Profile: Security demands cultural change
ACS, Information Age
14/10/2003 12:27:06
For corporations to accept security as a routine business cost, there needs to be a significant cultural change in managerial thinking: security must be treated as part of the cost of doing business, not as an optional extra.
"In the same way that everybody came to accept seatbelts as second nature once educated in the dangers of driving without them, so business must come to realise that just paying lip service to security can lead to fatal disruption," says Vijay Varadharajan, Professor in Computing at Macquarie University and ACS Technical Board Director.
Recent events have hastened community realisation of how disruptive viral attacks and hacker intrusions can be, but decision-makers have yet to translate their concerns into action by devoting management and financial resources to securing their enterprises.
While management awareness of security as an issue has grown rapidly, it must move further towards setting strategic policies and practices in risk assessment, procurement of security technology and recruitment of competent practitioners to implement those strategies.
"While virus fire fighting by continual patching and so forth will go on, there has to be a much wider cultural change to approach security from a preventive perspective, rather than merely reacting to events.
"Security will always be a race and there can always be opportunities for failure, given the difficulty in trying to predict specific threats. While security technology is continuously advancing and is generally keeping pace, and evolving standards are bringing some stability to systems and applications, management must engender a high level of consciousness across the enterprise."
Management has to accept that security is a cost of doing business, just like brand development or providing worker entitlements, he says, and it has to be given the same level of commitment in planning and execution.
Security is a business enabler, a core business process requiring all key stakeholders to contribute to setting strategies for prevention and recovery.
Continuing risk assessment, for example, must be a formal process, so that security can be applied at the appropriate level as a business's circumstances change and as perceived threat levels vary, ensuring a best fit over time.
"The fact that decision-makers are thinking about security - and they weren't before - is a step in the right direction, but they must translate this awareness into action by devoting the required dollars to it."
But establishing procedural change, particularly in the recruitment of security practitioners, requires care in ensuring the necessary levels of competence are in place.
"While the industry is sorting out the men from the boys in this regard, there are still opportunists out there, cowboys if you like, who seize upon this heightened awareness without the required breadth and depth of skills and experience.
"There is not yet a properly established certification process, a competency yardstick if you like, to give recruiters sufficient confidence in their selection process, but it's an issue which is recognised and being addressed at industry level. This is becoming an increasingly urgent issue, which is not only helpful for the industry as a whole but also for employers and professionals."
Similarly, there needs to be more consistency across security vendors' offerings if business is to be able to develop comprehensive solutions; there is a multiplicity of ways to implement a security strategy, but the task is not made easier by a lack of interoperability between systems, let alone between security technologies.
"Security cannot just be vendor-centric, it's a holistic process."
Strategy development must be escalated to become a governance issue, taking it beyond the levels of responsibility ascribed to the chief security officer (CSO) role, which has gained popularity over the last couple of years.
"The CSO role is all encompassing, from the operational side securing physical assets to everything and anything. I think the time has come to think of security both in the context of strategic issues and operational issues, with a clear presence in the decision making at the management level related to core business functions. It is significant to note that in companies such as Microsoft, there has been some systematic thinking done in this area to create roles such as chief security strategist and privacy officer."
He sees strategy development beginning at the convergence of the business requirements, technology and legal considerations such as privacy and ethics. An effective enterprise-wide strategy will need to bring these three aspects together.
"There are ethical issues and these must be recognised as such and addressed. Corporations can take a dictatorial or democratic approach to the question but the answer lies in achieving a balance. It is part of management and its style to find the right balance which is consistent and based on common sense through effective consultation.
"It's another facet of this growing awareness of security and privacy, and like others, has to be taken into proper consideration."
In the broader view of things, we need to take appropriate measures to identify and counteract threats. This needs to be done by bringing together a range of things, such as an increased understanding of the various technologies and how they work, greater involvement of strategic security thinking at senior management level, greater integration of business processes and security requirements, and greater cooperation among governments, corporations and agencies in controlling the propagation of attacks.
While these are happening on the technology and business fronts, there is also a need to coordinate international legal frameworks and structures in parallel to ensure consistency and effectiveness.
"As a final remark, I would say a fundamental issue of many of the above is trust. Trust is a complicated thing. It has multiple dimensions: technological, business, social and legal. Trust is the basic foundation of security and privacy. It is key to doing business and security technologies need to provide mechanisms and techniques to establish such trust. It is one of the fundamental technological challenges that we need to address in this era of pervasive mobile networked computing."