Security Blog

Your source for information security news and views.

The chaos resulting from the economic disaster in our financial system and the ensuing rush to spend money to stimulate economic growth has left information assurance and IT security side-lined. 

Most organizations are trying to understand the new business conditions before they allocate budgets for IT. At the same time, an increased focus on risk management is tying up critical management resources. Much of the current work will prove to be tedious bureaucratic process with little true economic impact. There is simply too much focus on "grand unifying methodologies".

In the midst of these conflicting initiatives, there are several clear critical points on which new strategies must be built.

First, the economic collapse was rooted in information assurance. The failure to have transparency in derivative contracts was an information integrity failure. Alan Greenspan and both political parties, along with our major regulators, all put phenomenal faith in counterparty surveillance. The idea was that the financial system could not load up with lousy or fraudulent transactions because there is always a counterparty to every sale. Somebody is putting money at risk, and they are the most obvious party to regulate the risks they accept. The buyer and seller had strong vested interests in making sure that their contracts were secured. What lender would want to expose their money to investments that were likely to fail?

However, they did make these investments and they did lose billions of dollars. The failures were systemic. That is, the overall processes and governance failed us. Systemic failures always require systemic solutions, and it is inevitable that a new array of government regulations and oversight will be applied to the financial industry. To this, we can add the auto industry with billions of unfunded pension liabilities and the accountants who missed all of this. So, our first guiding principle is that every organization should be preparing itself for a vast new array of regulations that will have profound impact on the enterprise. This means substantially more information processing for everything from car loans and mortgages to operational accounting and reporting. 

Mark-to-market as an accounting principle suggests that financial assets be adjusted to reflect their current market value. This can only be done through a massive amount of readily available economic information. What we should think about is Sarbanes-Oxley on steroids. We should also realize that with all this new regulation there will be more vital and strategic information to be protected, so we might think of it as Sarbanes-Oxley² plus a healthy dose of PCI and HIPAA, more data with more data loss protection. 

The winners will be companies that design, develop and deploy appropriate information processing systems with adequate security and risk analysis so that they can be both more secure and more compliant. That's a big upside opportunity for information security.

Second, it's funny that over the last year, in our surveys of executives from our flagship seminar series, Strategy to Reality, regulatory compliance was consistently listed as one of the serious risks confronting an enterprise. While compliance is meant to provide assurance that we are mitigating risks, it has become a threat in itself. Healthy organizations must begin now to harmonize their compliance processes with actual threat mitigation. This is the second principle, and we'll talk about it in another posting.

Third, an economic stimulus for the enterprise will likely include investment incentives. The Obama administration has already outlined that improved information technology in healthcare will be one of the targeted infrastructures. We're seeing a more generalized theme emerging where the stimulus package for infrastructure is not our old conservation corps building parks and planting trees but, more likely, a modern cyber structure providing greater information technology resources to schools, hospitals and governments. While there certainly is far more we'll be discussing in these areas, the key point is that the last thing a troubled economy needs is more risk and uncertainty. Winners and losers are always pronounced during periods of economic volatility, and we can be certain that this period will be no exception. 

We believe information assurance and IT security will be vital industries in the new economic order!

Tell us what you think.