Data security 'flouted by workers'

Unfortunately, our studies have also shown that it often takes a data breach incident before an organisation will finally get their wake-up call and take data security seriously.
I don't understand why this surprises us when we behave the same way in the real world. Take traffic lights (and other transportation-related changes) for example: I've seen too many cases where it takes a traffic fatality before people and the transportation authority (in the US, the Department of Transportation) decide to implement additional controls (e.g. traffic lights or other roadway improvements).

Two reasons come to mind for people's apathy toward security:
  1. Is there appropriate management support for information security throughout the enterprise?
  2. Is there an appropriate and measured security awareness and education program?
Src: Data security 'flouted by workers' | BCS
Link to Press Release from Ponemon Study


Dennis_London said...

You forgot about cost justification. Most people won't initiate any security initiatives until an outage, attack, or outbreak impacts their bottom line.

Information Security has at least made it from the back room to the board room. And those in the board room are extremely concerned about how much money an incident cost them. If the focus towards security is measured as a cost to prevent the cumulative cost from an incident, then you will win the backing of the higher management teams.

Let's face it, they don't care about the bells and whistles, they just want to know that the money spent is going to keep the company name, and theirs, from being in the media for a breach/incident.

DrInfoSec said...

Dennis's point about cost justification reinforces the first bullet point in my original post. Without appropriate support for Information Security, companies are locked in a reactive cycle of risk management.

In order to evolve from a reactive stance (event occurs, costs incurred, security gets management's attention) to a proactive stance (i.e. actively track and manage risks), executive management and information security have to improve their ability to communicate.

In a perfect world, both sides would modify the way they communicate to reach each other. In practice, the information security side has to find the right approach to reach their management's attention to appropriately convey the business impact of non-action.