CIO — Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company’s firewalls. They did a good job limiting the damage, but it took two days?two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. "We want to be in a safety zone that doesn’t require that kind of immediate mobilization," he says.
That’s why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganizing and reassigning IT people to security. "Good security equals prevention, detection and reaction," says Saul, who is based in Schaumburg, Ill. "If you’re not going to staff to make the process work, then your exposure to security breaches is higher."
That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 percent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 percent of those respondents acknowledged suffering financial losses.
In fact, there’s no limit to the damage evildoers can inflict. Sept. 11 proved that. In this environment, many people believe that it’s sheer madness to have an IT staff handling information security on an ad hoc basis. "It’s a hard-and-fast rule, in my opinion," says John Hartmann, vice president of security and corporate services of Cardinal Health, a $47 billion health-services provider in Dublin, Ohio. "If the two roles are shared, business priorities will drive security to a lower priority."
Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company in Princeton, N.J., disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organized into a team?as his are?carrying out a coherent security program that sets out specific responsibilities and requires regular meetings.
A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.
Finding skilled security professionals to carry out this mission can be tough, and the alternative?training in-house IT staffers who are security novices?can be costly and time-consuming. (Outsourcing security is another option. To read a cautionary tale about the pitfalls of outsourcing security, check out "Exposed," at www.cio.com/printlinks.) But whichever route you choose, here are some ways to enhance your chances of success.
