In a perfect world, a bit of common sense and a dash of due diligence would protect us from hackers, saboteurs and the common cold. Well, the world isn’t perfect, and we know we can never be completely secure. There is a measure of safety to be gained by following a formula of threat education, security breach prevention and risk mitigation. n "There’s no single answer," says Bruce Schneier, CTO of security consultancy Counterpane Internet Security in San Jose, Calif., and the author of Secrets & Lies: Digital Security in a Networked World (Wiley, John & Sons, 2000). "I can’t say, ’Do these seven steps and you’ll be magically secure.’" Although every organization’s security infrastructure must be unique to be effective, Schneier and other experts point to the following essential ingredients. Pay close attention to these basic security issues.

1 Establish Accountability

Companies have traditionally relegated security to IS, viewing it merely as an administrative function and expense. However, security can no longer be a closeted IT function, says Michael Assante, cofounder and chief intelligence officer of LogiKeep, a security consultancy based in Dublin, Ohio. "It’s got to be a boardroom issue and not a backroom issue. It needs to become part of a business decision-making process, looking at system survival and business continuation issues. Accountability should fall on the shoulders of the business decision makers."

As the liaisons between operations and management personnel, CIOs are uniquely positioned to champion IT security issues in their organizations, according to John S. Tritak, director of the Critical Infrastructure Assurance Office with the U.S. government. CIOs and other senior IT executives need to cultivate and maintain close relationships with senior operations, telecommunications, physical security, human resources and other executives in their organizations to develop and implement a comprehensive IT security plan.

CIOs must have the authority and the autonomy to immediately address security issues or react to breaches quickly, says the executive vice president of IT at a Fortune 500 financial services corporation. "You can’t create a ton of bureaucracy that makes it impossible for you to act or quickly react," he says. "It’s called accountability."

Some companies are hiring vice presidents of security and chief information security officers (see "Someone to Watch Over You," Page 82) to put policy, processes and methodology in place. Some are hiring chief privacy officers (see "Oh No, Not Another O!" CIO, Jan. 15, 2001) to oversee privacy issues. However, these positions must be more than window dressing, security experts say.