LONDON -- The Infosecurity Europe 2011 conference kicked off today with panel discussions on two important issues for security pros: how to manage security on a budget, and what to do about smartphones. The answer to both, it turned out, is good risk management.
You need to move from having a security policy to having a security strategy for the business.
Steve Knight, information security officer, Aspen Re
An opening session brought together CISOs from the insurance, retail and the legal sector to discuss the question: “When do you stop spending on security?” In other words, how do you decide when the company is secure enough?
Michael Colao, head of information security at insurance underwriters Beazley Group, said that moving from his previous job at an investment bank was a revelation. “Working for an insurance company has completely changed the way I understand risk,” he said, because the whole insurance industry is based on making clear assessments of risk, and then putting a price to it.
“If I say that something unlikely but expensive could happen to us, they’ll ask how unlikely and how expensive. These are calculations they are used to making,” Colao said. “You can’t use fear, uncertainty and doubt with these people. We convert risk to money, decide what it will cost to control, and then make the decision.”
Andrew Rose, CISO at law firm Clifford Chance, proposed a similar approach, adding that it is necessary to build a common set of terms across the company so every department looking at risk will have common standards by which to judge what constitutes, for example, a “catastrophic” risk.
Rose added that, rather than setting the security budget first, it makes more sense to assess risks, assess the costs of controlling them and then match them to the organisation’s appetite for risk. That way, any budget demanded will be fully justified.
And don’t be afraid to talk down your own budget. Colao said that, on occasion, he has done a risk assessment that showed spending could be cut in some areas. “It buys you a lot of credibility if you can demonstrate a willingness to cut budget when you can,” he said.
However, the discussion moderator Wendy Nather, a security analyst with the 451 Group, pointed out that all those on the panel were from large organisations, whereas a lot of smaller companies live below what she called the “security poverty line,” where they have no dedicated security people and often just a small IT department.
“Your risk tolerance can be very high when you have no money,” Nather said.
Risk management also dominated the following session, in which participants tried to decide whether smartphones were a boon or a curse to business. Gary Cheetham, CISO at insurance company NFU Mutual, reported that members of his company were pushing to use more mobile devices, despite his misgivings about some smartphone security issues.
Michael Everall, CISO for Lehman Brothers Holdings, said he was also in the process of rewriting his company’s mobile usage policy to accommodate demand for a wider range of mobile devices.
They and others on the discussion panel agreed it was futile to resist the rise of the smartphone and mobile tablets, such as the iPad, but they all worried the devices (with the exception of the BlackBerry) were built primarily as consumer devices and were difficult to manage from the point of view of security and policy.
Everall said trying to support a growing range of devices is too difficult. “The device is not the issue. Our goal should be to look after the data and focus on the basics of confidentiality, integrity and availability,” he said.
Various mobile device management products were considered by the panel – Good Technology Inc., MobileIron Inc. and Sybase Inc. were all mentioned as having useful products – but technology was only part of the answer, the panel concurred.
Cheetham said the risks need to be explained to the company, and the appetite for risk defined. Everall added this should include a change of approach that ensures users understand both the risks and their responsibilities when they choose to download corporate data onto their personal mobile devices. “[Users] need to understand that the data still belongs to the organisation, and they have a responsibility for its security,” he said.
User education: Cheap but effective
A prevalent theme during the day’s events was the power of good user education, training and awareness in managing and assessing risk.
Lehman’s Everall favoured lunchtime sessions with users, with pizza provided, where he could explain why security mattered and why the security department was implementing policies. Users were also given free security software for their home systems.
When he joined Beazley, Colao carried out approximately 140 interviews with people around the company to get their views on what mattered and where risks were, and this helped refocus the company’s security posture. He has maintained strong links with departments to ensure security is seen as a benefit to business rather than a blocker. “User education can be far more effective than a large technical investment,” he said.
Steve Knight, information security officer at reinsurance company Aspen Re, who spoke in the security budgeting discussion, had also carried out workshops wherein workers from multiple departments had participated (with sandwiches provided) and where they helped rank the seriousness of a whole range of risks. This close relation was also fostered by running sessions to help users secure their home computers.
“Good security should be just part of the routine of the business,” Knight said, “not contained in a separate policy document. You need to move from having a security policy to having a security strategy for the business.”