In the first part of a report from an exclusive Computer
Weekly roundtable, in association with Oracle, Joe
O'Halloran discovers how IT security professionals are coping
with unprecedented demands for their services.
At the end of July 2009, the UK government downgraded its
terrorism threat level from "severe" to "substantial"; those
involved in protecting their companies' assets from IT security
threats may feel differently. In fact, they are likely to believe
that threat levels are increasing, given that many IT departments
are under unprecedented pressure not only to protect valuable
information assets from a multitude of threats, but also to reduce
costs and make an increased contribution to the profitability of
the business in general.
As organisations adapt to making valuable enterprise information
more widely available, they face a commensurate increased risk of
exposure to threats.
Firms must protect business information, which is the principal
asset of any organisation. They need to protect it from the edge to
the core: from external and internal threats alike, and by ensuring
that the right people have the right access to the right
information.
Computer Weekly, in association with Oracle, invited senior IT
professionals involved in IT security to an exclusive roundtable
discussion to find out how they are reacting to these pressures.
The aim was to enable those at the front line of IT security to
share their experiences and advice on how to ensure that enterprise
information and mission-critical applications are protected inside
and outside the enterprise and compare findings on how such
protection enables business.
Initially, the delegates talked about the general threat
landscape, associated pressures and how to develop a framework by
which business assets could be protected.
So how did the panel regard the current threat landscape? Taking
the lead was renowned infosecurity figure Andrew Yeomans,
vice-president of global information security at Dresdner Kleinwort
(DrK) Investment Bank, speaking as a board member of the Jericho
Forum, the international IT security thought-leadership association
dedicated to advancing secure business in a global open-network
environment. He addressed the state of play for risk management in
depressed economic circumstances, which he regarded as a large set
of issues with a few key problems at their heart.
"On the one side, we have organised crime entering the world of
security. A great deal of fraud has taken place and it is a big
problem for organisations. That is going to keep on pressing on.
Some of the solutions to addressing the crime being proposed right
now are probably unacceptable to the general population. If you
need the amount of intrusive, pervasive knowledge about everyone,
and if you have to see your identity at every transaction, the
majority of the public would be unhappy with that.
"[Currently] the technology underpinning our systems is not
capable of protecting the data to [a suitable] level, so we have a
lot of problems but don't really have the solutions. So how do we
move forward and meet the needs of the business and government and
citizens?"
Marty Carroll, who headed up a recent research project on IT
security for his firm Foviance, said tension is building around the
threat to business, if not to security in general, because of the
potential for revenue to be lost. "Customer frustration is reaching
fever pitch with the inconvenience of the process of security
protocols that businesses have in place."
Threats and challenges
So, given this basis, what specific threats and challenges are
businesses facing? Haig Tyler, IS director of BUPA, said there is
tension between the business advantage of Web 2.0 technologies and
the overwhelming growth in the threat landscape. His job is about
balance, he explained. "It is trying to get the judgement call
right that says we are going to exploit that particular piece of
business value and we are going to control that threat landscape to
a degree whereby we feel comfortable that we can move forward."
His colleague, group IS security manager Phil Hunt, explained
how. "The message is that we are caring for data very much, but on
the other hand moving swiftly enough to [exploit new technologies].
Balancing the two is a challenge. Data loss prevention [technology]
is on the agenda, but there have not been any specific major
threats."
Is this the same for governmental organisations such as the MoD?
Jane Jenson, who manages identity protection for the new chief
information officer's organisation at the MoD, agreed that balance
is the key in ever more dispersed networks. "Our people are
becoming more mobile and want to access information, particularly
HR information, when they are on the move and at home, and when
they are posted to other government departments or overseas. At the
same time, we need to ensure that we protect that information. It
is a huge challenge."
The financial sector has been hit more than most in the down
economy. Jason Carter, head of IS at Experian, disagreed with the
notion that the downturn has changed the threat landscape
considerably. "There is an expectation from the general public that
companies such as Experian will protect their data. We have to be
able to protect data, but we also have to make it accessible."
Security as a business enabler
But in the new working paradigm, is the desire to be more
flexible the biggest threat to business, with the need to keep up
with business demands using the latest technology fomenting a
culture of security risk? Duncan Phillips, EMEA infosecurity
programme manager at Travelex, said many of its clients have
different compliance requirements, so keeping every customer happy
is costly and has business ramifications. "We are regularly
checked on by our various clients, which have very different
compliance requirements. We spend a lot of time responding to
compliance requests, but if there was one standard we would stop
burning a lot of man hours."
Anthony Robinson, part of the UK security practice at Accenture,
recognised these dynamics, but made the point that there may be the
same types of attacks and issues to deal with, but the landscape
upon which those attacks are happening is growing and this has
meant change. "There is a growing acceptance in IT departments - it
may not have extended beyond that - that implementing appropriate
security is vital to enabling the business to operate in the way it
wants to. You cannot ignore the demand from the business. The
increase in collaboration and services outside the organisation
means that IT, as a business within the business, needs to react to
that. We are finding that IT in general is becoming accepting of
that fact and security is being embedded as part of the core future
infrastructure to enable the business."
Collaboration and the increasing use of cloud-based services is
a challenge. Jeane Gorman, who heads up identity management in
business development at BT Global Services, accepted that such
things were a challenge in maintaining core security. "There is a
large project going on right now in terms of bringing together the
network and sharing identity information, and it has not yet been
solved around how organisations can really federate information.
Within BT we federate within our key partners, but it is a problem
that has not been solved and is beginning to be used in anger by
the industry. The technology is there for sharing information; it
is the agreements that have to be [addressed]."
Peter Boyle, head of identity services at BT, said, "There
cannot be many firms which do not offshore development, and that
presents us with issues around compliance and data protection.
There are two sides: building an ecosystem that allows our partners
to interface with our applications to build services; and giving
our customers access to those services. It is a complicated model.
I don't think federation has really taken off. It is a trust thing
rather than a technology thing. It is an interesting challenge for
everyone."
Getting the balance right
Companies need an effective framework in which the balances
between control and freedom can be used to deliver business
advantage; a framework where firms can share information between
partners around the world, and do so securely. There have been some
horror stories whereby some firms' third-party suppliers have
mailed secure ID tags to users with a Post-it note containing the
password stuck to them.
Haig Tyler summed up what he thought the model should contain.
"We have a granular approach to security through the system. We
design [security] from the core outwards, but more importantly it
is all about people, and that is seen as our biggest risk. [You
need] to put information security right out there on everyone's
desk...you have to understand what the [security] requirement is
and the business need. As business and technology professionals, we
have to get the solution right for the environment and context, and
perhaps with a bit more thought we can think more rationally about
what is a better value judgement call to give a solution that is
appropriate."
So what is the core challenge? Anthony Robinson suggested that
risk management should start with governing and managing the crown
jewels. "Businesses are recognising that people are the
challenge and are trying to put in the [appropriate] seamless
controls, but they have started with the crown jewels on the most
important people. They have started with the board members, C-level
executives, investing in technology, so that all of the sensitive
data they have and interact with is secure, and then they start
looking at information beyond that. So we see IT departments moving
forward as one of their key tasks around information governance,
data governance and protection as services move out into service
companies and the cloud. That will be the key."
For Des Powley, technology director of security at Oracle, the
challenge is clear. "We need to deliver secure systems to the
business that protect and control risk and manage risk effectively
as appropriate to the needs of the business. But from the
perspective of users and consumers, the challenge has to be how we
deliver the most seamless form of effective security. The real
challenge in terms of business enablement is that consumers demand
more security; they demand more of governments and organisations to
protect their personal data, but they also demand a higher level of
service. Performance and availability to drive it is the real
conundrum we face."
In the second part of this round-up we will share the
strategies revealed by the panel to achieve this business
enablement and establish return on investment with minimum
disruption to the business.