[ISN] Security Gets Top-Level Attention

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 01:21:53 PDT


    Tom Stein
    Sep 16, 2003

    Akhil Bhandari, VP of IT at CCL Industries Inc. in Toronto, has
    noticed an interesting trend. Lately, members of the executive team
    have been sending him E-mail about viruses, security breaches, and
    acts of cyberterrorism they've read about in the news. These
    executives, including the CFO, COO, and even the CEO, just want to make
    sure the $1.2 billion contract manufacturer of popular consumer
    products is adequately protected.

    "Security is certainly more of a discussion point among executives
    these days," Bhandari says. "More than ever, I have to keep our
    executive team abreast of what's happening out there and what we need
    to do about it."

    Bhandari isn't alone. A recent survey of 815 business-technology and
    security professionals, jointly conducted by Optimize and
    InformationWeek, found that senior executives are taking a greater
    interest in information-security issues and having a stronger say in
    how security dollars are spent.

    Some 46% of respondents said the CEO, president, or managing director
    sets spending for information security. That's a lower percentage than
    in previous years, which may be because many companies are setting up
    committees to help direct security spending. A growing number are also
    hiring chief security officers who manage the security budget. AOL
    Time Warner Inc. and Sun Microsystems Inc. are among the high-profile
    companies that have made chief security officer hires in the past
    year. According to Meta Group, only about 30% of Fortune 1000
    companies have a chief security officer or equivalent, but 95% say
    they need to hire someone in that role.

    High-level input

    Not only high-profile news events are capturing executives' attention.
    The security spotlight is also on a slew of new federal and state
    regulations, such as the Sarbanes-Oxley Act of 2002, California's
    Security Breach Notice Law, and the Health Insurance Portability and
    Accountability Act (HIPAA), that are dramatically affecting the way
    companies handle customer information. Executives are becoming more
    proactive in making sure their companies comply. Moreover, the rise of
    Web services and business collaboration has generated more vigorous
    discussion about security and concern about critical data falling into
    the wrong hands, or worse, being compromised by business partners.

    Significantly, more than half of the survey respondents said
    regulatory requirements are the primary drivers of new investments in
    information-security products and services. Other reasons cited
    include potential liability/exposure (70%), potential revenue impact
    (41%), and partner/vendor requirements (24%).

    Bert Reese, VP and CIO of Sentara Healthcare, which operates six
    hospitals and offers health-care coverage to 300,000 members, says
    until this year information-security issues failed to reach the
    executive suite. Senior-level management never gave much thought to
    issues such as intrusion detection and disaster recovery, he says;
    they simply entrusted him to take care of those things. But the new
    HIPAA regulations and other compliance issues suddenly have the
    corporate suites buzzing with interest.

    Gene Fredriksen, VP of information security at financial-services firm
    Raymond James Financial, believes some of his peers still need to do a
    better job of marketing their security organizations. For example,
    they could demonstrate how better security lets the company safely
    open up some of its systems to customers and business partners over
    the Internet at a fraction of the cost. In the past, whenever security
    people needed more money, they would scare the CEO with a litany of
    horror stories, Fredriksen says. But in lean economic times, that
    approach won't work. To be successful, security officials must talk
    the language of business.

    "They must identify risk and also quantify the potential damage to the
    business and propose a budget," he says. And they have to educate
    senior executives about the latest happenings on the security front.

    To that end, Fredriksen publishes a monthly newsletter for board
    members and executive management. He uses graphics to underscore
    high-, medium-, and low-level attacks identified by the firm's
    intrusion-detection system. He also tracks firewall breaches and virus
    infections. The newsletter contains brief articles on emerging
    security trends and legislation to keep senior executives abreast of
    the big stories even before they reach the major newspapers. By
    keeping his senior executives educated, and hitting them with the right
    message at the right time, Fredriksen has managed to incrementally
    raise the security budget in relation to the overall IT budget. This
    year, the company will spend more than $1 million, almost 5% of the
    overall IT budget, on security initiatives, putting the company in the
    top 15% of respondents.

    Some companies pay a high price for not adequately investing in
    security. Survey participants reported that breaches result in
    compromised information confidentiality (13%), loss or damage to
    internal records (7%), lost access to customer records (7%), and
    compromised customer records (5%). However, these are minor when
    compared with the loss of business applications (49%) and network
    unavailability (45%). Only a handful of companies admitted to being
    hard-hit financially by information breaches or espionage. Half of the
    sites surveyed reported losses less than $100,000. Nearly a third
    reported no dollar losses attributed to security attacks.

    ECMD Inc., a $100 million manufacturer of building components for the
    housing industry, needs to guard against industrial espionage and
    protect its systems from potentially malicious or nosy employees. To
    date, the company hasn't come under serious attack, but hackers have
    broken into its Web sites and engaged in general vandalism. "We don't
    keep any sensitive data on our Web sites, so the loss wasn't
    significant," says VP of IT Steve Brown.

    CCL Industries has also come under hacker threats. The company engages
    in online commerce with business partners and suppliers. To ensure the
    integrity and security of its mission-critical data, CCL has
    established a stand-alone collaborative commerce platform that's fed
    information from CCL's internal ERP and E-commerce systems. As a
    result, suppliers can log on to the platform, but can't update any
    records or see anything that CCL doesn't want them to.

    Network firewalls and virus-detection software are the tools primarily
    used to keep systems free of security breaches. Virtual private
    networks continue to grow in popularity: Fully 71% of sites report
    using VPNs to protect operations in 2003, compared with 58% in 2002.
    Private encryption is also gaining ground.

    One big challenge is striking the appropriate balance between the need
    for security and its cost. Indeed, survey respondents reported that
    capital expense was one of the most significant barriers to effective
    security in their companies (44%). Other obstacles include the
    increasing sophistication of threats (49%), lack of time (37%), lack
    of qualified staff (31%), and complexity of the technology (24%).
    Another 24% cited lack of management support, which means that while
    security is gaining stature in some organizations, it's still an
    afterthought for many.

    Victor Wheatman, managing VP of research firm Gartner Inc., says most
    companies still don't think about the cost of security before they
    build or implement new systems. He estimates that adding proper
    security raises the cost of application development by 30%. "Too many
    companies rush ahead and forget about security," he says. "And then
    they get a big surprise after the system is up and running, and they
    realize they now have to factor in security."

    In one case, ECMD's Brown, along with his senior executives, decided
    to abandon an online initiative with a particular partner because,
    among other issues, security costs were too high and simply outweighed
    any potential benefit. "Security absolutely plays a role in
    determining whether we partner with a certain vendor and whether it's
    worth the extra cost," he says.

    One solution is to outsource information-security services to a third
    party, much as companies do security guards. But the trend is still in
    its infancy. Only 17% use outside firms to host security systems. Most
    want to outsource systems implementation, strategic consulting,
    integration, and technology transformation.

    The onus remains on IT and security professionals to educate upper
    management and encourage participation in security planning. "If there
    is no awareness of risk at the executive level," Fredriksen says,
    "security will not receive the level of funding it deserves."

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 17 2003 - 04:00:59 PDT