Why IT departments shouldn't be responsible for cyber security

A guest blog post from Malcolm Marshall, partner in KPMG’s Information Protection and Business Resilience practice.

We expect cyber attacks to continue to grow in scale and sophistication. The UK’s digital economy accounts for over 8 percent of our GDP – a figure which reflects the necessity for organisations, and their boards, to treat cyber security as a priority.

The internet brings massive potential for business, but of course where there is business, crime will follow. The motives aren’t just theft, but include online espionage of intellectual property and denial of service attacks against companies.

The Government recognises this and only two months ago the Department of Business, Innovation & Skills (BIS) wrote to the chairmen of all FTSE 350 companies inviting them to undertake a cyber governance health check.

What’s increasingly clear is that cyber security should be a board-level responsibility and concern. It may be tempting to delegate cyber security strategy to IT, but to do so is to delegate responsibility for the business’s whole security, as well as that of every customer and supplier.

KPMG’s Data Loss Barometer records almost a 50% increase in hacking incidents recorded by organisations between 2010 and 2012. Our research shows that every single company in the FTSE 350 exposed data on the internet which could be business sensitive.

New technologies such as mobile devices, cloud computing, big data and social media bring real opportunities, but they also bring new risks and potential attack techniques.

Companies need to strike a balance between technology opportunity and cyber threats. Good practice such as anti-virus systems and firewalls is commonplace, but what’s required is a more nuanced, intelligence-led approach which helps an organisation to tailor its security posture to the changing threat, as well as making sure the organisation is well placed to handle the consequences of a cyber incident. This approach can only be instituted at board level.

Many of our largest clients demonstrate a sophisticated approach to cyber security, with the financial sector in particular working to counter global e-crime and the defence sector working to counter sophisticated espionage. But there is more that needs to be done to counter the threat, and that threat also impacts many other sectors where cyber security has yet to become a board issue.

Small and medium sized firms can also find countering sophisticated threats a major challenge, but they form a vital part of the supply chain and cannot be allowed to become a weak link in our defences.


1 comment

Send me notifications when other members comment.

Please create a username to comment.

So, what's the recommendation here? How does a non-IT board appropriately engage with the resources and people needed to enact a cyber security strategy? Or is this just the first step in bringing to light an issue and asking for attention to solve it? -jj