Is IT security pushed to the back burner?

Feb/10/2010

Due to a number of problems in organizations, IT security too often gets pushed to the back burner. After a breach happens, IT often blames management, and management often blames IT. A wise friend told me many times, “It is not about fixing the blame; it is about fixing the problem.”

The problem with data breaches is that sometimes, after the breach, it is too late to save the company. Remember the company Fly Clear? I have earned, and spent, more than 6 million miles in my frequent flyer account at a major airline. Fly Clear allowed me to bypass the lines at airport security and added a huge amount of quality time back to my family. Then, Fly Clear lost a laptop at a Northern California airport, and I got a letter about the possible breach. In the letter, the CEO said he didn’t know why they were not encrypting all the hard drives at the company to protect client data, but they would from then on. Yeah, from then on until his company closed its doors. Who wanted to give all their private security information to a company that loses it? Fly Clear did close their doors—less than a year later. This closing, and others like it, is so sad because it was likely preventable.

The Fly Clear CEO seemed angry at his IT department for not telling him ahead of time about the importance of full disk encryption—a common feeling among executives who are angry at IT after a breach. Full disk encryption is just one of the many strategies companies can use to protect themselves.

It amazes me how few CEOs and other executives have ever learned about full disk encryption—and sometimes their IT professionals have not heard of it either. I find that understandable since IT has so many specializations and, just like cardiologists do not necessarily know all about neurology, a company may not have an IT security professional on staff to make security recommendations. Come to think of it, my consulting business revolves around being that outsourced IT security specialist for companies.

For 2010, I encourage you to have some conversations with IT professionals, qualified in IT security, about the status of your IT security and what you can do to increase it.