This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
The Red Cross has what Weischedel describes as "well-established audit functions" among various groups within the organization, each a check and balance on the other. Among other positions, the Red Cross has a chief of audit, a chief of investigations and an ombudsman, any or all of whom may touch issues related to information security.
Security is so deeply woven into the fabric of the organization that "there is a natural partnership and affinity between the things our CISO does and the other parts of the Red Cross," he says.
Organizations continue to put security on the back burner as they dive into virtualization.
The sluggish adoption of security controls in virtualized environments illustrates how security remains an afterthought in many organizations, says Scott Crawford, research director at Enterprise Management Associates.
In an EMA survey of more than 600 enterprises worldwide, only 17 percent of respondents use detective controls to monitor hypervisor security. Just 26 percent use controls to prevent potential or detected hypervisor threats.
"IT has a once-in-a-generation opportunity to integrate security into a new technology in its earliest stages of deployment, yet what this data suggests is that IT, and the business, is missing the opportunity," Crawford says.
In the absence of significant numbers of proven threats, businesses are still weighing the need to integrate security directly into virtualization initiatives, he says. "Unfortunately, this means that even with new and emerging technology, we may be back to business as usual for dealing with threats after the fact, despite the security lessons so painfully learned over the last decade."
The Red Cross and other large, established organizations have the breadth and the resources to rearrange responsibilities as business demands and the threat landscape shift. Unfortunately, plenty of other organizations continue to view information security as a technical afterthought. That bias is reflected in how infosecurity managers' duties are viewed by others within the organization.
In many cases, "we are still seeing IT focused on the primary objectives of the business: delivering services, maintaining network availability," says Scott Crawford, research director of the security and risk management practice at Enterprise Management Associates, an IT consulting firm in Boulder, Colo.
Security's role in addressing "risk management is often an afterthought, which is discouraging," he says. Crawford, former CISO at the Vienna-based Comprehensive Nuclear Test Ban Treaty Organization, says that rocky relationships between line-of-business personnel and security managers continue in many organizations.
This was first published in January 2009