Corporate governance goals impossible - RSA

R.A. Hettinga rah at shipwright.com
Fri Nov 5 07:01:10 PST 2004


<http://www.theregister.co.uk/2004/11/04/rsa_redux/print.html>

The Register


 Original URL: http://www.theregister.co.uk/2004/11/04/rsa_redux/

Corporate governance goals impossible - RSA
By John Leyden (john.leyden at theregister.co.uk)
Published Thursday 4th November 2004 16:43 GMT

Companies are struggling to cope with tighter corporate governance regimes,
which might even work against the goal of achieving improved IT security
they are partly designed to promote. The need to comply with requirements
such as data protection, Sarbanes-Oxley, Basel II and other corporate
governance reforms is tying up IT managers in red tape, according to a
banking security expert. "Recent legislation is having a negative impact on
risk management," said Michael Colao, director of Information Management at
Dresdner Kleinwort Wasserstein.

In some cases, the law has made IT managers legally responsible for
adherence to corporate governance rules. Colao says that this may not
necessarily be a good thing. "CIOs are now relying on convoluted processes
rather than using sound business judgement based on years of experience. A
process is easier to defend in court than personal judgement. This means
that in many cases unnecessarily cautious decisions are being taken because
the CIO is focusing on their own personal liability, rather than what is
best for the business," he said.

Different implementations of the European Data Protection Directive in
different countries are creating a headache for multinational firms,
according to Colao. "This legislation was brought in as part of the EU
common market and was supposed to provide clarity and harmony across
Europe. Because each country implements legislation in very different ways,
the result is a very fragmented and disjointed approach which causes all
sorts of problems, particularly for global organisations," he said.

Colao made his comments at the Axis Action Forum, a meeting of IT directors
sponsored by RSA Security, in Barcelona this week. RSA Security said
differences in European legislation highlighted by Colao were a real
problem for its clients.

Tim Pickard, strategic marketing director at RSA Security EMEA, said: "The
nature of implementation of EU directives in member states means that it is
almost impossible for today's global CIO to be fully compliant and is
therefore likely to be breaking the law in at least one member state."

Business managers becoming fed up with FUD

In a separate study, more than a third of the 30 delegates to the Axis
Action Forum admitted that their Board had never asked for an update on
security or implications of security breaches. The finding suggests
widespread boardroom indifference to security issues despite the high
profile security has been given in the media and by numerous industry
initiatives.

Firms only take security seriously in the aftermath of attacks, according
to one delegate. Part of the reason could be that business managers are
becoming inured to alarmist security pitches. Simon Linsley, head of
consultancy and development, Philips said: "For years we have had to go to
the Board with messages that create the Fear of God. We can no longer rely
on these doom and gloom messages - we have to go to the Board with
solutions that add value to the business."

The Axis Action Forum was attended by more than 30 CIOs, IT directors and heads
of security from a range of medium to large businesses.

Related stories

UK corporate governance bill to cost millions
(http://www.theregister.co.uk/2004/09/08/companies_bill_it_costs/)
Hackers cost UK.biz billions
(http://www.theregister.co.uk/2004/04/28/dti_security_survey/)
IT voices drowned in corporate governance rush
(http://www.theregister.co.uk/2004/04/22/it_in_corporate_governance/)
Big.biz struggles against security threats
(http://www.theregister.co.uk/2004/10/27/netsec_security_survey/)

© Copyright 2004

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




