Group makes CAIS for security

Owing to the rising concern surrounding the security of corporate information in Canada, an Ottawa-area organization is attempting to form a new group to better address the issue.

A proposal from Kanata, Ont.-based Communications and Information Technology Ontario (CITO) in April sought input on the idea to create an organization dedicated to information security, and according to the person in charge of discovering such an organization’s feasibility, the final report will be ready in mid-October.

Stafford Tavares, professor emeritus at Kingston, Ont.-based Queens University, said that two meetings have been held – one in Ottawa and one in Toronto – to discuss the proposed Canadian Association for Information Security (CAIS).

“My task as I saw it was to explore the feasibility and the benefits of creating such an organization and then perhaps to recommend some of its roles when I report to CITO after doing a little bit of consulting and thinking with the community,” Tavares said.

CITO envisioned that CAIS would accomplish a number of important goals in the area of information security awareness, such as assisting in identifying security issues as they emerged; promoting and developing the Canadian security industry; advising governments on security issues; providing education on security technology and social issues; promoting security education at post-secondary institutions; and offering short security courses.

“It’s an interesting issue as to exactly what the association should do, but there was a feeling that maybe there was a need for (such an organization),” Tavares said. Security concerns are growing in importance and will continue to grow as businesses become more and more reliant on technology like the Internet and corporate networks, he added.

The consultations for CAIS should be concluded in mid-October with the filing of the official report, Tavares said. At that point in time, Tavares will give his recommendations on whether or not CAIS should be formed and, if he recommends its creation, suggestions on what some of the organization’s roles should be. The meetings took place in May and June, but Tavares said he is still looking for comment from the information security industry.

He added that involvement is not limited to firms specializing in security because every company has an interest in securing its information. He said that if CAIS forms, he could see companies in all areas that need to secure their information becoming involved – everything from banks to companies specializing in electronic transactions to governments to companies that need to protect customers’ private information.

A sampling of security professionals and government representatives were invited to the two meetings and when the meetings were over, Tavares said he had the feeling there was a need for the organization but that it should not be repeating what has come before.

“There is a role for such an organization if we get it right,” he said.

According to Kelly Kanellakis, director of technology for Enterasys Networks Inc. in Toronto, the proposed organization’s idea of promoting the importance of information security is a good one.

“One of the things that I would see value [in] is if they could set up a best-practices model for organizations,” Kanellakis said. He added that companies are currently plotting their own course in terms of security, but it would be helpful to them if there was a model that stated they need to implement certain security policies, what technologies are necessary, what precautions should be taken and what they should be concerned about.

Kanellakis said that if CAIS gets off the ground, it is an organization in which Enterasys would consider becoming involved.

According to Dan McLean, director of enterprise networking services research at International Data Corp. (IDC) Canada in Toronto, CAIS will have to get focused for it to be of any help to anybody.

“Security is like saying ‘Computing’. It’s a big topic,” he said. He added that all industry groups are well-intentioned, but he said CAIS’s best bet might be to build themselves as a business group supporting security as a business practice. Too often security is thought of as a technology concern and not as a business concern, he said.

With the exact nature of the association not fully defined, McLean said there could be potential problems if the group’s members are a mix of security vendors, businesses and users.

“If it’s a business-vendor group, then I’d be a little more skeptical about how long this group might survive,” he said. McLean noted that in those types of groups, businesses and users get concerned that vendors are there to dig up business and not to listen and discuss industry concerns.

CITO can be found on the Web at