Looking back over 2007, it strikes me that it’s been a significant year for raised security awareness. There can’t be a single executive director who has not been shaken by the media headlines and the surprising political and financial impact generated by the security lapses at TJ Maxx and HMRC. Such incidents could happen to anyone at any time, because we simply don’t have the assurances in place to guarantee that personal customer data is fully protected throughout our business processes.
How should Management Boards respond to this problem? The natural reaction is to call in the auditors. They’ll advise you to budget for an expensive, end-to-end review of all customer-facing processes. And they won’t be wrong. There is no easy fix. The situation justifies a major overhaul of responsibilities, procedures and controls. The obvious alternative is first to establish an effective risk management process, to provide the logic and the supporting evidence to justify a selective response, which is easier, cheaper and more manageable.
The problem is that a selective response places far too many minor security vulnerabilities on the back burner, where they might come back to bite with a vengeance in the future. Deep-rooted security weaknesses are like a cancer. They won’t go away and, unchecked, will eventually undermine their host. The real solution is to take decisive action to identify and eliminate the deep-rooted causes of security weaknesses. We need transformation, not quick fixes.