Three years ago, IDC Canada research into IT security identified what was then described as a “disconnect” between the risk facing many Canadian organizations and the effort those organizations invested to minimize that risk.
A 2000 survey of 100 large businesses (more than 500 employees) found that most Canadian organizations had reported some type of security breach or unauthorized intrusion into their IT systems or networks. Yet most of those same respondents invested relatively little in the IT tools and processes designed to deter incidents and minimize the impact of security breaches. The same 2000 research showed that one in five respondents acknowledged they were aware their IT systems had been breached by unauthorized users – hackers, crackers and the like – during the previous 12 months.
The results were disconcerting and strongly suggested that most Canadian organizations were unprepared for and unable to deal with the risk of unauthorized intrusions and other external security threats.
Three years later, Canadian businesses are certainly much more IT security-aware, and recent IDC Canada research shows that many businesses and organizations routinely use anti-virus products, firewalls and encryption. Yet serious IT security “disconnects” remain.
For example, a 2003 IDC Canada survey of approximately 200 organizations shows that more than 85 per cent of respondents identify lost business productivity as the typical impact of a security breach. However, most of these same respondents admit they do not calculate the cost of that lost productivity, so there is at least some question as to whether Canadian organizations are fully aware of the seriousness and impact of security breaches.
Another question put to this same group of respondents was, “to what extent does management at your organization access and act upon routine reports (e.g. audit, logs, risk and vulnerability assessments) summarizing security?” The question speaks to a fundamental issue: whether the business side of the organization truly reacts to and applies the advice and recommendations of “front line” IS professionals.
A “disconnect” is seen in the answers from two disparate groups: business professionals and IS/IT professionals. Approximately 70 per cent of business professionals who answered the question said management “routinely” or “frequently” acts upon these security reports. Fewer than 45 per cent of IS/IT professionals said likewise. More than 40 per cent of IS/IT professionals said management “seldom” acts upon these reports, and approximately 12 per cent said management “never” acts. By comparison, approximately 27 per cent of business professionals said management “seldom” acts and only 6 per cent said management “never” acts.
This “disconnect” in perception suggests that most business professionals within an organization believe one thing, while IS/IT professionals within those same organizations often believe something else. One group perceives business management as appropriately responsive to routine security assessments, which typically gauge how prepared a company is to counter or minimize the impact of security threats, while the other group believes the opposite.
There are a number of possible reasons for these differing perceptions, which might include:
– That IS/IT groups within businesses are not plugged into the business side of their organizations, so that they may not be aware of the action management takes in response to their audits and recommendations. In this case, IS/IT is a separate organization that remains “disconnected” from the business itself.
– That there remains an inherent mistrust between IT/IS and business – the old perceived attitude among some business professionals that IT/IS seeks to justify its own importance and may be over-reacting to apparent security risk. Business, in the eyes of some IT/IS professionals, may not be reacting seriously enough.
– That organizations may believe security issues are being addressed, even though no corresponding investments are being made in IT solutions.
There may be other issues at play, but the key concern here is that business and IS/IT do not appear to be on the same page when it comes to IT security. The primary reason for this situation harks back to a traditional “disconnect” that exists in many Canadian organizations: who is, and who should be, responsible for IT security? Research from three years ago showed that IS/IT was typically handed the task, but logically the responsibility should fall to the business, since the impact and implications of a breach most profoundly affect the business itself.
Today, many Canadian organizations recognize IT security is an issue that must be driven from the boardroom level of business. There’s increasing recognition that IT security cannot be addressed in isolation and the efforts of IS/IT in assessing, implementing and maintaining a security posture must be guided by the imperatives and requirements of the business itself.
The “disconnect” between business and IS/IT with regard to security may be narrowing: IDC research in North America reveals that almost 70 per cent of the 883 organizations surveyed have a security officer in place – a role that, among other things, is designed to bridge the gap in security concerns between business and IS/IT. In addition, in an effort to minimize the impact of the worst possible business disasters and security breaches, the same survey shows that 82 per cent of large organizations said they would have business continuity plans in place within the next year.
The “disconnect” between security risk and the efforts of Canadian organizations to minimize its impact continues to exist and to be revealed. The challenge remains to bridge the gaps.
McLean is director of outsourcing and IT utility research for IDC Canada Ltd. in Toronto. He can be reached at email@example.com.