Breaking the corporate shackles

Last month hackers had some fun with the official Web site of Britain’s ruling Labour party. No fan of Prime Minister Tony Blair, the hackers posted a photo of U.S. president George W. Bush holding his dog. Unfortunately for Blair, his head replaced that of the dog. It could have been humorous, in a childish sort of way, were it not for the security ramifications. A Labour party spokesperson said it would be “looking into” improving security.

This response is called the burned finger syndrome and, unfortunately, is the norm for most Canadian companies. Potential problems are ignored until they become real, and even then they are not a top priority. Trying to understand this corporate logic tests one's resolve. But part of the problem undoubtedly lies in the misguided notion of subordinating IT security to IT itself.

Surveys abound of CEOs and senior executives saying their IT systems are secure. But, how do they know? They have too many other concerns and constraints to realistically put IT security at the top of their list. They are also at the mercy of CIOs, whose word is often taken as gospel. This is not a problem until there is a conflict of interest, when a CIO must choose between improved application accessibility or functionality and improved security. Since CIOs are ultimately responsible for all of IT, security often gets compromised.

Today there is a move to take security out from under IT’s umbrella and give it a home of its own, one where chief security officers (CSOs) report not to the CIO, as is often the case, but rather to another, non-technical, executive officer.

“It is the fox in the hen house,” said Gene McLean, CSO with Telus Communications Inc., referring to a CIO overseeing security. At Burnaby, B.C.-based Telus, McLean reports to the chief general counsel. When times are tough for the CIO, as is often the case in a slow economy, “the first thing to go is security,” he said.

Reporting to the CIO “is a dreaded conflict,” agreed WhiteHat Inc.’s CSO Tom Slodichak. Among the Canadian companies that actually have a CSO or CISO (chief information security officer), he has seen little evidence that more than a quarter have a chain of command that takes technology security out from under IT.

One company that has altered this chain of command is the BMO Financial Group. Though Robert Garigue, BMO’s vice-president and CISO, reports to the chief operating officer of the technology group, he can, when appropriate, voice his concerns to the operational risk management group, which oversees the bank’s entire risk posture and sits outside of IT’s umbrella.

Individual business units still decide the level of risk they are willing to accept. But if Garigue deems the risk to be too high, he can intervene. “When there is a fundamental exposure that is so great, that is beyond one line of business, then I escalate,” he said. This escalation can stay inside IT, or, if he deems it necessary, go outside to the operational risk management group in order to find an appropriate resolution to the problem.

Garigue has done this only a couple of times in his tenure at BMO, he said, since security is generally ingrained into corporate thinking, but in those few cases when he intervened it was more about educating business people than dealing with obstinate individuals bent on pushing a project forward at all cost. “People didn’t realize what risk they were taking on,” Garigue said from his Toronto office.

However, there was one instance when Garigue felt a group was “going too fast” and needed to “cool their heels.” He asked for an increase in due diligence around testing, which he got, and ultimately the group learned something new about IT security.

“It worked out very well.”

Autonomy takes time

Simon Perry agrees with the strategy used at the BMO Financial Group, and he is not a stickler for exactly who a CSO reports to. “CFO, COO, CEO, those are all preferable to IT.” But unlike BMO, “the majority of security today still reports (only) to IT,” he said.

Perry, the London-based divisional vice-president of Computer Associates Inc.’s eTrust, said security’s move outside of IT is happening “but it is definitely slow.”

Due to this lack of autonomy, senior executives rarely find out about IT security problems until they are too large to ignore and often have entered the public eye. “Changes are only implemented today if they improve business function or if they fix a problem which is already causing an impact,” Perry said. “Most security-related patches aren’t solving something which has already caused a problem, they are closing a [hole] which could be exploited.”

Changing Canada’s corporate mentality will not be a quick fix, since imperfect probability forecasts of catastrophic events don’t sell well in the boardroom.

“It takes years to build an effective, enterprise-scale information security management program,” said Richard Reiner, CEO of FSC Internet Corp. in Toronto. Many companies have efforts underway to change their business model but for the most part they are “flailing,” he said.

A good starting point is the ISO 17799 security standard. “It is a road map of the areas an organization should consider,” Reiner said. One indicator that information security is not solely an IT issue: only three of the standard's 10 control areas fall specifically under IT. “It really makes very little sense for a director of information technology, even a CIO, to have overall information security responsibility,” he said.

“The functional side of security should not be part of IT,” agreed Michael Murphy, the Toronto-based general manager of Symantec Canada. The “network (administrators) can manage the boxes but not their security since they are more concerned with the uptime and productivity,” he said. “Security guys need to own the management and software which these boxes run on.”

This is precisely what they do at BMO. There the technology is controlled by IT but security strategies and policies are controlled by the IT security group. “We are there to verify that (the administrator) has hardened (the technology), that it is current, that there are no inherent vulnerabilities,” Garigue said.

In a nutshell, let IT run the technology but make sure IT security has a say in how it is run and, most importantly, make sure they report to different people.

Balancing risk, selling horror

An often-heard complaint is that IT security is not properly considered when new applications and services are developed.

At BMO, new IT offerings are run past Garigue’s office, and if they don’t address all security concerns a dialogue is started. Part of Garigue’s job is to inform and educate business managers about the potential risks of the applications and services being developed.

“Ultimately it comes down to a trade off,” he said. “The technology risk and business risk have to be balanced out.” Often decreasing one increases the other.

But if a business group decides not to listen, there is always fear, uncertainty and horror. Unfortunately this technique is still used because it is often the last resort. Just ask jeans maker Guess Inc.

The U.S. Federal Trade Commission recently settled a case with Guess in which the agency accused the company of not taking appropriate measures to secure its Web site. The agency accused Guess of leaving its Web site open to “commonly known” attacks for several years. Though Guess claimed to store customer data in an encrypted, unreadable format, a February 2002 SQL injection attack allowed a hacker to read credit card numbers in clear text, according to the FTC complaint.

But that attack was last year. Is security any better this year? When compared to last year, no one ComputerWorld Canada spoke to had much good to say. The most glowing endorsement was that security is “slightly better.”

CA’s Perry is not that optimistic. Companies “are not better prepared…I will lean toward saying worse,” he said.

The state of the economy is often blamed for this lack of improvement, but this is a rather shallow excuse since security was never high on the list when times were good.

Design it right

Good times or bad, there is still far too much shoddy IT architecture, according to FSC’s Reiner.

Architectures are not well thought out and Internet-facing systems are not well designed, he said. One piece of evidence is SQL Slammer. The Internet worm spread like wildfire, infecting tens of thousands of hosts running Microsoft SQL Server around the world (the CAIDA analysis counted roughly 75,000 victims) in about 10 minutes, something that should not have been possible, he said.

“It is a really basic oversight to let your database be reachable from the Internet. There is no reason ever, under any circumstances, to expose your database servers to the Internet.” It should be a Web server interacting with the Web, he said. Though admittedly, they too have holes.

Slammer was “proof of concept that someone sufficiently clever could now infect the Internet in 30 minutes or less,” Reiner continued. “It was really the first non-theoretical, non-laboratory worm that was able to do that.”

It was “379 bytes of pure packing power,” WhiteHat’s Slodichak said. “I have sort of been admonished for saying this, but the SQL Slammer worm was a work of art.”
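The oversight Reiner describes above is a reachability problem, so the check a practitioner wants is a mechanical one over the ingress policy. Here is an added example (not code from the article or from any of the companies quoted) that audits a constructed, firewall-style rule set for database listeners admitted from anywhere outside a hypothetical web tier, and then rewrites the policy so the listeners answer only that tier. It generalises slightly beyond the page: besides the 1434/udp SQL Server Resolution Service that Slammer abused, it knows the other common database ports. The rule names, the 10.10.1.0/24 web-tier CIDR and the rules themselves are all assumptions made for the example.

```python
"""Audit an ingress rule set for database listeners reachable from outside a
trusted tier.  Rules, names and CIDRs below are constructed for illustration
(assumption); nothing here comes from the article or a vendor product."""
import ipaddress
from dataclasses import dataclass, replace

# Well-known database listeners.  1434/udp is the SQL Server Resolution
# Service that Slammer targeted; the others generalise the same check.
DB_PORTS = {
    ("udp", 1434): "MS SQL Server Resolution Service",
    ("tcp", 1433): "MS SQL Server",
    ("tcp", 3306): "MySQL",
    ("tcp", 5432): "PostgreSQL",
}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "tcp" or "udp"
    port: int
    source: str   # CIDR the rule admits traffic from


# Hypothetical web tier: the only hosts that should ever reach the database.
WEB_TIER = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed "before" policy: the database answers the whole Internet.
WEAK_RULES = [
    Rule("https-in", "tcp", 443, "0.0.0.0/0"),
    Rule("mssql-in", "tcp", 1433, "0.0.0.0/0"),
    Rule("mssql-browser", "udp", 1434, "0.0.0.0/0"),
]


def exposed_db_rules(rules, trusted):
    """Return (rule name, service, source) for every database-port rule whose
    source CIDR is not wholly contained in one of the trusted networks.
    A source broader than the tier (e.g. 10.10.0.0/16) is flagged too."""
    findings = []
    for r in rules:
        service = DB_PORTS.get((r.proto.lower(), r.port))
        if service is None:
            continue                      # not a database listener
        src = ipaddress.ip_network(r.source, strict=False)
        inside = any(src.version == t.version and src.subnet_of(t)
                     for t in trusted)
        if not inside:
            findings.append((r.name, service, r.source))
    return findings


def harden(rules, trusted):
    """Rewrite the policy so database listeners admit only the trusted tier.
    The Resolution Service (1434/udp) is dropped outright, since an app tier
    that connects to a fixed port does not need it; every other database rule
    is replaced by one rule per trusted CIDR.  Non-database rules pass through."""
    hardened = []
    for r in rules:
        key = (r.proto.lower(), r.port)
        if key not in DB_PORTS:
            hardened.append(r)
            continue
        if key == ("udp", 1434):
            continue
        for t in trusted:
            hardened.append(replace(r, source=str(t)))
    return hardened


if __name__ == "__main__":
    for finding in exposed_db_rules(WEAK_RULES, WEB_TIER):
        print("EXPOSED:", finding)
    fixed = harden(WEAK_RULES, WEB_TIER)
    print("after hardening, exposed:", exposed_db_rules(fixed, WEB_TIER))
```

The containment test is deliberately an allowlist (source must sit inside a trusted CIDR) rather than a denylist of Internet ranges, so a rule that is merely broader than the web tier is also reported; that is the shape of the "basic oversight" in Reiner's quote, not only the 0.0.0.0/0 case.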

Murphy warned that the next generation of worms will be faster and craftier, able to permeate the Internet in seconds, not minutes, or take a stealth route, remaining undetected for days or weeks until a payload is dropped, effectively rendering defences useless.

Perry argued that companies need to pay attention to security, especially now, since they are much more vulnerable, not specifically to attacks but to the consequences of attacks. “The state of the company across the board is a little more precarious,” he said, so the “impact of a large attack has a (proportionally) larger effect on the bottom line than it did last year.”

Even with all the warnings and stories in the news, change is slow.

“I think there is increasing high level awareness of the risks and the need to take steps but I don’t really think the budgetary floodgates have opened,” Reiner said.

Money aside, now is a good time to address core governance issues around security. Even if there is no budget to buy new solutions, companies should, at the very least, invest in hardening their corporate security policies and procedures.

“Increasing education and improving awareness is…something that needs to happen at the business level,” Perry said, but he has seen little evidence of even this rudimentary first stage being taken. This lack of improvement is perplexing since the costs are so low and the returns so high.

The time to change is today, not tomorrow, because hackers and attackers “are adapting as fast as we on the defensive side are,” Reiner said, and in the future a company will need more than just technology to save its fingers from the flame.