Sunday, December 03, 2006

Lean on Me

From the Sarbanes-Oxley Compliance Journal comes this succinct and clear take on the drivers for IT security--- it's the compliance, stupid:

When strict regulations were first implemented, many IT professionals saw the legislation as an opportunity to demonstrate the important link between IT practices and standard business operations. However, the reality of the situation is that regulation is bogging down already overburdened IT resources. In today’s heightened cyber-threat environment where IT resources are already constrained, organizations face tremendous pressure to maintain compliance with the variety of complex regulations, and many IT departments are feeling the pinch.

A November 2005 survey by Ernst & Young stated that nearly two-thirds of its 1,300 respondents claimed that regulatory compliance is the primary driver of information security at their companies, ranking ahead of other critical missions such as protecting against security threats and meeting business objectives. It is not surprising that compliance ranked so important among the survey respondents. After all, even the most minuscule non-compliant decision can become the weak link to a data breach that threatens a company’s brand integrity and consumer confidence.

The data breaches that have dominated the headlines recently should make every IT manager take notice. According to Privacy Rights Clearinghouse, more than 210 publicized breaches have affected more than 55 million customers since February 2005. Those numbers are alarming, but the cost of notification is more so, with notification cost projections running from $10 to $35 per customer. Combining the hard costs of notification with the decline in shareholder and consumer confidence – where some studies show a five percent market cap decline in addition to a 10 to 12 percent decline in consumer confidence immediately following a breach – can produce devastating effects on an organization.

From one angle, it doesn't matter to me from where the driving force for IT security comes. That companies are paying attention and doing something about the potential company-destroying vulnerabilities that until recently were given only lip-service is a giant leap forward.