To turn the tide on the skyrocketing lack of trust customers have toward the way enterprises protect their personal information, organizations need to instill security awareness throughout their enterprises. Security culture within an organization needs to flow from the top down: CEOs, boards of directors, and senior management need to make it clear that information security needs to be an integral part of their daily operations, and that IT security initiatives must be closely aligned with business objectives. Without senior management providing strong security governance, insiders abusing IT resources, system breaches, and careless handling of customer information will continue to proliferate at an alarming rate. Security policy can’t be static; information security policies and procedures need to be dynamic, living documents that are continuously refreshed as both technology, computing infrastructures, and business environments evolve.

In a successful information security program, all three pillars – people, process, and technology must be strong. Senior management lip-service to the importance of security, and the protection of the customer information they are entrusted to secure, no longer suffice. The continuous spate of data breaches clearly shows that simply investing in conventional defenses such as anti-virus programs, content filtering, firewalls, identity-management, and intrusion detection and prevention systems aren’t enough. Not enough attention is being placed on the other two pillars of security: people (security training and awareness), and process and procedure (security policy), and no amount of investment in security technologies will make up the difference in the equation.


According to Ernst & Young’s 2004 Global Information Security Survey, less than half their respondents provide regular IT security training to their employees. Only one-fifth of respondents believe their enterprises view IT security as a CEO-level priority. The 2004 Computer Security Institute/FBI Computer Crime and Security Survey, which queried nearly 500 organizations with arguably the most sophisticated IT security programs, revealed that, on average, all the respondents believed their organizations invested inadequately in security awareness programs. And these organizations invest heavily in many conventional security defenses: anti-virus programs (99 percent), firewalls (98 percent), server-based access control lists (71 percent), and IDS systems (68 percent). One of the most startling statistics from the survey is that even these companies fail to invest in encryption solutions, with only 64 percent encrypting data in transit, and 42 percent using encryption to protect stored files. This raises concerns about just how seriously companies take the task of protecting their own information and the information of their customers’.

Information Security Best Practices