In the time I've been writing on information security, I've noticed a disconnect between IT, the security department (if it is separate from IT), and administration. Security-related training is inadequate. Recently, I spoke with several business executives about IT funding and asked how spending for security fit into their budget; only one said spending on security was a priority. More disturbing was the executive who told me that he would worry about security when there was a problem.
It appears I'm not the only one who has noticed this disconnect. Carnegie Mellon University released a report that stated most executives aren't involved with security on enterprise computer systems. According to an article in the Pittsburgh Tribune-Review:
The report found that a majority of companies don't have full-time privacy, security and risk executives responsible for those issues. Respondents indicated that corporate boards reviewing privacy and security issues weren't focusing on activities that would help protect the organization from high-risk situations, such as reputational or financial losses due to breaches of personal identity information or theft of confidential or proprietary information.
However, at a Bloomberg Link Boards & Risk Conference held in Washington, DC, earlier this week, security experts warned business executives that the time has come to put a lot more focus on security. Cyberattacks are happening with more frequency and every business is at risk, according to an article at Bloomberg BusinessWeek. Rachael King wrote:
Security experts such as Patrick Morley, CEO of enterprise security firm Bit9, say that attacks are on the rise. He predicts that security will move toward so-called whitelisting, the practice of defining the software that IT departments will let run on computers and mobile devices.
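The whitelisting model the quoted article describes amounts to a default-deny rule: a program runs only if IT has explicitly approved it. The script below is an added illustration of that idea and is not code from the article, from Bit9, or from any product; it approves software by SHA-256 digest rather than by file name, so a renamed or modified binary does not inherit the approval of the original. The three files it checks are constructed placeholders written to a temporary directory, and the function and label names are my own.

```python
"""Hash-based application allow-list check (added example, not from the article).

Every binary is denied unless its SHA-256 digest matches an approved entry,
which is the "define what IT will let run" model the article describes.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allow_list(approved_paths: Dict[str, str]) -> Dict[str, str]:
    """Record the digest of each vetted binary as {program name: sha256}."""
    return {name: sha256_of_file(path) for name, path in approved_paths.items()}


def check_execution(path: str, allow_list: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a binary may run. The default is deny.

    Matching is by content hash, not by name or path, so a replaced or
    tampered file never inherits the approval of the original.
    """
    digest = sha256_of_file(path)
    name = os.path.basename(path)
    if name not in allow_list:
        return False, f"deny: {name} is not on the allow-list"
    if allow_list[name] != digest:
        return False, f"deny: {name} hash mismatch (modified or unapproved version)"
    return True, f"allow: {name} matches the approved hash"


def demo() -> Dict[str, bool]:
    """Check three constructed files and return the verdict for each label."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed placeholder for a vetted program.
        approved = os.path.join(workdir, "approved_tool.bin")
        with open(approved, "wb") as fh:
            fh.write(b"vetted program contents")

        allow_list = build_allow_list({"approved_tool.bin": approved})

        # Same file name, different contents: a replaced or modified binary.
        other_dir = os.path.join(workdir, "other")
        os.mkdir(other_dir)
        tampered = os.path.join(other_dir, "approved_tool.bin")
        with open(tampered, "wb") as fh:
            fh.write(b"vetted program contents plus extra bytes")

        # Software that IT never reviewed or approved.
        unknown = os.path.join(workdir, "unknown_tool.bin")
        with open(unknown, "wb") as fh:
            fh.write(b"something nobody reviewed")

        results = {}
        for label, candidate in (("approved", approved),
                                 ("tampered", tampered),
                                 ("unknown", unknown)):
            allowed, reason = check_execution(candidate, allow_list)
            print(f"{label}: {reason}")
            results[label] = allowed
        return results


if __name__ == "__main__":
    demo()
```

Running it prints one allow and two deny decisions. The design point worth noting is the default: anything absent from the allow-list is refused, so the list has to be maintained as approved software is updated, which is the operational cost that makes whitelisting an IT-department practice rather than a one-time setting.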