
Enterprise security is an extremely sensitive subject for many CIOs. Because threats are many and varied, the approach is typically reactive. And even if there were a silver bullet for all possible threats, few companies have the financial resources or the will to implement it. RULE NUMBER ONE of IT journalism is that people don't want to talk about the uses to which they're putting technology - especially security technology.

Witness the reaction of Sars to an interview request about how it combats security threats. Dr Hettie Booysen, senior manager: TPD Risk Management at Sars, responded succinctly: "After discussion with Ken [Jarvis, outgoing chief information officer], we are not able to share this kind of information with you."

While disappointing - Sars is, after all, one of the most innovative local organisations when it comes to using technology - it is perfectly understandable. The recently unveiled facility for filing tax returns electronically is an example of innovation, but also an illustration of how dependent organisations are becoming on the Internet, the prime access mechanism for security breaches these days.

And while we're on the subject, it might be a good time to note that there is only one foolproof way to ensure that IT systems are secure, and that is to pull the plug on the Internet. However, doing so will put you right back in the Middle Ages. And that's not all. According to , research manager at BMI-TechKnowledge (BMI-T), there's a softer side to Internet access; cutting it off will just end up alienating staff.

"People assume Internet access is their right ... and if you take it away they'll start looking for [an employer] who won't," he says. Sobering thought to add to the list.

So how does a CIO cope with such conflicting pressures?

GOT TO HAVE IT

Network Solutions is a company that wouldn't have a business without the Internet. CEO of the Web hosting and design firm, Champ Mitchell, recently penned an article first published in Chief Executive magazine (issue 214), in which he argues that security is not just the responsibility of the IT department.

"Not focusing on Internet security is like opening the cash register to hackers and thieves," he wrote.

's director: technology engineering, , has adopted a rather unusual approach to security. He takes his guidance from a concept first seen in the manufacturing industry in post-World War II Japan, called Kaizen.

Singh has evolved this into a four-step process. "Step one sees us develop a strategic radar system, which warns us about future threats; step two is defending the fort; step three is defending the customer or user; and step four identifies points of failure and has us learn from them. Basically: plan, do, check, act," he explains.

The key point is continuous improvement. research VP, , thinks it's just as well. "As technology keeps evolving and we continue to move toward the opening of enterprise IT systems through the use of Web services and Internet-based connectivity, [security] is going to be a problem that needs addressing."

His colleague and also research VP at Gartner, , agrees but notes that organisations are becoming increasingly cost-sensitive.

While the cynic might suggest the concept of 'cost-effective security' rates right up there with oxymorons like 'military intelligence', Allan explains: "The organisation has to understand what security measures are appropriate, what safeguards it needs. It needs to look at its risk situation: the technical threats, operational risks, and the need for regulatory compliance.

"There are certain controls and safeguards which must be in place, but finding more cost-effective ways is in order," he says. One way to cut costs is to buy a combo - a single appliance offering firewall, anti-virus, spam filtering, and intrusion detection and prevention.

BMI-T's Blume believes enterprises need a multi-pronged defence, a so-called unified threat management system. "They have to be modular and expandable; CIOs are sick and tired of buying something now, and in a few weeks' time they have to buy something different."

START DEMANDING

"So they're starting to demand things of vendors, solutions that will have a long lifespan, don't break the bank, are modular and easily installed and increased as new threats arrive," he adds. Scholtz believes the real issue for CIOs is not necessarily cost; it's selling an idea to management. "You can't really calculate the ROI [return on investment]," he says.

Andrew Kellett, senior research analyst at Butler Group, agrees. "[Failing clear ROI] one of the drivers in Europe," he says, "is not getting sent to jail. Properly protecting information, in line with compliance and regulatory laws, is becoming an issue."

Although we're some years behind Europe in imposing data retention and security regulation, it's on its way. Blume suggests local organisations may have to take their heads out of the sand.

One technologist who's got his head up is Standard Bank's Singh, and he isn't waiting for regulation to tell him to protect his information. Neither is he looking for a silver bullet solution.

"We have a strategy that looks at each of the threats in turn. Take phishing. No single solution can fix it. It's just impossible. We have a rapid response system where we work with an American partner. They are able to detect phishing attacks as they happen, to identify the [source] of the attack and they work with us to ensure that it gets shut down," he explains.

One of the more challenging threats faced by most organisations today is mobility. "The big issue [with mobility] is the device is no longer the thing you want to protect. It's the data on the device that's important. So what we're seeking to do is protect it at every stage, whether in transit or in storage," says Singh.

Since data in transit is generally encrypted already, the bank is focusing on the devices used to store data. "We're rolling out a piece of software that allows us to encrypt the data on every hard drive, USB memory stick, and so on."

Butler's Kellett believes the mobility threat goes beyond laptops, PDAs and USB memory sticks. "Some of the new music devices that people bring into the office [are] essentially storage devices and plug into a USB port," he says. And while there are solutions available for managing what is and isn't allowed on USB ports, he notes that most organisations don't bother yet. "As usual it's a case of the industry catching up with the threats once they've started to happen," opines Kellett.

SOME RISK IS GOOD

Gartner's Scholtz, who will be presenting at the ITWeb Security Summit later this month, offers some final advice: "The objective of a security practitioner should not be to eliminate all risks because ... if you have no risk you have no return on your capital. The objective is to reduce unnecessary risk, to manage and understand residual risk and get better at how you identify and eliminate such risks over time."
