[ISN] Corporate IT risks and physical threats are changing security deployment

From: InfoSec News (isnat_private)
Date: Thu May 22 2003 - 22:22:01 PDT

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary"

    http://www.computerworld.com/securitytopics/security/story/0,10801,81444,00.html
    
    By JAIKUMAR VIJAYAN 
    MAY 22, 2003
    Computerworld 
    
    PHOENIX -- Growing IT and physical risks and emerging regulatory 
    requirements are transforming the manner in which security functions 
    need to be viewed, implemented and managed, said executives at the 
    SecurIT 2003 Summit here this week. 
    
    For instance, it is becoming increasingly important for companies to 
    look at IT and physical threats from a common, unified risk-management 
    perspective, said Dennis Treece, director of corporate security at the 
    Massachusetts Port Authority in Boston. 
    
    As one of the executives in charge of securing Boston's Logan 
    International Airport, three seaports and a major toll bridge, Treece 
    is focused primarily on physical infrastructure protection. But he 
    also oversees the IT side as well, sitting in, for example, on all 
    meetings regarding the implementation of a new Gigabit Ethernet campus 
    LAN at Logan Airport. 
    
    Such unified oversight of security functions is not only necessary, 
    but inevitable, he said. "At the end the day, the board is going to 
    see no difference between network and physical security. There's going 
    to be a single security budget line item. It's all the same risk," he 
    said. 
    
    The need to comply with emerging privacy regulations and other laws 
    also means that IT security organizations will have to collaborate 
    better with other corporate functions such as legal, audit and human 
    resources, said Robert Degen, senior vice president of corporate 
    security at First Data Corp. in Englewood, Colo. 
    
    Such alliances will become crucial in securing the money and support 
    needed to implement enterprisewide security in future, he said. 
    
    "You can't go it alone like a Don Quixote," said Degen, who, like 
    Treece, oversees both IT and physical security for First Data. Degen 
    reports to First Data's chief auditing officer, an arrangement that he 
    said has allowed security to remain a top issue at the board level. 
    
    It is crucial for security executives to be proactive in overcoming 
    notions of security as an expensive and non-revenue-generating 
    function, users said. And that means being able to put a dollar value 
    on risk as much as possible, especially at a time when IT spending 
    overall has been considerably tightened, Treece said. 
    
    Jude Ogunleye, a systems administrator at Cascade Natural Gas Corp. in 
    Seattle, is thinking of getting his company's network tested and 
    analyzed by a third party to highlight weaknesses that could be 
    exploited in future. The idea is to demonstrate just "how much money 
    you can lose with a downtime," he said. 
    
    While getting funding for security initiatives is easier than it was a 
    few years ago, "a business case for information security will most 
    likely still have to be made in almost all organizations if drastic 
    changes in funding or staffing are expected," said Jason Witty, 
    director of global security architecture at Aon Services Corp., a 
    subsidiary of the $8 billion Aon Corp. in Chicago. 
    
    That means "companies need to understand their risks, prioritize them 
    based on their corporate risk tolerance and then craft budgets and 
    plans to both manage those risks appropriately and to measure how well 
    the risks were handled," he said. 
    
    The use of statistics, live demonstrations showing how easy it is to 
    compromise data, recitation of regulatory requirements, presentation 
    of internal metrics and measurements that depict infosecurity problems 
    that must be solved are all ways of securing what is needed for 
    security, he said. 
    
    To get upper management's approval for the resources needed for 
    security, Witty recommended using statistics, giving demonstrations 
    showing how easy it is to compromise data, explaining regulatory 
    requirements and presenting internal measurements that depict 
    infosecurity problems that must be solved. 
    
    The value of clearly articulating security concerns at high levels is 
    crucial, Degen said. First Data's infosecurity team, for instance, 
    managed to persuade management of the need to build "firebreaks" 
    between the networks of several of the companies it has acquired over 
    the years. The security measure was approved even though it ran 
    somewhat counter to the company's corporate goal of building a 
    seamless and unified network. 
    
    "Security organizations will need to be in the face of senior 
    executives and board members in the near future," said Bruce Azuma, 
    corporate director of IT at Wilbert Inc., a holding company in the 
    funeral services and industrial plastics businesses. The heightened 
    awareness about IT and physical risks has broadened the company's 
    approach to security. 
    
    Instead of virus protection and network management, the focus these 
    days is more on intrusion prevention, physical security and disaster 
    recoverability. Security executives "need to be reminding high-level 
    folks of the business exposure they have if tight security measures 
    are not taken," Azuma said. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri May 23 2003 - 00:30:05 PDT