
Image adapted from Jon McGovern on Flickr.com (http://www.flickr.com/photos/jonmcgovern/2673202881/)
Recently, I had the pleasure of being involved in a large survey on how international organizations treat privacy and data protection. The opinions of many consumers around the world were also taken into account, which resulted in an interesting mix of views. One of the most surprising outcomes of the survey to me was that well-organized countries in particular, such as the Netherlands and Belgium but also the US, scored relatively high on having lost privacy-sensitive data.
On average, about 58% of organizations around the world admitted to having lost customer data. But in countries like Belgium, the Netherlands and the US the percentage was above 70%, which is surprisingly high given that many of these organizations say privacy is important to them and that they believe they have a good security regime in place to safeguard their critical data. About 80% of companies in these countries say they feel they have adequate security measures. So apparently there is a mismatch between intent and actions. Clearly, good intentions are not enough!
Analyzing this a bit further, the mismatch seems to lie between the good intentions of the people who make security policies (and who responded to our survey) and the people who actually carry out the work: incidents have occurred even in organizations that stated very good intentions. This underlines once more that having a security policy setting out good security intentions is not enough. The security policy needs to be translated into a security culture that ripples down from the top of the organization to the people at ground level who deal with information on a day-to-day basis, making sure that these good intentions are actually transformed into actions that protect sensitive data.
Another interesting (or should I say "shocking"?) fact coming out of this survey was that quite a high percentage of the respondents who reported having lost data had lost it on multiple occasions, so not just once but several times. This is an indication that organizations do not learn from these mistakes, or find it hard to take the lessons on board after an incident of data loss. And again, that probably has to do with the fact that the policy makers are aware of the incidents but find it hard to translate them into tangible actions that can be executed on the floor and become part of the corporate culture.
So the real challenge for security professionals is not having a good security policy; it is actually transforming that security policy into a culture of caring: caring about information protection.