A Computer Weekly/NCC survey of IT security professionals reveals that the biggest issues they face are not technology-related. Rather, they stem from the fact that IT has been unable to secure the buy-in of senior management to properly address IT security.
Meanwhile, a separate survey by Deloitte & Touche finds that only one in four IT directors believes that measuring and demonstrating the value of IT has a significant impact on their own success. In addition, less than one in 10 perceives themselves to be leading the development of business strategy.
A common thread running through the Computer Weekly/NCC survey is that although for many years suppliers have conditioned IT directors to respond to the word "solution" by reaching for their cheque book, the best way to improve security does not involve spending more of the budget.
Instead, it requires gathering support for the issue from the top down, with the aim of ensuring that the principles of security are understood and acted on throughout the organisation.
It also requires changing the business culture to make security a priority, for example, by conducting random audits of adherence to internal security policies and by disciplining staff who flout them. To achieve this culture change, the IT director must be able to persuade the board of the importance of the issue and the need to take action.
Which brings us back rather neatly to our second survey. How can IT directors expect to have the influence required to persuade boards to implement policies if they do not believe themselves to be strategy leaders?
They need to ensure they are perceived as not simply dealing with the operational and tactical challenges but also demonstrating the strategic contribution they make.
Perhaps the security issue represents an opportunity. By outlining the problem and espousing a cultural rather than technological change, IT directors can engage the board in a strategic discussion about technology that promises a positive return.