By John Soat
Nov 5, 2007
Who else other than the CIO? So why aren't CIOs doing more about it?
Mark Twain is reported to have famously remarked: "Everybody talks about
the weather. But nobody does anything about it."
I was reminded of that quip when I read a news story posted by my
colleague K.C. Jones about the increased awareness of security problems
related to mobile computing devices and wireless networks, and the lack
of effort to do anything about it. The story was related to the release
of a survey sponsored by an industry organization called the Computer
Technology Industry Association (CompTIA). The organization claimed to
have interviewed 1,070 organizations about their security concerns.
Sixty percent of organizations surveyed recently said that security
issues related to handheld devices have increased over the last 12
months... Still, only 32% of organizations have implemented any
security awareness training for mobile and remote workers, according
to CompTIA. Only 10% plan to implement security training in the next
How could this be? Is it a question of resources, funding, executive
support? Or is it a game of pass the buck? "That's an HR issue, not
mine," huffs the hand-wringing, head-in-sand CIO.
Yet, the proof is there that security training can be effective,
according to CompTIA. Nearly 90 percent of organizations that have
implemented awareness training for remote and mobile workers believe
that the number of security breaches theyve encountered has been
reduced. said John Venator, president and CEO of CompTIA, in a
statement. Organizations that do not train their mobile workers in
security fundamentals are doing themselves a great disservice, he said.
Security training in general doesn't seem to be a particular priority
among CIOs. In the most recent InformationWeek Information Security
Survey 2007, only 19% of the 1,101 business technology executives
contacted in U.S. cite "Educate business groups" as a key tactical
security priority in the next 12 months. In answer to the question, "How
often does your organization train employees on information security
policies/procedures?" 47% of U.S. respondents answered "Ad hoc," and 5%
said "Never." If my math is correct, that adds up to more than half of
the U.S. survey respondents training their employees on computer
security policies and procedures, uh, mostly when they feel like it.
What will it take to make computer security -- in particular, security
related to mobile computing and wireless networks-- a priority? And for
CIOs to take responsibility for it -- and do something about it?
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com