Now that security is the legal responsibility of boardroom directors it is a whole new ball game for IT.
The under-funded IT department struggling with security issues is becoming a thing of the past because it is the directors who are liable, according to Feehills solicitor Martin McEniery.
But IT still needs to have the know-how when it comes to protecting assets, and that means archiving evidence of breaches for legal and insurance purposes.
Meta Group senior consultant Michael Warrilow said the days are over of "pushing security down to IT on a limited budget".
Warrilow and McEniery outlined a six-step approach to holistic security, to avoid liability.
One step involved loss minimisation, which requires IT managers to follow protocols when collecting evidence of security breaches.
"[After an incident] system administrators have the task of getting the system up and running and getting backup tapes, [rather than] make sure they have evidence. From a legal perspective [getting the system up] is not the right thing to do. It's better to pull the box from the wall and capture information that hasn't been tampered with," Warrilow said.
"When there is an episode, if IT doesn't follow the right protocols when trawling through evidence, it can make the evidence inadmissible, which means organisations are unable to make a claim [for insurance]."
According to Warrilow, Meta Group's discussions with CIOs reveal that their top three issues are alignment, creating value from IT, and leadership, as CIOs increasingly struggle to communicate threats to the boardroom.
"Organisations chronically underspend on information security. Current spending [on security] averages 1 to 2 per cent of overall IT budgets," he said.
Warrilow also cited other Meta Group research which revealed 20 per cent of organisations "don't know or can't tell" if a security breach has occurred.
McEniery said legislative changes mean that under common law a director can be liable for inadequate governance of security. He referred to Attorney General Daryl Williams' statement in May that: "It is likely a court would apply the duty to exercise care and diligence in such a way as to require a director or other officer to take reasonable steps to ensure that a corporation operating in an online environment has reasonable e-security policies and practices."
To avoid being found liable for security breaches and for a holistic approach to security, Warrilow and McEniery outlined six areas that organisations need to focus on:
* Board buy-in -- information security has to be a board level issue.
* Adequate resources -- the effectiveness of your investment in information security needs to be measured.
* Governance -- policies covering areas such as IT usage, wireless and laptop security and change management need to be created and upheld.
* Awareness -- employee awareness is cited by most customers as a barrier to achieving effective security.
* Managed risk transfer -- organisations need to take heed of contracts with outsourcers and co-location disaster recovery sites, and review the adequacy of insurance to cover all the bases.
* Loss minimisation -- the capture and preservation of evidence needs to be part of an overall security policy.
A report by the National Association of State Chief Information Officers offers 10 recommendations to improve IT security as it relates to homeland security efforts. Among other things, the report calls for a new IT governance structure, an enterprise-IT security architecture, and the establishment of a shared and common IT infrastructure.
Written by Don Heiman, former chief IT officer for one of the states in the US, the document details current security threats such as viruses, Web server attacks and denial-of-service attacks, and is available at www.nascio.org/2001/11/securityforum011113-14.cfm.