Executives Not Leading the Security Table
What are the most pressing things facing IT over the next 12 to 18 months? According to a study from ISACA, an organization based around technology management certifications for IT governance and security, regulatory compliance topped its list. Close behind compliance were general IT management and IT governance, as well as security management.
It's not that surprising that compliance, governance and security topped the list given that the study gathered its findings from 3,173 members of ISACA (which has a much larger base of 86,000 members). A hefty chunk of those surveyed (41.3 percent) have primary job responsibilities in audit and assurance, while IT management (32.7 percent) and security management (26 percent) made up the rest. But this doesn't mean there aren't a few kernels of useful information in here simply because you asked a group to hold a mirror up to itself.
Senior managers, listen up: The most interesting finding from this research is on security and your apparent disinterest in it.
Your team members don't think you are involved enough in security management. Seventy-nine percent of those polled say that there is a "lack of top management involvement in setting the direction and objectives for information security" (30 percent "somewhat important" combined with 49 percent "very important").
I know we and every other technology site out there regularly point out how much security is ignored and we continuously bring up the well-publicized and embarrassing public debacles that happened at TJX, Choicepoint and others. They are good media stories, but they are harmful to IT careers.
As former Baseline editor in chief Larry Walsh pointed out back in December, reputational losses for these companies don't mean squat because consumers generally want to keep consuming (when they have the dough). It's the IT people and their jobs I worry about. At least with TJX this week, the criminals got their justice, but what about the senior IT people who had to explain why they should keep their jobs after being had like that?
Much like the career of Brett Favre, I think that some security risks are overhyped (this should get me in trouble with some football fans... Go Jets?) because most companies with your skilled IT management guidance are on top of it. But when you see this study from the actual people who manage security, compliance and risk say that their management isn't involved enough in security, you take notice.
We know from our analysis of Web traffic and the insane abundance of security products and vendors that security is a big business, and so it needs its beat writers, bloggers, consultants and certifications. Security is an incredibly complex issue, and it gets more complex the larger a company you are and the more customers you need to make your business thrive. But the actual management of security within businesses seems like it might be more disconnected than all the technology and new schemes being invented every few months by well-organized hacking organizations.
Is it that senior managers have too many financial issues to deal with and have to always be driving costs down? Are there not enough chief security officers? Are CIOs overburdened with ROI and consistently treat security as a maintenance issue and not central to the health of a business?
Despite my initial skepticism about the overall goals of the research (and let's be clear: they want you to have their flavor of certifications), what can be garnered from it is a sizable sampling of the IT landscape and where they think budget money should be spent for 2009. Also, it's a way for the group to say "these issues I deal with regularly are the important ones." This research did not ask explicitly what things are being funded, but rather captures the perceptions of what will have an impact on the job (and perhaps the things listed in the study won't be funded or actually managed at all).
Tell me what you think, please.