Companies are struggling to cope with tighter corporate governance regimes, which might even work against the goal of achieving improved IT security they are partly designed to promote. The need to comply with requirements such as data protection, Sarbanes-Oxley, Basel II and other corporate governance reforms is tying up IT managers in red tape, according to a banking security expert. "Recent legislation is having a negative impact on risk management," said Michael Colao, director of Information Management at Dresdner Kleinwort Wasserstein.
In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. "CIOs are now relying on convoluted processes rather than using sound business judgement based on years of experience. A process is easier to defend in court than personal judgement. This means that in many cases unnecessarily cautious decisions are being taken because the CIO is focusing on their own personal liability, rather than what is best for the business," he said.
Different implementations of the European Data Protection Directive in different countries are creating a headache for multinational firms, according to Colao. "This legislation was brought in as part of the EU common market and was supposed to provide clarity and harmony across Europe. Because each country implements legislation in very different ways, the result is a very fragmented and disjointed approach which causes all sorts of problems, particularly for global organisations," he said.
Colao made his comments at the Axis Action Forum, a meeting of IT directors sponsored by RSA Security, in Barcelona this week. RSA Security said differences in European legislation highlighted by Colao were a real problem for its clients.
Tim Pickard, strategic marketing director at RSA Security EMEA, said: “The nature of implementation of EU directives in member states means that it is almost impossible for today’s global CIO to be fully compliant and is therefore likely to be breaking the law in at least one member state.”
Business managers becoming fed up with FUD
In a separate study, more than a third of the 30 delegates to the Axis Action Forum admitted that their Board had never asked for an update on security or implications of security breaches. The finding suggests widespread boardroom indifference to security issues despite the high profile security has been given in the media and by numerous industry initiatives.
Firms only take security seriously in the aftermath of attacks, according to one delegate. Part of the reason could be that business managers are becoming inured to alarmist security pitches. Simon Linsley, head of consultancy and development, Philips said: "For years we have had to go to the Board with messages that create the Fear of God. We can no longer rely on these doom and gloom messages - we have to go to the Board with solutions that add value to the business."
The Axis Action Forum attended by more than 30 CIOs, IT directors and heads of security from a range of medium to large businesses. ®