SearchSecurity.co.uk: As the chief of security for a very large and complex international insurance company, where will you be focusing your priorities over the next year?
Paul Wood: For me, 2008 is still about getting appropriate and defined end-user access controls in place. Some people think that is just about identity and access management (IAM) but it is more than that. IAM is being oversold as a product whereas nothing on the market today really delivers it as a holistic solution. You'll see small roll-outs of it in small enterprises where it is not complex, but not in large corporations. I have yet to see a large and effective solution delivered by anybody which deals with joiners, leavers and access rights within applications, all in a one-stop solution.
What's the problem, do you think?
It's like PKI – a great idea in principle, but in order to make it work, you need to put the business logic behind it. To do that, you have to engage the business and get them to define roles. When you get to that point, you find there is no appetite to sit down and say this job requires this, this job requires that, and so on. It's a huge task.
So what is your approach?
You have to bring it back to manageable chunks. For me, the key is to design appropriate user access controls – if you can enhance that with technology, great, but I don't see there being a single solution provider who can integrate mail, desktop, network, internet, applications and identity with one click.
What is your approach to data leakage prevention?
We are a much more mobile workforce. People expect to be able to move information around on mobile devices. It is scary to see how easy it is to copy large amounts of data on to a device. Data leakage is important, but we need to prioritise. You need to know where sensitive customer data is stored, and make sure you have controls over what happens to it, and how it can be removed from their systems.
What are the most important elements?
For me, culture and awareness are key. If people are not aware and not security-conscious, they can be susceptible to social engineering. All the measures you've put in place are worth nothing if they don't think before they act. Breaches are nearly always a people issue. We need to raise the profile of information security so that users understand that they all have a part to play in it, and they can be the weakest link. The technology is there, you can develop good processes, but people can be your greatest asset and also your single biggest liability. There is no patch for stupidity – if there were, it would solve all our problems.
I see you have joined the board of the new Institute of Information Security Professionals. What do you hope to achieve?
I am a director representing the corporate sector. My aim on the board is to make sure the members' and the corporations' voices are heard. The aim of the IISP is to raise professional standards, so we are doing a lot of work at the moment to develop job profiles for the various roles within security, salary benchmarking and also graduate recruitment programmes. We hope to achieve higher levels of training, better collaboration across organisations, and better mentoring programmes.
Is there anything that annoys you about the security industry?
Technologists that claim to have solutions that aren't real. Lots of people purport to have the answer to our prayers – and IAM is a good example of that – but it doesn't take into account the business process, or the complications. It just tries to offer a simple solution, whereas more honesty and understanding of business requirements from some of the big security vendors would be really helpful.