Fox IT Symposium
Security: What is real and truly important in securing the enterprise?
April 03, 2003
7:30 to 10:00 AM
Fox/Gittis Foyer
Liacouras Center
Temple University Main Campus
Panelists
Raymond Blair, Vice President - Global Security Solutions, IBM
James Finn, Principal, eBusiness Security, Unisys
Douglas Hurd, Senior Product Manager, Network Associates International
R.K. Raghavan, eSecurity Practice Head, Tata Consultancy Services
Tommie Sonby, Vice President of Technology, Concord EFS, Inc
Moderator
Nicholas Economidis, Vice President, AIG eBusiness Risk Solutions
After 9/11, security has become an important topic in industry and government.
IT security, already under pressure from the threat of viruses and hackers, has
become even more complex and important. There continue to be major
misconceptions about what is feasible, practical, and important. A completely
secure enterprise is not a realistic goal but how much is a company willing to
spend to go from 80% security to 90%? The panel will provide insights on the
relative role of IT security in the management of the enterprise.
Event Summary
The key points highlighted by the panel include:
Quality vs. Quantity
Focus your IT-security resources appropriately. Many organizations focus an
inordinate amount of resources on a limited number of “quality” attacks. Quality
attacks typically require a great deal of sophistication, and as a result are
infrequently seen in real life. Rather, organizations should focus on “quantity”
attacks, which require less technical knowledge on the part of the attacker but
happen with much greater frequency. For example, “social engineering” involves
relatively little knowledge of computer systems; instead it involves convincing
users to divulge user IDs, passwords and other information.
Security is a Management Function
As fast as companies employ new security measures, hackers and criminals
invent new ways to cause damage. As a result, IT-security is not something
that can be purchased off the shelf. Rather, good IT-security is a management
function. IT-security involves the same critical elements as any other
management function. These include:
- Analysis and Assessment: educate yourself as to what the risks are, what
laws/regulations you may be subject to, where you may be vulnerable and what
your security options are.
- Implement appropriate risk controls: take reasonable actions to prevent and
mitigate loss. Plan for recovery and business continuity should an incident
occur.
- Feedback: Review the results of your security efforts, note changes in the
environment, and make changes as necessary. Security is a continuous effort.
Fundamentals: The Importance of Basic Blocking and Tackling
Focus on the fundamentals of good security. Some of the fundamentals
highlighted by the panel included:
- Data Backup
- User Awareness Training
- Policy & Controls (instructing users what is permissible)
- Delegation of duties (assigning security as a responsibility).
- Separation of duties (don’t rely on a single employee; have appropriate
checks and balances).
- Compliance: audit for compliance with policies and controls.
It’s Not What You Spend on Security, but How You Spend It!
There is no magic formula for how much to spend on security. What matters
is to spend wisely and in an appropriate manner. Avoid spending money on
“vanity” items that may sound good but provide few real benefits. Don’t rely on
technology alone for security. The following allocation for a security budget
was provided as an example:
- 15% Policy development and maintenance
- 40% User awareness training
- 10% Assessment
- 20% Technology (software and hardware)
- 15% Compliance