CIO — When it comes to digital information security, CIOs seem to heed the advice of the World War II propaganda posters that read, "Loose Lips Sink Ships." Although security is on every CIO’s mind these days, it’s certainly not on their lips.
We contacted more than two dozen CIOs to speak with them about security. While many declined our requests for an interview, several spoke with us only on the condition of anonymity. As the CIO of a financial services company explained, "Neither I nor any of my peers would want to go on record as saying we’re concerned about it and know we have flaws," he says. "Nor would we want to say we’re not concerned about security, that we have everything in place and we are bulletproof. Either way, it would immediately set us up as a target and a challenge for hackers or attacks." n Security is the one critical IT issue corporate America isn’t talking about for fear that anything that is said could be construed as an invitation to attack. Experts say this conspiracy of silence only aids those responsible for digital security breaches. n What’s the best course of action?
Acknowledge the problem, pay attention to security threats (both known and unknown), and if your company experiences a security breach, don’t treat it like a dirty little secret. Talking about it internally and sharing information externally with other IT executives and law enforcement authorities will help everyone better understand security threats and improve prevention efforts.
The fear of attack is real and valid. Every day there are new reports of security breaches. The list of companies that publicly suffered attacks last year is a literal A to Z of networked America?Amazon.com, America Online, AT&T, BellSouth, Bloomberg, the CIA, De Beers, E-Trade Securities, the FBI, Lucent Technologies, Microsoft, Qualcomm, The Republican National Committee, Slashdot, Sony Corp. of America, the University of Washington Medical Center, Verizon, Western Union and Yahoo.
These are just some of the publicly acknowledged attacks, say computer security professionals. In a recent survey by the Computer Security Institute, 90 percent of information security managers have detected breaches at their organizations. Despite this alarm, upper management?fearing bad publicity, shareholder wrath and consumer mistrust?has erected a firewall of silence around the double-headed beast of security and privacy. "Nobody wants to admit they’ve had some level of intrusion or break-in, but I can’t imagine that there’s anybody out there who hasn’t had an unauthorized access or attempt," says the executive vice president of IT at a financial services corporation. Only a handful of the companies that have had breached security or compromised data ever report it to law enforcement officials, say the FBI and security consultants.
