Richard Clarke on Security Policy
Clarke, the former White House special adviser for cyberspace security, says neither the public nor the private sector has done enough to protect the nation’s telecom and information technology systems against terrorist attack. The critical factor for companies: articulating a clear security policy and sticking to it.
Jonathan Zittrain on Trade-Offs
Harvard Law School professor Zittrain says the law of diminishing returns applies to corporate IT security. CIOs should present security to the business side as a business case: How much security are you willing to pay for?
Marc Rotenberg on Privacy
Rotenberg, executive director of the Electronic Privacy Information Center, warns that we are building an architecture of electronic surveillance that may be hard to dismantle after the policies put into place following Sept. 11 expire in two years.
Bruce Schneier on Backlash
Security consultant, cryptographer and author Schneier says that every day we face invasive, pointless and simply annoying procedures supposedly designed to protect our security. Do we have any recourse?
Trends: Re-engineering Redux
By Marcia Stepanek
In the 1980s, companies re-engineered for globalization. A decade later, they retooled to incorporate the Internet into sales and operations. Now companies are beginning to restructure themselves again, this time to bolster security amid rising new threats from cyberspace and new demands from Washington for information security. Executive Editor Marcia Stepanek, reporter Debra D’Agostino and freelance writer Erik Sherman take a look at the state of corporate security two years after the World Trade Center attacks, size up the research and talk to dozens of experts, CIOs, CSOs and business leaders to see what it takes to win the war against cyber-crime. Can we keep up the fight amid budgetary pressures, a lack of cohesive security strategies, an explosion of software security holes and the rapidly rising sophistication of would-be attackers? Some companies, such as Motorola and Bank of America, say yes—but even they’re having a tough time of it. Also featured are a sidebar on the sometimes rocky relationship between the new corps of CSOs and the CIOs they work with, and a discussion of the difficult trade-offs some companies face when seeking to boost their overall security.
Whiteboard: How to Improve Your IT Security Policy
By Gary Lynch and Karen Avery
Most CIOs have security policies, but few can claim they work. Ignorance, resistance, inconsistent execution and poor enforcement are leaving companies vulnerable. How can CIOs make their policies more effective, and win the active support of management and staff? Gary Lynch and Karen Avery of Booz Allen Hamilton show how to use the Six Sigma method, pioneered by the quality movement, to overcome these problems. This whiteboard also can help CIOs identify whether their new policies are having an impact.
Research: Managing Security
By the editors of CIO Insight
More than 90 percent of the 606 IT executives surveyed for this month’s CIO Insight survey claimed their domestic security measures are adequate, yet more than 40 percent of these same executives expect their spending on IT security to rise. Meanwhile, the percentage of companies with information security and business continuity plans has not increased significantly since a year ago—it’s still hovering at about 80 percent and 75 percent, respectively, and IT executives still complain about the difficulty of educating employees about security and enforcing security policy. Clearly, the results are mixed. But now more companies are taking a rational, risk-management approach to security.
Strategic Technology: Complying with Sarbanes-Oxley
By Gary A. Bolles
In the 12 months since the passage of the Sarbanes-Oxley Act in July 2002, corporations both public and private have been put through a wrenching exercise in self-examination, and it’s not over yet, says Contributing Editor Gary A. Bolles. However, the role of information technology in improving the accuracy and guaranteeing the integrity of financial reports remains hazy. Companies must put more time into defining and refining how their business processes feed into their financial reports before they throw more technology at the problem. CIOs must first make sure they understand the reporting process clearly enough to be able to attest to the accuracy of their systems.