Work with your users to protect corporate systems, says Stuart Okin
Security is currently the IT industry’s main priority, and will remain so for the foreseeable future.
The IT security banner covers a range of issues, from securing data against accidental loss to protecting an organisation’s information, transactions and reputation from orchestrated criminal attacks. It also spans the entire end-user spectrum, from the world’s large private and public organisations to the home PC in the spare bedroom.
There is an ongoing debate as to where the overall responsibility for computer security lies. In the corporate world, the answer is usually that it lies with the head of IT or a specific working group within an organisation. Certainly, those charged with that responsibility feel the onus rests solely on their shoulders.
But the real issue is much wider than that. In the physical world, the responsibility for security lies with a host of parties. A home-owner, for example, is only partly responsible for securing their home. Central and local government, law enforcement agencies, the emergency services, security product manufacturers and insurance companies are just some of the other parties in the equation.
The same is true for IT security. The end-user has a pivotal role to play, as do the software, hardware and services suppliers – alongside government, the judicial system and the arresting officer of an IT criminal.
These stakeholders rightfully expect software suppliers to deliver secure solutions based on the growing value of data assets in an increasingly data-centric world – but a secure computing environment can only be achieved through a united front.
Education boosts security
Members of the IT industry are working together to ensure the best possible protection through investment and partnership initiatives, but we still need end-users to take the necessary steps and measures to protect against security threats.
It was only a few years ago that the IT industry designed systems that ran largely within isolated environments, or where there was limited access from outside the perimeter. In the software market it was features and functionality that drove development, not security. The demands of the corporate and home computing environments have changed as technology has evolved and security threats increased.
Continuing to educate and encourage business managers and end-users to think about information security as common sense will achieve exponential improvement in computer security. Indeed, many IT security experts talk about awareness activities being the most important aspect of their job.
As most leading IT companies consider security to be a top priority, they have boosted their security-related research and development. Similarly, there is increased supplier-led investment in creating a new security mindset.
A UK example of this is Microsoft working with Leeds University to help students understand the importance of IT security through the development of a module that focuses on writing secure software.
Look to the end of the line
Systems need to be adaptive, flexible and written in modern languages so that any mitigations to a security threat or a software update can be deployed rapidly and cost-effectively, minimising the loss of business continuity. But even within this environment, people and a lack of processes still present a risk.
A lack of action from an end-user can still result in security threats infiltrating internal systems. It is like road safety: no matter how much the government invests in road improvements, how many police patrol the roads or how many safety features are installed by car manufacturers, there is still an onus on drivers to take care when driving.
We are in an exciting period where the e-world underpins the real world. Although this enables us to deliver on improvement in business and our daily lives, it also requires increased vigilance to create a secure computing environment.
With the industry working together, we can engineer an increased awareness among customers and end-users, and help businesses secure IT perimeters to ensure protection against security threats in the e-world.
Stuart Okin is chief security adviser at Microsoft