"Major corporations have made serious mistakes with information security recently, resulting in spectacular failures to protect business and customer records. After years of warnings, why do so many businesses still fail to deal properly with this issue? Eugene H. Spafford, a professor of computer science at Purdue University who frequently advises government, law enforcement, and big companies, has some ideas. He spoke with technology journalist Brian Krebs for Technology Review.
Spafford: Some business management organizations simply do not have a proper IT security organization, and often that function is still kept under the company's chief information officer. When that happens, the people who deal with security are way down the line, and they don't have [access to] the CEO or the company's board. So the security function of that organization isn't funded and doesn't have the authority at a high enough level to really operate the way it should. Many IT organizations have grown up from the level of system administrators who started at the bottom of the organizational hierarchy. These typically are people with computer science and technical training, but they don't speak business. They don't always understand risk or cost-benefit analyses. As a result, they are not able to present the business case for security and privacy issues. We learned recently that Sony didn't have a chief information security officer [CISO] prior to the attacks that exposed personal and financial data of more than 100 million customers."
Full interview: Making the case for security