Enabling business while minimising risk

In the first part of a report from an exclusive Computer Weekly roundtable, in association with Oracle, Joe O'Halloran discovers how IT security professionals are coping with unprecedented demands for their services.


At the end of July 2009, the UK government downgraded its terrorism threat level from "severe" to "substantial"; those involved in protecting their companies' assets from IT security threats may feel differently. In fact, they are likely to believe that threat levels are increasing, given that many IT departments are under unprecedented pressure not only to protect valuable information assets from a multitude of threats, but also to reduce costs and make an increased contribution to the profitability of the business in general.

As organisations adapt to making valuable enterprise information more widely available, they face a commensurate increased risk of exposure to threats.

It is essential that firms protect business information at all costs as this is the principal asset of any organisation. They need to protect information from the edge to the core: to protect it from external and internal threats and to ensure that the right people have the right access to the right information.

Computer Weekly, in association with Oracle, invited senior IT professionals involved in IT security to an exclusive roundtable discussion to find out how they are reacting to these pressures. The aim was to enable those at the front line of IT security to share their experiences and advice on how to ensure that enterprise information and mission-critical applications are protected inside and outside the enterprise and compare findings on how such protection enables business.

Initially, the delegates talked about the general threat landscape, associated pressures and how to develop a framework by which business assets could be protected.

So how did the panel regard the current threat landscape? Taking the lead was renowned infosecurity figure Andrew Yeomans, vice-president of global information security at Dresdner Kleinwort (DrK) Investment Bank, speaking as a board member of the Jericho Forum, the leading international IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. He set out the state of play for risk management in depressed economic circumstances, which he regarded as a huge set of issues with a few key problems at their heart.

"On the one side, we have organised crime entering the world of security. A great deal of fraud has taken place and it is a big problem for organisations. That is going to keep on pressing on. Some of the solutions to addressing the crime being proposed right now are probably unacceptable to the general population. If you need the amount of intrusive, pervasive knowledge about everyone, and if you have to see your identity at every transaction, the majority of the public would be unhappy with that.

"[Currently] the technology underpinning our systems is not capable of protecting the data to [a suitable] level, so we have a lot of problems but don't really have the solutions. So how do we move forward and meet the needs of the business and government and citizens?"

Marty Carroll, who headed up a recent research project on IT security for his firm Foviance, said tension is building around the threat to business, if not security in general, because of the potential for revenue to be lost. "Customer frustration is reaching fever pitch with the inconvenience of the process of security protocols that businesses have in place."

Threats and challenges

So given this basis, what types of specific threat and challenges are businesses facing? Haig Tyler, IS director of BUPA, said there is tension between business advantage from Web 2.0 technologies and overwhelming growth in the threat landscape. His job is about balance, he explained. "It is trying to get the judgement call right that says we are going to exploit that particular piece of business value and we are going to control that threat landscape to a degree whereby we feel comfortable that we can move forward."

His colleague, group IS security manager Phil Hunt, explained how. "The message is that we are caring for data very much, but on the other hand moving swiftly enough to [exploit new technologies]. Balancing the two is a challenge. Data loss prevention [technology] is on the agenda, but there have not been any specific major threats."

Is this the same for governmental organisations such as the MoD? Jane Jenson, who manages identity protection for the new chief information officer's organisation at the MoD, agreed that balance is the key in ever more dispersed networks. "Our people are becoming more mobile and want to access information, particularly HR information, when they are on the move and at home, and when they are posted to other government departments or overseas. At the same time, we need to ensure that we protect that information. It is a huge challenge."

The financial sector has been hit more than most in the down economy. Jason Carter, head of IS at Experian, disagreed with the notion that the downturn has changed the threat landscape considerably. "There is an expectation from the general public that companies such as Experian will protect their data. We have to be able to protect data, but we also have to make it accessible."

Security as a business enabler

But in the new working paradigm, is the desire to be more flexible the biggest threat to business, with the need to keep up with business demands using the latest technology fomenting a culture of security risk? Duncan Phillips, EMEA infosecurity programme manager at Travelex, said many of its clients have different compliance requirements, so keeping the customer happy can be problematic with business ramifications. "We are regularly checked on by our various clients, which have very different compliance requirements. We spend a lot of time responding to compliance requests, but if there was one standard we would stop burning a lot of man hours."

Anthony Robinson, part of the UK security practice at Accenture, recognised these dynamics, but made the point that there may be the same types of attacks and issues to deal with, but the landscape upon which those attacks are happening is growing and this has meant change. "There is a growing acceptance in IT departments - it may not have extended beyond that - that implementing appropriate security is vital to enabling the business to operate in the way it wants to. You cannot ignore the demand from the business. The increase in collaboration and services outside the organisation means that IT, as a business within the business, needs to react to that. We are finding that IT in general is becoming accepting of that fact and security is being embedded as part of the core future infrastructure to enable the business."

Collaboration and the increasing use of cloud-based services is a challenge. Jeane Gorman, who heads up identity management in business development at BT Global Services, accepted that such things were a challenge in maintaining core security. "There is a large project going on right now in terms of bringing together the network and sharing identity information, and it has not yet been solved around how organisations can really federate information. Within BT we federate within our key partners, but it is a problem that has not been solved and is beginning to be used in anger by the industry. The technology is there for sharing information; it is the agreements that have to be [addressed]."

Peter Boyle, head of identity services at BT, said, "There cannot be many firms which do not offshore development, and that presents us with issues around compliance and data protection. There are two sides: building an ecosystem that allows our partners to interface with our applications to build services; and giving our customers access to those services. It is a complicated model. I don't think federation has really taken off. It is a trust thing rather than a technology thing. It is an interesting challenge for everyone."

Getting the balance right

Companies need an effective framework in which the balances between control and freedom can be used to deliver business advantage; a framework where firms can share information between partners around the world, and do so securely. There have been some horror stories whereby some firms' third-party suppliers have mailed secure ID tags to users with a Post-it note containing the password stuck to them.

Haig Tyler summed up what he thought the model should contain. "We have a granular approach to security through the system. We design [security] from the core outwards, but more importantly it is all about people, and that is seen as our biggest risk. [You need] to put information security right out there on everyone's desk...you have to understand what the [security] requirement is and the business need. As business and technology professionals, we have to get the solution right for the environment and context, and perhaps with a bit more thought we can think more rationally about what is a better value judgement call to give a solution that is appropriate."

So what is the core challenge? Anthony Robinson suggested that risk management should start with governing and managing the crown jewels. "Businesses are recognising that people are the challenge and are trying to put in the [appropriate] seamless controls, but they have started with the crown jewels on the most important people. They have started with the board members, C-level executives, investing in technology, so that all of the sensitive data they have and interact with is secure, and then they start looking at information beyond that. So we see IT departments moving forward as one of their key tasks around information governance, data governance and protection as services move out into service companies and the cloud. That will be the key."

For Des Powley, technology director of security at Oracle, the challenge is clear. "We need to deliver secure systems to the business that protect and control risk and manage risk effectively as appropriate to the needs of the business. But from the perspective of users and consumers, the challenge has to be how we deliver the most seamless form of effective security. The real challenge in terms of business enablement is that consumers demand more security; they demand more of governments and organisations to protect their personal data, but they also demand a higher level of service. Performance and availability to drive it is the real conundrum we face."

In the second part of this round-up we will share the strategies revealed by the panel to achieve this business enablement and establish return on investment with minimum disruption to the business.