The rising cyber-security risk, combined with the recent Sarbanes-Oxley law requiring companies to deliver greater information security and integrity, is forcing companies to retool operations, but it's hard for companies to make the necessary trade-offs between competing, conflicting demands for greater security, lower costs and faster operations. Mark Doll, digital security services director for the Americas at Ernst & Young, talks to CIO Insight Executive Editors Marcia Stepanek and Ed Baker about the trade-offs companies will need to make when trying to figure out the best new ways to re-engineer for security.
CIO Insight: What's the biggest security issue facing corporate strategists?
Doll: I actually don't think the largest challenges of security are technical issues. I think people have historically spent about 80 percent on technology, about 10 percent on people, and 10 percent on process. I think it should be the reverse. I think it should be more like 40/40/20. In fact, if you just took all the uninstalled security software and just tried to install it, you'd have a lot better security than you have today, because a lot of the functionality goes unused because you're trying to get an application to run quickly. Speed is one of the first things to go, or you take on more business risk, or you have a tendency not to have the time and investment on the process and training issue, and so these security tools don't get used for those reasons, either.
How much more important has it become for companies to make these trade-offs?
People want to talk about it now. Board-level people want to talk about it, the CIOs want to talk about it, CEOs want to talk about it, directors of internal audit want to talk about it more and understand where their position is, and all much more than ever before.
I think a lot has to do with the new federal regulations; a lot of it has to do with homeland security. I think recent, large virus and cyber-worm events have kind of made it a bigger issue as well.
How much of this new awareness is due to CEOs reading scary articles in The New York Times? Isn't corporate security really just a matter of how many locks you want to put on your door, how inconvenient it is to have to turn all those locks every time you want to go in and out, and how expensive it is to install those locks?