April 03, 2003
7:30 to 10:00 AM
Temple University Main Campus
After 9/11, security has become an important topic in industry and government. IT security, already under pressure from the threat of viruses and hackers, has become even more complex and important. There continue to be major misconceptions about what is feasible, practical, and important. A completely secure enterprise is not a realistic goal, but how much is a company willing to spend to go from 80% security to 90%? The panel will provide insights on the relative role of IT security in the management of the enterprise.
- Raymond Blair, Vice President – Global Security Solutions, IBM
- James Finn, Principal, eBusiness Security, Unisys
- Douglas Hurd, Senior Product Manager, Network Associates International
- R.K. Raghavan, eSecurity Practice Head, Tata Consultancy Services
- Tommie Sonby, Vice President of Technology, Concord EFS, Inc
- Nicholas Economidis, Vice President, AIG eBusiness Risk Solutions
The key points highlighted by the panel include:
Quality vs. Quantity
Focus your IT security resources appropriately. Many organizations focus an inordinate amount of resources on a limited number of “quality” attacks. Quality attacks typically require a great deal of sophistication, and as a result are infrequently seen in real life. Rather, organizations should focus on “quantity” attacks, which require less knowledge on the part of the attacker but happen with much greater frequency. For example, “social engineering” involves relatively little knowledge of computer systems; instead it involves convincing users to divulge user IDs, passwords and other information.
Security is a Management Function
As fast as companies employ new security measures, hackers and criminals invent new ways to cause damage. As a result, IT security is not something that can be purchased off the shelf. Rather, good IT security is a management function, and it involves the same critical elements as any other management function. These include:
- Analysis and Assessment: educate yourself as to what the risks are, what laws/regulations you may be subject to, where you may be vulnerable and what your security options are.
- Implement appropriate risk controls: take reasonable actions to prevent and mitigate loss. Plan for recovery and business continuity should an incident occur.
- Feedback: Review the results of your security efforts, note changes in the environment, and make changes as necessary. Security is a continuous effort.
Fundamentals: The Importance of Basic Blocking and Tackling
Focus on the fundamentals of good security. Some of the fundamentals highlighted by the panel included:
- Data Backup
- User Awareness Training
- Policy & Controls (instructing users what is permissible)
- Delegation of duties (assigning security as a responsibility)
- Separation of duties (don’t rely on a single employee; have appropriate checks and balances)
- Compliance: audit for compliance with policies and controls.
It’s Not What You Spend on Security, but How You Spend It!
There is no magic formula for how much to spend on security. What matters is to spend wisely and in an appropriate manner. Avoid spending money on “vanity” items that may sound good but provide few real benefits. Don’t rely on technology alone for security. The following allocation for a security budget was provided as an example:
- 15% Policy development and maintenance
- 40% User awareness training
- 10% Assessment
- 20% Technology (software and hardware)
- 15% Compliance