Grudging compliance just isn’t enough


With hand on heart, tell me: does your organisation have a proper strategy for managing and improving security, or does it just lurch from one panic to another?

As one reader succinctly put it a while back: "Our company management has an attention span of two weeks after a security breach occurs. During that time, they are keen to approve any new expenditure on security. Unfortunately, the purchasing cycle for new systems and software is three weeks..."

If you have got beyond that purely reactive state, what has made the difference? Is it the fear of new corporate governance legislation (and a stretch in the slammer for the guy at the top) or a sincere belief in applying sensible measures to protect data?

Our main interview this month, with Jan Babiak of Ernst & Young, suggests that all the millions that have been spent on meeting legal compliance over the past couple of years have been money down the drain.

Much of the new legislation came in the wake of the Enron and Worldcom scandals in the US and was rushed into force with wide-ranging powers. With responsibility for accurate information going right to the top of the organisation, chief executives gave full rein to compliance programmes.

But it seems a huge opportunity was missed. Instead of seeing compliance as a means of improving processes, many companies grudgingly found ways of ticking all the boxes while making as few real changes as possible.

The result, according to E&Y's research, is that compliance might have been achieved, but security processes are still much the same. The chief executive is spared his porridge, but security is still patchy.

One reason for this is that in many firms the compliance function has operated separately from information security, with little or no communication between them. This means that information security is doomed to fail in meeting the company's business goals.

That impression was boosted by a discussion I chaired last month with IT people from some of the big law firms. They all gave a good account of themselves, but most admitted security was an uphill struggle, driven mainly by customers insisting on good security as a prerequisite for doing business.

That makes sense in a way – no point in doing more than you need or your customers expect – but it was hard not to get a whiff of complacency from a profession that had only recently emerged from the era of the quill pen.

With law firms handling extremely sensitive data – mergers and acquisitions, celebrity divorces, valuable patents and so on – I can't help thinking that some time soon we'll see a big security breach. Like many other industries, they need to act before that occurs. But they probably won't.

Ron Condon is editor-in-chief of SC Magazine

Copyright © SC Magazine, US edition
