CHICAGO – Companies must think of security as a business process and not place too much responsibility on their chief security officers and consultants, the author of two best-selling CISSP books said at the Information Security Decisions conference Wednesday.
"There's too much reliance on consulting companies to do the work for you," said Shon Harris, CEO of Logical Security. "A better approach is to make everyone in your business a little more educated on security. [Logical Security's] goal is to help companies identify where they are at, what their goals are and then get them to help themselves. Companies must understand security in their own house."
Harris, contributing author of the book Hacker's Challenge, said many companies are setting themselves up for trouble in the future because they have:
- Defined policies but no security program;
- A security program with no real structure;
- A security program with only certain pieces structured;
- A structured security program with no support from the business units; and/or
- A structured security program that is hampered by cultural resistance.
"We expect one person to integrate security into the entire business plan," Harris said. "We don't have information for business-oriented people; no road map. We're asking them to do things they don't understand. We need to grow up now. Information security is no longer a black art. It's integrated into business now and isn't going away."
Harris said the first step is for businesses to figure out who must be responsible for what. "When you figure out who needs to know what, it's easier to work out a training program," she said. "It's good to identify departments that need to know specific security details, and then you can train them in that area. That's where consultants can help."
Another problem enterprises run into: thinking they're secure as long as they're in compliance with laws like HIPAA and Sarbanes-Oxley. "You can be compliant with the laws but not have a good, holistic security plan in place," she said.
Her message hit home for many in the audience, including Gonzalo Talamantes, technical services manager of information systems for Chicago-based Oil-Dri Corp.
"People certainly don't seem to get that security is a business process," he said. "I agree on the need for a cohesive plan with different people responsible for different pieces. In my company, I'd like to see people at every level have specific security responsibilities but also be able to see the big picture."
Harris' concerns are similar to those expressed by experts at the HealthSec conference held in Boston last week. While Harris focused on companies turning too much of the security planning over to consultants, an expert at HealthSec warned that IT departments are being saddled with too much of the security responsibility.
"You can't put it all in the hands of the IT department," said Lisa Gallagher, a security consultant affiliated with URAC, a Washington, D.C.-based nonprofit that promotes health care quality through accreditation and certification programs. "We found organizations that relegated it to IT spent far too much money on technology that dealt with some issues but overlooked other tools that would have been useful."