As children growing up, we’re all taught to share. Children are told that sharing is good. They’re told that sharing makes the world a better place. In the adult world of business, however, sharing is often not encouraged. Businesses don’t share their trade secrets with their competitors. Employees aren’t likely to share what they received for raises with their coworkers. And regarding system security, sharing passwords is hardly a best practice.
However, sharing information about risk failures is beneficial to companies. So I was surprised to read that a survey by the Economist Intelligence Unit (EIU) included in a list of its findings that “knowledge about risk failures is not being widely disseminated in order to improve practices and tighten policies.”
In his blog post on the GRC Guru group on LinkedIn.com, Norman Marks, vice president and evangelist for GRC at SAP, commented on several points that emerged from the EIU survey. With regard to the lack of sharing of information about risk failures throughout an organization, Marks commented that “this is pretty much inevitable when you have fragmented risk management, and it is ‘shaming’ for executives to admit adverse incidents.”
The EIU survey also stated that “The majority of risk failures take place at the business unit level, which can lead to a tendency to address issues in isolation. More than one-quarter of respondents say that they fix the problem within the unit, outside the oversight of the wider organisation and of superiors. This suggests that a significant proportion of companies are not doing enough to share risk information and learn the broader lessons from risk failures.”
Nearly two weeks ago, however, after Alexander Polyakov, SAP security expert and chief technical officer at ERPScan, demonstrated a hole in the Java 2 Enterprise Edition engine in SAP NetWeaver, SAP immediately announced to the public its plans to collaborate with Polyakov on developing a patch for the NetWeaver vulnerability. SAP’s quick action seems to be the model for all businesses to follow.
So why does the EIU survey indicate that businesses in general aren’t sharing information about risk failures? Besides “shaming” cited by Marks, what other reasons could cause security administrators at companies to keep risk information close to their vests? I don’t have an answer, but I’d like to see what your comments are about this issue.
For additional information:
Read Laura Casasanto’s interview with Norman Marks at