CPOs and CSOs: Solutions or just titles?
One area of possible improvement in Australian businesses tackling the cybercrime issue is to adopt a trend that is taking off in the US. Chief Privacy Officers or Chief Security Officers are becoming more prevalent in large US companies to help combat breaches of company assets. These officers are responsible for all aspects of security, not just the IT-based counter-intrusion area.
Unfortunately, it seems Australian organisations are slow to adopt this idea.
"The trend of a dedicated CxO has not followed in other arenas that are equally important to businesses, such as the Chief Knowledge Officer, the Chief Technology Officer and the Chief Morale Officer," says David. "I would not expect this trend to be any different when it comes to privacy and security, as it has already been shown that Australian businesses are on the whole complacent about security at the moment."
Com Tech's Smith believes that Australian businesses are getting there but it is taking time. "In most cases, security is the responsibility of the CIO [Chief Information Officer]," Smith explains. "That said, some corporate and financial institutions have Risk Management departments and security managers that feed the relevant information to the CIO."
Overall, however, both Smith and David agree that the key to solving this issue lies in conducting proper risk analysis and then implementing a solution that reflects the results of that analysis. More importantly, after a technical and staff security solution is put into place it should be updated and maintained on a regular basis. Ideally, this should be done by a dedicated security officer, or added to an existing officer's duties.
"Security is a process, not a solution," says Smith. "Implementation and maintenance are a continual process--ensure that the organisation is aware of the continual issues it faces and employ (or outsource) the relevant expertise at the outset."
InterSect Alliance's Purdie also agrees with conducting a risk analysis and suggests that companies should take the organisation's risk profile into consideration when training employees and IT staff. Purdie also notes that most employee training with regard to security issues tends to take place in-house. In fact, considering the diversity of many organisations' systems and network architectures, this is essential.
"In situations that we've been called on to offer such training, we try to spend time with some key players in the organisation to get a good understanding of their business objectives, and how those objectives are reflected in their security risk profile," says Purdie. "Although there are some general security concepts that are common between many organisations, we generally find that the differences outweigh the commonalities."
However, Purdie also notes that there is a major security issue with former employees who have technical knowledge of an organisation's infrastructure and might have left under difficult circumstances. "The risk posed by disgruntled, technically literate employees is, unfortunately, often significant," explains Purdie. "When such a person is released from employment, it often promotes an interest in IT security as managers consider the potential repercussions."
These risks can be counteracted so long as security issues remain a pervasive part of the organisation's operations, says Purdie. "The challenge for an IT security team is to make sure that thinking about IT security issues doesn't occur in such exceptional circumstances but is an everyday part of business."