'CEOs know nothing about security'

The fourth European IT security conference opened in Amsterdam yesterday - with a damning indictment of CEOs who fail to understand the value and the costs of security.

While cyberterrorism and other fad-threats haven't turned out to be pose the risks which many experts had predicted, the number one source of tech threat remains inside a business itself - its staff and its internal processes, according to Arjen van Zanten of KPMG's risk management business.

He claimed there still exists a cultural barrier between IT departments and the board.

"The board of directors don't understand anything about security," he said.

Tom Scholtz, VP of research firm Meta Group, replied "but the heads of IT, and above all those in charge of security, aren't up to the job of reassuring them", in the course of a roundtable on the value of security.

Just a few years ago, IT security was considered a restriction on businesses. Like putting the brakes on a vehicle only has one result: it slows down how fast you can go. Today, luckily, it's considered as a sign of confidence and people realise that using the brakes actually helps you go to faster.

That rather convoluted metaphor comes courtesy of Art Coviello, CEO of RSA Security, speaking at the Amsterdam conference.

For RSA and other security vendors, the problem is to convince business bosses that knowing how to safely conduct business over the internet is about more than knowing how to guard against attacks or malware targeting their IT systems.

Jerome Thorel writes for ZDNet France