Integrating IT security into corporate culture is hard to do well but pays off in long run, study shows

Organizations that adopt "window dressing" measures leave themselves more open to data breaches over time, says security researcher.

Organizations that invest in targeted IT security measures and integrate them into their culture and processes are safer than those that routinely upgrade to get the latest and greatest technology, according to a University of Alberta security researcher.

"I'm very interested in differentiating between organizations that do things as window dressing and those that take real action," said business professor Emily Block. "With IT security there are lots of components you can announce, add, feature and layer upon each other that sends external signals to deter hackers.

"But does all that really matter? Would one that was truly integrated be enough?"

Block and her team looked at security breaches in U.S. hospitals to see whether the level of adoption of security practices kept data safer.

What they found is similar to a phenomenon illustrated by the homeowner who purchases a home security system but never turns it on, instead relying on a lawn sign that broadcasts which home security firm is protecting the property.

"Symbolic adopters-the people who buy the alarm system for the sticker but don't ever turn it on-actually have fewer data breaches than those who do it more seriously, but only in the short term," Block said.

The group argued this is because developing an integrated IT system is difficult to do well. As a result, substantive adopters of an IT security system may flounder in the early stages.

"Mistakes are made and vulnerability is exposed when you begin to deeply integrate a security system into the organizational core," said Block.

However, things change.

Sticking with the lawn-sign analogy, Block said it doesn't take long for unsavoury types to start looking in windows to see that a house is protected only by a sign.

"Essentially, time makes you more vulnerable," she explained.

In the meantime, the more substantive adopters, according to Block, get their act together.

"Employees figure out how to do it properly, they stop making mistakes, everybody remembers the password and it becomes part of their routine-IT security becomes second nature," she explained.

And that's when a steep decline in effectiveness starts to develop for the symbolic adopters.

"If you just look in the short term, you may be confused as to the value of those investments, but over the long term, the value of doing it the right way increases and the value of doing it as window dressing decreases."

Block added it's not to say symbolic adoption doesn't have any benefits. Research suggests early substantive adopters are more likely to do so for technical reasons, whereas later adopters are typically symbolic and are likely to do so for legitimacy.

"Legitimacy makes you look good. And it is a deterrent, for a while."

In the end, she said, organizations struggling to integrate new technologies into their system should not give up on the technology too quickly because there is a learning curve.

"If you introduce a new technology and you still have breaches early on, it doesn't mean the system is not working; it just means you haven't given it enough time," she said.

She added that as organizations bring in policies and procedures meant to adapt to the changing threats in the environment around them, it is important to understand the benefits and drawbacks of the ways in which you integrate these new practices, and to be realistic about how long it takes to see some value.

"We sometimes count our wins too early because we think it works, when really it may be declining because we haven't done it properly," said Block. "And we also may give up a little too early when things still need to be shown and tested."

For investors in companies where privacy is a cornerstone, a simple itemization of whether they have security measures does not paint as complete a security picture as asking how the company uses that security, Block said.

"It is important for external stakeholders, savvy investors or analysts to not take the easy measurement. If you are looking for a yes/no, you are giving organizations the ability to get credit for things that may look good, but in time are going to fade very quickly."