk when they joined the company years and years ago but then there’s no refresher courses and things may have changed.”
Terry McQuay, founder and president of Toronto-based privacy research firm Nymity Inc., said privacy breaches are often the result of non-IT-related human error, such as employees recycling documents as opposed to shredding them.
“Often that mistake is because they’re not following the policy,” said McQuay. “If you’re not following the policy it’s typically an education issue as opposed to a blatant disregard for policy.”
McQuay added that companies sometimes have policies without corresponding procedures in place, which makes it more difficult for employees to follow the policy.
Informatica’s Kinrys said social engineering and pretexting are examples of much easier ways of getting into an organization than hacking into its systems. “The weakest link is almost quite often the people themselves,” said Kinrys. “It’s not because they’re incompetent but they may not have been trained what to look for and what not to do.”
The study also found that the responsibility for securing information assets is shifting from the CIO to other C-level executives such as the CEO, CFO, chief risk officer and chief information security officer. IDC’s Carey said roles like chief risk officer, internal auditor and head of compliance have popped up in recent years thanks to new securities regulations.
“The U.S. market is more heavily regulated (than Canada),” said Carey. “It therefore has moved towards risk management earlier than the Canadian market.”
On this side of the border, Nymity’s McQuay points out that when dealing with personal information, the privacy laws in Canada dictate that a company must appoint a privacy officer to be accountable for the handling of that information.
“If it’s corporate information then it could be a security officer, it could be someone else in the organization,” McQuay added.
Down south, however, McQuay said laws that require organizations to notify their customers of a data breach within a specified period of time are compelling organizations to invest in people, infrastructure, procedures, training and policies.
The study also found that there are 1.5 million information security professionals worldwide in 2006 – an eight per cent increase over last year. IDC estimates the number will grow 7.8 per cent from 2005 to 2010 compared to the growth in the number of IT employees in the same time frame, which is estimated at 4.6 per cent.