Managing information security

DISCLAIMER: All opinions in this column reflect the views of the author(s), not of EURACTIV Media network.


“Protecting proprietary information is becoming ever more important. To do so, many companies are looking beyond technology, and their technology managers.”

The McKinsey Quarterly, 2002 Number 2

Policy relevance:

On 23 April 2002 the Commission adopted a draft Council framework decision on “attacks against information systems”. Member States should implement this Decision by 31 December 2003. The Commission should, by 31 December 2004, submit a report to the European Parliament and the Council on the operation of the Decision, accompanied where necessary by legislative proposals.

Main conclusions:

  • Attacks on corporate information systems by hackers, viruses, worms, and the occasional disgruntled employee are increasing dramatically, and costing companies a fortune;
  • Because of concerns about negative publicity, almost two-thirds of all incidents probably go unreported;
  • Most companies continue to view information security as a technological problem, calling for technological solutions;
  • Some companies are hiring a chief security officer (CSO), who works with business leaders and IT managers to assess the business risks of losing key systems and to target security spending at business priorities;
  • The role of information security, and therefore of the CSO, varies by industry, the value of the company’s data, and the intensity of the regulatory requirements it faces;
  • Today, most business leaders pay as little attention to the issue of information security as they once did to security;
  • In a networked world, however, companies at risk can no longer dismiss hackers as “merely pesky trespassers” who can be kept at bay by technological means alone.
