Execs Must Back Security Compliance

Executives need to be proactive to bring their organizations into compliance.

What do eating Big Macs, smoking tobacco products and driving while drunk have in common? They can kill you. But that doesn't stop millions of people from engaging in these activities anyway.

Despite warnings, people simply don't listen.

When it comes to information security, corporate executives are the same. Many CEOs, for example, are not the least bit risk-averse. They don't listen to negative comments about their business strategies, and they won't listen to serious concerns about network vulnerabilities. This is especially true when it's described in such mundane terms as internal thievery, negligent governance or mediocre firewall design.

There are plenty of other security vulnerabilities that are commonly ignored. These include: TCP/IP that has not yet been upgraded to IP Version 6, most wireless networks and overseas outsourced programmers.

While earnest warnings too often fall on deaf ears, the looming requirement to comply with new regulations may have far greater success. Be it HIPAA, Gramm-Leach, the California law SB 1386, Sarbanes-Oxley, Basel II or scores of other regulations pending, regulation is placing information security on center stage. While holes in Kerberos, SSH and Windows XP never got a CxO's attention, there is something about handcuffs and jail time that is attracting their notice. Just as Martha Stewart is now a poster girl for insider information, it will only be a matter of time before we find out who will be the poster boy for poor information security regulatory compliance.

From a computer security perspective, Section 404 of SarbOx centers around the internal security controls of an organization and how effective they are. If these controls adversely affect financial reporting, the person signing the financial attestation statement may find themselves in a federal penitentiary.

California SB 1386 was created to protect consumer information from inappropriate disclosure. In the event of a computer security breach in which confidential information of any California resident may have been compromised, SB 1386 requires notification of that event. Those who fail to disclose that a security breach has occurred could be liable for civil damages or face class action lawsuits.


Executives must be proactive to bring their organizations into compliance. The regulations are not rocket science; they simply require attentiveness and perseverance to attain fulfillment. Executives must also be prepared to get out their checkbooks, as compliance is not cheap. But compliance is much cheaper than the long-term penalties, negative publicity and potential jail time. Just ask Martha Stewart.

Ben Rothke is a New York-based security consultant with ThruPoint Inc. McGraw-Hill has just published his book "Computer Security: 20 Things Every Employee Should Know." He can be reached at brothke@thrupoint.net.

Free Spectrum is a forum for the IT community and welcomes submissions at free_spectrum@ziffdavis.com.
