
News In Review

August 31, 1998


Acceptable Risks

Continued...page 4 of 4

Another key element of an enlightened approach to security is a companywide campaign to promote user awareness. But that campaign "can't just be an annual brochure," says Jim Patterson, VP of security and telecommunications at OppenheimerFunds Inc., a mutual fund company in New York. For example, Oppenheimer occasionally has a life-sized cardboard figure named "Mr. Security" around its Denver campus. The character is dressed as a baseball umpire and holds a stack of index cards with information security tips for Oppenheimer's 1,800 employees.

PNC Bank has a booth dedicated to security at its annual company technology fair. "It's another way of getting employees to understand these issues," CIO Mikula says. And as a light-hearted reinforcement, the bank hands out fortune cookies with security tips tucked inside.

Such internal campaigns are critical because, while the mainstream media dwell on security threats posed by diabolical hackers or info-terrorists, survey respondents say their biggest threats are still internal: 58% of companies surveyed believe one or more authorized users have abused their systems in the past year. Unauthorized users broke into 24% of the sites; suppliers or customers together accounted for only 12%. "It used to be an 80/20 rule for inside/outside threats," says PricewaterhouseCoopers' Lobel. "It's a 60/40 rule now."

Another change is the people directly involved in making security-related decisions. While security remains an IT function, some of that responsibility is gravitating toward the business side as the Internet burrows into various parts of the company, such as the purchasing and marketing departments.

"We are doing more transfer of ownership of applications and security from IT to business owners," McKesson's Villani says. For example, Villani handles security policy, but the company's VP of customer operations is responsible for applying it to the extranet.

Elsewhere, the spreading responsibility for security is causing tense relationships and ill-informed decisions. "Techies want to protect the firewall at all costs," says Roger Walters, CIO at consulting firm Booz, Allen & Hamilton. "But sales and marketing people want to underprotect. The result is general management executives have to make a decision about something they don't know anything about."

Global Risk
Security has never been the business world's most important business goal. And yet, most IT managers would consider "trust" to be a fundamental requirement of doing business on the Web, especially internationally.

On average, survey respondents rate information security a 7.4 on a 1-to-10 scale, with 10 being the highest priority. Respondents say the most important security techniques are blocking unauthorized access, establishing network security, securing top management commitment, and gaining end-user awareness. On average, most companies rate themselves a 6.9 on a 1-to-10 scale, with 10 being extremely successful, an evaluation that suggests most respondents see room for improvement.

The survey strongly suggests, however, that even if companies do well establishing these best practices, they must seek ways to do even more with their existing resources. Managing risk is now a top priority.

McKesson CIO Villani remains optimistic. "If you don't pay attention, security is going to be a problem," he says. "But if you do pay attention, you can eliminate most of the risks."

With additional reporting by Tom Stein and Karen M. Carrillo
