Shared knowledge key to security success

Bayerische Landesbank’s senior leaders felt they had one of the best possible contingency plans in place to meet potential disasters or emergencies. The loss of life in the Sept. 11 terrorist attacks highlighted a gaping hole in that plan, according to David John, the New York-based bank’s vice-president and CIO.

“Without personnel, without staffing, what good is a disaster plan?” he asked an audience of IT leaders at Computerworld’s Premier 100 conference in Palm Desert, Calif.

Sept. 11, along with the Nimda and Code Red worms, moved information security to the top of the priority lists of most businesses. Many still aren’t addressing it systematically, and they won’t until they band together – even with their competitors – to share knowledge and guard against real worst-case scenarios, said panel moderator Eddie Schwartz, senior vice-president and chief operating officer at Guardent Inc., a Waltham, Mass.-based information security firm.

The frustration felt by many IT leaders was highlighted by an informal interactive poll taken during the conference session: While 80 per cent of attendees said security has become one of their top priorities, only eight per cent said their security budgets are appropriately funded.

Risk assessment, education and training are more critical to information security than high-cost systems, said panelists.

“You don’t need to throw technology at this,” said Russ Lewis, executive vice-president and CIO at GFInet Inc., an online trading company headquartered just six blocks from the World Trade Center site in New York. “Just be prepared. Go back to the old Boy Scout adage.”

Lewis said that after the attacks, the number one hole in GFInet’s disaster recovery plan was its vendors.

“Before Sept. 11, security was always seen as our problem,” said Lewis. “We always chose functionality” over security when choosing vendors, he said. Now the company questions whether vendors will be around during a crisis and if GFInet’s data will be secure in their systems.

GFInet’s primary telecommunications vendor was Verizon Communications, said Lewis. The company also had contracts with WorldCom Inc. and General Electric Co. Without them, “we would have been dead,” he said.

The growing trend within IT departments to simplify systems and cut back on the number of vendors they use could be a mistake, said Lewis. Instead, he suggested diversifying vendor communities.

“Triage your systems, and triage your vendors,” Lewis said, adding that he chose more expensive vendors because they had better security processes in place. “Know who you depend on for what.”

Howard Schmidt, vice-chairman of President Bush’s Critical Infrastructure Protection Board and formerly chief security officer at Microsoft Corp., suggested centralizing information security management but decentralizing execution. That way, everyone knows what to do, but there’s someone at the center controlling everything, he explained.

Training and education are also critical. “You fight like you train,” Schmidt said.

Schmidt said that the Information Sharing Advisory Councils (ISACs), which were created so business and government can quickly share security threats and information to protect the nation’s critical infrastructures, have been so effective that they’re being expanded beyond the original seven focus areas. And he stressed that those ISACs can help businesses self-regulate rather than have security regulations imposed by government.

In terms of security, Schwartz also offered the following advice to IT leaders:

    Simplify system configurations. There are so many moving parts in IT, but “it’s got to be simpler,” he said.
    Educate employees about information security. Everyone knows not to open e-mail attachments, but they still do it. Employees still log into company systems from their unprotected home Digital Subscriber Line connections. People need to better understand the implications of such actions, he said.
    Make sure software patches are applied frequently. “As long as we have humans writing code … we’re going to have to deal with patch management,” he said.

Mack Hicks, senior vice-president of Charlotte, N.C.-based Bank of America Corp., said executives need to change the old stereotype that information security is a dead-end career in order to get effective leaders to take charge of security. He suggested that companies make it clear those managers can move in and out of information security jobs and that it’s a dynamic field that can advance their careers.

Schwartz also advised companies to honestly assess the threats to their organizations, both internally and externally, and the value of their assets. For instance, if companies don’t need to have 99.999 per cent uptime on all systems, that shouldn’t be their goal, he said.

These are questions that need to be addressed because they’re not going away, said Schmidt. Schwartz added that he believes that the world hasn’t even begun to witness the scale of future cyberattacks and that there’s already empirical evidence that terrorists are probing corporate systems.

“I think security will stay in the top three [priorities] forever,” he said.