Staying true to the real risks facing organisations is
not easy for infosecurity managers, especially with a mountain of
diversions competing for their attention. Even covering the basics
is not as straightforward as it should be.
Scare mongering, distracting supplier solutions and media hype
can all lead their attention away from their companies' unique
security needs, experts warn.
They can also find themselves snapping to attention at the
latest data leak headlines of the day, even when those incidents
pose no risk to their particular organisation.
Also, enthusiastic suppliers offering gourmet technology can
gobble up infosecurity managers' budgets to the detriment of bread
and butter security essentials, even more so in the current credit
crunch.
Steering clear of fashionable technology solutions, which may
not prove to be perfect problem solvers, is good advice, especially
in the crowded IT security market.
All hype
"There are always about 800 companies in the IT security
sector," says Gartner research vice-president Jay Heiser. "There
have always been far more than needed. They are always coming into
existence and either disappearing or consolidating. It is an area
with a lot of innovation, but some stuff does not work. However,
there are some areas where there is a lot of success, such as
identity and access," he says.
Heiser warns that some emerging technologies, such as data loss
prevention software, have yet to fully mature, and firms should be
sure of what they need before buying. "Data loss prevention
software works but it has not reached its potential," he says. "It
is not working perfectly for everyone. The software does function
but you need to be motivated to use it."
Lloyd's Corporation's manager for information protection and
continuity, Marcus Alldrick, says he has seen early adopters get
stung in the past. Before intrusion detection software reached its
potential it was too hot to handle, he recalls.
"There is often over hype, especially with technologies that
have not reached maturity," he says. "Ten years ago, people were
deploying IDS and suffering from overload. You need to go in with
your eyes wide open when buying and ask yourself: 'do I need a
Bentley or a Volkswagen?'
The issue is that technology and the marketing behind it is very
seductive. Suppliers are saying their solution is the silver
bullet, but it is not."
PKI was another solution that was swept up in a storm of hype,
according to Alldrick who spoke at Misti's chief security officer
summit in Geneva in December.
"PKI was the 'in' technology in the run up and during the
dot.com boom, overhyped by the suppliers and promising so much," he
says. "Although it provided a solution, it was never really
challenged at the time by the players who invested heavily in
implementing it. If ever there was a case of minds being clouded by
being de rigueur, this was it.
"It became the classic example of providing a solution
regardless of whether there was an actual problem and a
commensurate business case that justified it and its considerable
expense."
The bare necessities
But after cutting through the marketing fluff, what are the bare
basics that should remain in place to defend any organisation?
Needless to say, these fundamental controls lack the glamour of
innovative new IT kit. But experts believe they will help guide
infosecurity teams through the downturn.
Alldrick recommends getting priorities straight. "Mandatory
initiatives and activities should take precedence over aspirational
ones," he says. "It is just about going back to good risk
management. It is a case of recognising the critical assets and
knowing how to protect them. Every company is different, so each
one has to decide what the priority is.
"To stay on the right track, especially given the constraints in
the economic downturn, I would recommend an examination of an
organisation's risk profile and blending of the most cost-effective
controls to minimise risks around critical assets."
Heiser also advocates risk management, but adds that the
business needs to be on the same side.
"There is a lack of teamwork and the security people need to get
behind the business people," he says.
Paul Hansford, a member of the BCS Security Forum Strategic
Panel, says information security managers should defend risk
management investment vigorously to business managers during this
economic gloom.
He says, "The basics of security are about assessing the
management of risks and not flinching on jobs that are staff
intensive. It is not just about ticking a box and installing a 'fit
and forget' solution. And you need to assess this regularly. There
could be a temptation to say, 'nothing has changed.' If you buy a
firewall, you know what you are paying and what the firewall does.
But if you employ a risk management consultant you may be asked:
'how do we know we are getting value for money?'"
Back to school
Business continuity, training and awareness are also essential,
says Hansford.
"Companies can be tempted to overlook these," he says. But he
points out the importance of security awareness in preventing the
breakdown of processes, which was the prime cause of recent high
profile UK government breaches.
It came to light in early November that an IT analyst from
computer management firm Atos Origin left a memory stick in a pub
car park containing confidential pass codes to the online
Government Gateway system. The memory stick was found, but passed
on to the Daily Mail newspaper, which had a security expert examine
its contents.
The government temporarily shut down the online Government
Gateway, while it examined how the memory stick went missing.
The UK government experienced another embarrassing memory stick
blunder just a few months before. The mistake led the Home Office
to end a contract with PA Consulting after it lost a memory stick
containing data on 84,000 criminals. PA Consulting blamed an
employee for the debacle.
"The loss of data on this project was caused by human failure,"
said a company spokeswoman in a statement.
"A single employee was in breach of PA's well established
information security processes."
But the blame game did not save the contract and the company
still had to bear responsibility for the employee actions.
"In both of the breaches involving Atos and PA Consulting, there
was a breach of process," says Hansford. "And most of the recent
breaches have involved people making mistakes. The only way around
that is educating them. If you do it properly it will cut the
number of breaches."
And there is little excuse for shirking awareness training. You
do not need to spend a lot to make an impact, says Alldrick. He
points to Microsoft's website, where there is a plethora of
security awareness advice.
"You can go sophisticated or simple. It is essential, but
awareness is often one of the first things to go, as return on
investment is difficult to measure. There are sophisticated
internet tools available to promote awareness but a poster campaign
or a 20 minute course can be just as effective," he says.
Educating managers should be a key focus of any awareness
campaign, believes consultant Wendy Goucher of Idrach.
"Managers are often the people promoting insecure working," she
says.
"They often say, 'do this work at home' and claim they do not
have budgets for USB keys. It is important to raise awareness among
higher level employees."
Of course, no organisation wants an employee's forgetfulness to
cost it a heavy fine or a contract, as in the case of PA
Consulting. Every organisation dreads a memory stick full of
personal information turning up on a bus.
So Gartner's Heiser says you need to close all loopholes of this
nature. "Data leakage is no longer acceptable," he says. "The
public relations impact is significant. And most organisations
should make routine encryption of computers their priority. They
also need to decide what to do about plug and play."
Work smarter
Although Alldrick believes the media play a vital role in
reducing complacency, he says IT security managers should resist
being swayed by what the media judges is important.
For example, senior managers reading The Times may become unduly
concerned by a vague headline about a company in a completely
different sector. So it is up to infosecurity managers to impart a
reality check.
"We need to be careful to hold back from knee jerk reactions to
mitigate data loss at the risk of neglecting other threats,"
advises Alldrick. "If your organisation holds a lot of personal and
confidential data, then you should definitely be concentrating on
it, but you may have other pressing issues that must be dealt with
first."
Without doubt, the current economic downturn means that
organisations have to work smarter and get back to basics. Already
Forrester Research revealed in September that nearly half of US and
European financial firms have cut their technology budgets.
But slashed IT budgets do not mean customers will drop their
expectations of organisations safeguarding their data, Alldrick
points out. So security teams have to work even harder.
He also warns that cyber criminals will feel the economic
meltdown too, and so could up the ante to steal money. The
tightened budgets mean IT security managers need to watch their
backs more than ever.
Unfocused spending needs to be trimmed back, advises Heiser.
"There has been a culture of overspending in some areas and under
spending in others," he says. "But we cannot afford to overspend
any more."
Now more than ever, IT security managers need to know what their
company really needs and how to get it. And remaining faithful to a
risk profile is one way to keep your head while all around you are
losing theirs.
This article first appeared in Infosecurity magazine.