Clueless executives put firms at security risk

A recent McAfee report states that only 22 percent of data center managers felt senior management is aware of their respective organization’s security measures and risk preparedness.

The key findings of the 2011 Data Center Security Survey, conducted by Gabriel Consulting Group (GCG) on behalf of McAfee, essentially say “management is ripe to be blindsided by a security breach,” according to Dan Olds, Principal Analyst at GCG.

What compounds the problem is that many companies, according to the survey, use as many as seven vendors for their security in the data center. With so many cooks running around in the kitchen, visibility, cause and effect, and full security audits are often difficult.

There is a false sense of assurance with so many vendors and products when in reality more complexity introduces the opportunity for risk. Sounds like an argument for a more holistic approach to security process and preparedness assessment.

And in fact the report author foresees the same need: “customers will be looking for security solutions that solve multiple problems, are easily integrated, and reduce IT management and maintenance labor. To me, this argues against customers having a slate of different point products, all of which have to be configured to work together, all of which have different tools and consoles, all of which have varying levels of customer support. In this environment, customers will be more likely to look for multi-function solutions that provide great protection, but also reduce complexity and management.” Dan Olds, GCG

Other interesting findings in the report include:

  • 40% of the data centers surveyed said that their day-to-day operations don’t conform to the security standards required by their policies
  • 60% said that management believes their data center is more secure than it really is
  • Respondents said that their management saw security as an expense item that doesn’t provide a financial return. As one respondent put it, “Security is only an issue to management when there is a problem – otherwise, it’s still a ‘why are we spending all this money’ question in budget meetings.”
  • Cost of security breaches. The biggest cost to the business side was additional money they had to spend for compliance and legal costs. On the IT side of the ledger, the biggest cost to the data center was lost productivity – with many breaches taking four weeks or more to remediate and almost half of the breaches using 50% or more of their IT resources (labor and time)

The results of the McAfee study remind us of the similar conclusions reached by PwC in its annual Global Information Security Survey. In that report the bliss of ignorance was on mighty display. The report stated 43 percent of those surveyed believed their organizations qualified as “leaders” in how their security was implemented, when in fact less than 5 percent of the organizations actually qualified as “leaders.”