IT security policies too fragmented

UK organisations are wide open to network breaches because responsibility for security is still too fragmented.

IT services company Synstar said that the role of chief security officer (CSO) is key to ensuring that the subject is taken seriously, and that policies are put into practice rather than stuck on the shelf and ignored.

Jason Hart, head of security at Synstar, told vnunet.com: "It's always the IT department pushing security to the business, but it's a bigger issue than just IT security.

"It's a business issue. A lot of boards don't understand why someone would want to hack into their systems. They don't realise the potential effect on their share price or reputation, for example.

The CSO role demands an understanding of technical, business integrity and availability issues, as well as the financial and operational impact of a security breach.

"You need someone who's been exposed to all areas of the business, can take the message to the board and be an interface to all parts of the business," said Hart.

He added that companies also need to view internal security threats in the same light as external ones.

Research from the Department of Trade and Industry published in April found that 60 per cent of security breaches are internal.

And, while interest in the BS7799 framework for implementing security policy is gaining momentum, Hart warned that it isn't enough to safeguard a business.

"It's a fantastic starting point, but it's only a framework and you need to add a lot more to it. Unless it's managed, it won't solve your problems. People tend to put it on the shelf until it's time for their next audit."

Fear of security breaches and growing regulatory requirements are driving growth in the proportion of IT spend dedicated to security, according to analysts.

"Companies are spending a lot on IT security but it won't solve your problems unless you have policies and procedures in place, that are managed, maintained and continuously renewed," Hart said.