Keys to effective security

Security is a process, not a state. CIOs need to ensure that their enterprise has the right balance between security risks, dollars and defences.

Decades ago, a reporter asked the notorious American bank robber Willie Sutton why he robbed banks. He replied, “Because that’s where the money is.” Now the money (and valuable information) is in computers and computer networks.

The events of September 11, 2001 have exacerbated fears of “cyber terrorism,” but even before those attacks, the trend in computer crime was up at all levels – from vandalism to for-profit crimes.

My EXP colleague, Richard Hunter, author of the insightful and controversial book ‘World Without Secrets’, recently headed a team working on the challenge of ‘how much information security is enough?’ They concluded that people and process are the biggest issue, not technology.

Here are some things to keep an eye on.

Insiders are the biggest threat

Historically, insiders have been responsible for the vast majority of loss-bearing digital security breaches. Such losses can’t be eradicated, but they can be reduced by scrutinizing staff.

Know and verify a person’s background. In 1994 the American Cancer Society of Ohio hired an employee with three undisclosed felony convictions for theft and fraud. By 2001 that employee had risen through the IS department to become CFO and had stolen US$7 million.

Train personnel to be aware of security policies and their responsibilities. Repeat the training regularly. Ensure that security policies are being properly implemented.

Tie access rights to defined roles or positions. Set explicit, published limits; monitor them, and follow up with investigations when they are exceeded.

Draw on specialist security organizations to provide advice and support.

Implement a formal security policy

A security policy is a set of business rules that represent the enterprise’s tolerance for risk and the security measures that enforce that stance.

Policies should be based on industry standards, such as COBIT or ISO 17799.

Evolve the security architecture

Enterprise security has historically been based on the “fortress” model: static and undifferentiated, difficult to change, location-specific and reliant on a very few mechanisms (strong walls and a locked gate).

The emerging “airport” security model is more flexible and situational, with multiple zones of security based on role.

Point-to-point “dynamic trust” is the future model for a highly networked world. It requires point-to-point authentication and trust, from any user on the network to any other user.

All three models are responses to specific risks and eras. The fortress worked in the mainframe era. The airport model works for most enterprises now. The point-to-point model is required for a world where high levels of commerce are conducted wirelessly, anywhere, anytime.

Measure security effectiveness

Without metrics, enterprise digital security runs blind. Measures should include the types of attacks (both successful and unsuccessful), the perpetrators (if known), the targets of attacks, the effectiveness and per-incident cost of defences, and the losses attributed to attacks.

Balance risks and defences

First, analyze targets and threats. Identify and value the assets that may be at risk – business processes, markets and databases – in terms such as loss of revenue or market share. Translate intangibles, such as loss of reputation, into economic terms by estimating the effect on sales and customer retention, regulatory penalties or fines.

Second, calculate the annual risk for each attack scenario. The result of this phase is a prioritized list of your risks.

Third, from the prioritized list, identify which risks to address and how each can be addressed.
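The following script is an added example, not code from the article or from Gartner. It ties the two preceding sections together: it first computes the metrics listed under “Measure security effectiveness” (attack types, success rates, targets, losses and per-incident handling cost) from an incident log, then uses the observed number of successful attacks as the annual rate for each scenario, prices the scenarios as annual risk (single-loss expectancy times annual rate, a common convention that the article does not spell out), and ranks them against the cost of the proposed defences. All incident records, asset values, exposure factors and control costs are constructed figures; the `Incident` and `Scenario` types and the one-year observation window are assumptions for illustration.

```python
# Added example (not from the article): derive the metrics the text lists
# from an incident log, then use observed attack frequency to price each
# attack scenario and rank proposed defences. Every figure is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    attack_type: str
    target: str
    succeeded: bool
    loss: float           # loss attributed to the attack (0 if it was blocked)
    response_cost: float  # cost of detecting and handling this incident


# Constructed one-year incident history (hypothetical values).
INCIDENTS = [
    Incident("phishing", "finance-mailboxes", True, 40_000, 5_000),
    Incident("phishing", "finance-mailboxes", True, 12_000, 1_500),
    Incident("phishing", "hr-mailboxes", False, 0, 500),
    Incident("phishing", "hr-mailboxes", False, 0, 500),
    Incident("insider-fraud", "payments-db", True, 250_000, 30_000),
    Incident("web-defacement", "public-site", True, 8_000, 2_000),
    Incident("web-defacement", "public-site", False, 0, 300),
    Incident("web-defacement", "public-site", False, 0, 300),
]


def attack_metrics(incidents):
    """Per attack type: attempts, successes, success rate, targets hit,
    total loss attributed, and average per-incident handling cost."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc.attack_type].append(inc)
    metrics = {}
    for kind, group in groups.items():
        attempts = len(group)
        successes = sum(1 for i in group if i.succeeded)
        metrics[kind] = {
            "attempts": attempts,
            "successes": successes,
            "success_rate": successes / attempts,
            "targets": sorted({i.target for i in group}),
            "total_loss": sum(i.loss for i in group),
            "avg_response_cost": sum(i.response_cost for i in group) / attempts,
        }
    return metrics


@dataclass(frozen=True)
class Scenario:
    attack_type: str
    asset_value: float      # step one: the valued asset, in currency units
    exposure_factor: float  # fraction of that value lost per successful attack
    control_cost: float     # annual cost of the proposed defence
    control_effect: float   # fraction of the annual risk the defence removes


# Constructed scenarios with hypothetical valuations and control estimates.
SCENARIOS = [
    Scenario("insider-fraud", 5_000_000, 0.05, 60_000, 0.8),
    Scenario("phishing", 400_000, 0.10, 25_000, 0.6),
    Scenario("web-defacement", 100_000, 0.08, 30_000, 0.9),
]


def annual_risk(scenario, metrics):
    """Step two: annual risk = single-loss expectancy x annual rate.
    The rate is the number of successful attacks in the (assumed) one-year
    history; a scenario with no recorded successes gets a rate of zero."""
    single_loss = scenario.asset_value * scenario.exposure_factor
    rate = metrics.get(scenario.attack_type, {}).get("successes", 0)
    return single_loss * rate


def prioritize(scenarios, metrics):
    """Step three: rank scenarios by annual risk and flag the defences whose
    expected risk reduction exceeds their annual cost."""
    rows = []
    for s in scenarios:
        risk = annual_risk(s, metrics)
        reduction = risk * s.control_effect
        rows.append({
            "attack_type": s.attack_type,
            "annual_risk": risk,
            "risk_reduction": reduction,
            "control_cost": s.control_cost,
            "worth_funding": reduction > s.control_cost,
        })
    rows.sort(key=lambda r: r["annual_risk"], reverse=True)
    return rows


if __name__ == "__main__":
    m = attack_metrics(INCIDENTS)
    for kind, row in m.items():
        print(f"{kind:15} attempts={row['attempts']} succeeded={row['successes']} "
              f"loss={row['total_loss']:,.0f} avg_response={row['avg_response_cost']:,.0f}")
    for r in prioritize(SCENARIOS, m):
        print(f"{r['attack_type']:15} risk={r['annual_risk']:,.0f} "
              f"reduction={r['risk_reduction']:,.0f} cost={r['control_cost']:,.0f} "
              f"fund={'yes' if r['worth_funding'] else 'no'}")
```

With the constructed data, insider fraud ranks first and its control is clearly worth funding, phishing comes second and still clears its control cost, while the defacement control costs more than the risk it removes and drops to the bottom of the list. A single year of incident history is a thin basis for an annual rate, and a scenario that has not yet occurred prices at zero here, so in practice the observed rate is blended with industry or threat-intelligence estimates before the ranking is trusted.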

Track industry spending norms

Industry norms for security spending and staffing provide an initial sanity check on total defence costs. Gartner research forecasts that industry-wide spending on security will grow to 5.4 per cent of IT budgets in 2003 (from 4.3 per cent in 2002 and 3.3 per cent in 2001).

Continuously monitor security arrangements

By the end of 2004, Gartner believes that 75 per cent of enterprises will be required to provide security status information to multiple government agencies. Enterprises with immature security programs will spend up to 15 per cent of their security budget to comply.

Even absent regulatory requirements, Gartner estimates that the cost to mitigate the damage from a successful attack is at least 50 per cent higher than the cost to prevent it. It’s best and cheapest in the long run to develop a capable program before being forced to act by legislation.

Dr. Marianne Broadbent is Group Vice President and Global Head of Research for Gartner’s Executive Programs.