How Do You Get A Client To Do Security Right?

At a time when it seems no one can escape warnings about securing corporate information infrastructures from potential cyberattack, organizational complexity gets in the way of better security practices, according to a global survey by The Ponemon Institute and Citrix Systems.

The survey on IT security infrastructure, released this week, found that 83 percent of businesses – about five of every six – believe they're most at risk because of organizational complexities. "Employees are not following corporate security requirements because they are too difficult" to allow them to be productive, and policies get in the way of their ability to work the way they want to, according to a statement from the two organizations.

Ponemon and Citrix also cited the rise of "shadow IT," a part of the organization, outside the corporate IT organization, that makes technology policy and purchasing decisions. Employees embrace shadow IT because they "want easier ways to get their work done."

The survey result is not a surprise to Matt Johnson, CEO and president of Phalanx Secure Solutions, a security solutions provider based in Baltimore.

Johnson said organizational complexity and politics "always" get in the way.

"The IT director wants to do Plan A, but the board wants to do Plan B, and the employees want to do Plan C," Johnson told ITBestOfBreed.

The best way to break through that, Johnson added, is through the IT organization since it "generally makes all the decisions at the end of the day."

Outside IT, Johnson said his people will tell a company's board and upper management to let the IT people lead on security, and "don't try to get involved if you don't know what you're doing."

Stelios Valavanis, founder and president of onShore Networks, a managed security services provider based in Chicago, believes businesses need to focus on crafting solid security policies first. Organizational complexity can get in the way, he concedes, but shouldn't be used as an "excuse" to avoid getting tougher on security.

Also, a business can clamp down or restrain shadow IT, "but organizations need to be flexible," Valavanis said. "There are things they can do" on the policy side, he said, adding: "It's all addressable and it's not hard, expensive stuff."