Tuesday 6th January 2009

Latest IDC Report underscores the need for Policy Communication

You might think that Information Security is the responsibility of everyone in the organisation and that most employees apply common sense when using their corporate desktops. Not according to the recent third annual Global Information Security Workforce Study, sponsored by security certification organisation (ISC)² and carried out by IDC. According to the report, organisations have ignored the role of human behaviour and have instead placed their trust in hardware and software to solve security problems.

The “elephant standing in the room” for most organisations is that everyone knows the vast majority of Information Security failures arise from the foolishness of their own employees. This new report highlights the fact that a successful Information Security approach is as much about people and processes as it is about IT products like intrusion detection and firewalls.

There is also the problem that most organisations have only minimal mechanisms in place for communicating policies. These take the form of emails or the intranet for deploying the company handbook and policies. In some cases companies still chase their staff for signed policies, thus wasting untold time and money. Any realistic assessment of these methods will confirm their weakness in the face of legal or regulatory scrutiny.

The IDC report ranked the factors affecting Information Security professionals’ ability to properly protect and secure the computing infrastructure and its resources from breaches, misuse and abuse. The two most important factors were:

  1. Management support of Security Policies
  2. Users following Security Policy

There was unanimous acknowledgement from professionals in the report that “technology is only an enabler, not the solution, to executing a sound security strategy and supporting well-defined and well-articulated risk management program where everyone shares responsibility”.

 
 
 

"Experts estimate the process of writing IT Security Policies can take 3-6 months, with no guarantees that policies will continue to cover all aspects of the changing regulations that govern IT security."

Judith O'Connor, CEO ECMP
 
 
 

Copyright Baronscourt Technology, © 2009. All Rights Reserved.