What Canadian business says and does when it comes to the issue of IT security are two very different things.
End-user security research by IDC Canada in 2000 discovered what might be termed a “disconnect” between reality, perception and reaction – a situation that probably hasn’t changed much today.
The survey of 200 Canadian business and IT professionals from medium and large companies found 75 per cent of respondents admitting that their companies had been victims of at least one computer virus during the past 12 months. Fully one in four said they were aware of an outside breach or intrusion by a hacker and/or malicious cyber attacker during that same period.
Additionally, IT security ranked as a “very important” concern for more than half the respondents while another 40 per cent ranked it as a “concern.” However, the “disconnect” came in the doing; most of these same respondents reported spending less than 5 per cent of IT budgets on security – hardly enough for most businesses to impose a comprehensive solution.
Those who provide security solutions and services to Canadian business admit that proactive and holistic security has always been a tough sell. CIO Governments’ Review recently discussed the issue with two representatives of Network Associates, a leading security solutions provider: Gus Malezis, vice-president of sales for Canada, and Vincent Gullotto, director of the company’s AVERT anti-virus software labs, focused mainly on private sector businesses – but many of their remarks apply equally to the public sector.
CIO Governments’ review: IT security remains an area of high interest for enterprise customers, arguably high concern, but little investment. Why is that?
Gus Malezis: The short version of the answer is that it comes down to the way IT operations manages its business. They really don’t have a structured methodology for managing the business and identifying cost return investment benefit to the organization. So when the time comes to make decisions on investment in skill, in training and in infrastructure, it becomes a discussion based on anecdotal versus empirical data.
The direct comparison is that if you look outside of IT and the way a corporate enterprise runs its business, they use some type of ERP (enterprise resource planning) application … and there’s a process in place that follows well-accepted, structured guidelines. So they collect a lot of information, operate the business based on those parameters, and the company understands this and when it looks at the end results they have clear, crisp, empirical data, for the most part.
When you switch over to IT, they don’t capture information as well as they need to and they don’t collect trending data that can be used to identify problems. So when the time comes in the new year to do budgets and they need to make certain business decisions for IT, many (companies) are ill equipped to make those objectively and in an informed way.
CIO Governments’ review: So is it an issue of not being able to look at a thing like IT security in a business way?
Malezis: Absolutely. The people that are right now making IT security decisions and security investments are business decision makers and not those from IT. Those from IT might say to business, “Look, we might have a threat or problem here,” and there will be a discussion about what it might cost (the business if it occurs), and the response to that question will be, “It’s hard to really tell.”
How do you make a spending decision based on that type of answer? It’s extremely difficult. If you can attach dollar figures and productivity losses to some of these generic security elements – like virus attacks, breakout, outages, denial of service attacks – then, at the end of the month or the year or the quarter, you can say, “Look, we had these issues and here’s what it cost the company.”
CIO Governments’ review: Are businesses up to the task of IT security? Should they be bringing in outside experts – services companies that may be in a better position and have the skill sets to put in something that’s comprehensive and holistic?
Malezis: Yes and no. I personally don’t feel there are that many experts.
CIO Governments’ review: No, that’s true, but the available experts tend to reside in services companies such as consulting agencies. It’s certainly difficult if not impossible for most regular businesses to hire these experts.
CIO Governments’ review: I would caution that (security consulting) organizations never actually execute a solution. They’ll design a solution, give you something the size of the Yellow Pages telling you, “Here’s what you should do.” I think there’s another fundamental problem. We are still dealing with a niche set of solutions that need a substantial degree of integration. If you think of security, you need anti-virus, software distribution systems, firewalls, VPNs, encryption – a whole lot of things, and you can’t go to a single vendor to get all that.
CIO Governments’ review: Is that part of the problem? That the market around IT security is made of all these niche players and there aren’t enough vendors or companies out there that have the total package?
Malezis: Yes. Most of them are still operating in silos of expertise, and interoperability is an issue. (Security solution companies) have yet to branch out and cover multiple layers of the onion, so to speak. If you think about properly securing your network, not only do you have to (design) the security system that ties into your physical infrastructure, then you have to go and implement it. You probably need to go to as many as eight different vendors to get everything you need, plug all of it together and make it all manageable.
CIO Governments’ review: Is the responsibility for IT security in the wrong hands? Should it be a business or IT concern? Who should have the ultimate responsibility?
Malezis: I personally believe it should be a business responsibility. Just as companies are audited to ensure that they use generally accepted accounting practices and guidelines, they should also be audited to see whether they use generally accepted IT guidelines for things like security – and these do exist. It should be part of the business and ultimately IT (professionals) need to execute whatever policies are established by business decision makers.
CIO Governments’ review: Why is it, then, that by and large the opposite situation exists – that IS seems to have the ultimate responsibility?
Malezis: I think most business decision makers don’t understand a lot of the implications of IT security and it becomes a secondary orphaned child. The Internet (for example) offers a great vehicle for marketing more goods and services at a lower cost, faster and cheaper, but there is risk. We (traditionally) have not seen the elevation of CIOs into the business executive table. We’re now starting to see them at the table, and we ourselves are spending a lot more time in front of, not just CIOs, but CxOs, talking about how they can improve their business. It’s certainly a trend and it has pushed business decision makers to think about IT and how to structure that portion of the business.
CIO Governments’ review: But, if I’m a business guy, I want to know two fundamental things: How can I make money and what can I do to save money. That seems to be a missing link in any discussion of IT security. It’s a concept largely being sold as technology to the IS side and that discussion doesn’t resonate with business. And that’s probably why the IS folks are left to worry about it. Is this a failure on the part of the industry and the vendor community, not being able to sell to the business group?
Malezis: I would say that’s certainly a problem. We don’t talk about ROI (return on investment) in IT security as much as we should. When we talk about security solutions, it’s focused on productivity loss as opposed to productivity gain. We talk about what will happen if your network is down versus what happens when your network is up and running and properly secured. It’s a lot more difficult to capture the latter aspects (in terms) of productivity gain because we are not the individuals running and mapping the business, looking to see what is the potential. We’re a technology solution provider. At the end of the day, that’s what we do for a living. And we try to provide an integrated solution methodology. So the part that we can’t fall back on and articulate is, if your network is down this is your productivity loss.
CIO Governments’ review: Can you help a company, for example, understand the implications of a breach and what it might potentially cost a business? There are a lot of generic stories out there and we all know them, but what seems to be missing is the ability to illustrate what it might cost my company. Can you demonstrate to me as a customer what degree of pain I’m going to experience and what cost implications there are for my particular business? How many vendors have that capability?
Malezis: I don’t think we have a formula to articulate that. I don’t think there’s a well-developed formula available anywhere, whether we talk to vendors, analysts or business people. We certainly have work to do there, to figure that out. When do you install a security system in your home – after you’ve been broken into? Up until that time most people aren’t prepared to act. The other element may be a culture element. Canadians are a trusting society in general compared to other parts of the world. We trust government and expect (them to) do the right things for us.
CIO Governments’ review: On that note, how effectively are governments dealing with IT security?
Malezis: My understanding, as far as Canada is concerned, is that they have without a doubt cemented and formalized the fact that they need to secure desktops. Within the government in Canada you have pockets of absolute expertise and leadership. You also have the opposite side of the spectrum. There are some departments that are totally internally focused – so why would they need exceptional security?
CIO Governments’ review: How coordinated are government IT security efforts? Do different departments and units go off doing their own thing with respect to security?
Malezis: I can certainly comment from my view in terms of what I see. Obviously it’s a question for the government itself. I would say that government security agencies, like National Defence and the RCMP, have their own specific unique plan that is designed and built based on (the needs of) their business, whatever that might be. The other departments, like Statistics Canada or CCRA and so on … have more of a common design in their security infrastructures.
Vincent Gullotto: I can’t comment on the Canadian government … but in the United States, the Department of Defence has taken things like virus control and virus security, for example, very seriously, especially over the past three years. They’ve worked to develop practices and processes in which they can seal an environment if it becomes infected or find ways in which they can prevent infection. One of the ways that we look at outbreak situations is to determine whether a specific entity within the government has been infected. If it has, then we look at the extent of infection and that helps gauge how far a virus will spread in the United States or how far it might spread beyond the United States.
CIO Governments’ review: When you look at the entire spectrum of government, how wide a variance is there in terms of the use of IT security solutions with respect to departments and agencies? I would expect, for example, that defence departments have extremely comprehensive solutions, while motor vehicle departments would be significantly down that scale. I would not expect consistency throughout.
Gullotto: Yes. Generally speaking, the more that government and companies in general have to lose, the tighter and more comprehensive the IT security being utilized.
CIO Governments’ review: Is there a first-things-first approach to creating an appropriate level of IT security? Should a company, for example, impose rules of behavior first before implementing IT security tools?
Gullotto: They should probably start by looking at what other companies in their industries might be doing, and then look at history. History tells us that in the security area, viruses are the biggest problem. So you start by saying, “I need to get a good anti-virus product.” From there…the next problem is hackers and attackers trying to get to you from the outside. So you get a firewall for that. You have to then start working with the people who build your network and assemble the other aspects of security and performance management, to make sure you have an entire package working together.
Malezis: You also need to consider how (IT security is designed and planned). It needs to be planned from a business perspective and always involve IS. They need to work together. Are there well-regarded frameworks for this? I think we’re seeing some. However, are they generally as well developed as other aspects of IT? No – not by a long shot.