[ISN] Risk management seen as key to IT security

From: InfoSec News (isn@private)
Date: Thu Mar 11 2004 - 22:59:40 PST

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-11"

    http://www.computerworld.com/securitytopics/security/story/0,10801,90987,00.html
    
    By Kathleen Melymuka 
    MARCH 10, 2004 
    COMPUTERWORLD
    
    PALM DESERT, Calif. -- In IT security, emotional reactions, panic and
    legislation are counterproductive. But intelligent risk management can
    enable organizations to face an uncertain future optimistically.  
    That was the message from Merrill Lynch & Co.'s security chief to
    attendees at Computerworld's Premier 100 IT Leaders Conference here
    yesterday.
    
    David Bauer, first vice president and chief information security and
    privacy officer at Merrill Lynch, gave his audience a historical
    perspective on the evolution of IT security, starting with the Morris
    worm attack of 1988. That attack took the Internet by surprise, he
    said. There were no tools to fight back and no source of reliable
    information. Responses were uncoordinated, and the result was
    "complete havoc," Bauer said.
    
    He contrasted that with the Mydoom attack last month, when Merrill
    Lynch combined good tools with a coordinated and carefully planned
    response to understand and contain the threat after just one
    infection. That attack, he said, was "just another event."
    
    "The difference between then and now is tremendous," Bauer said, "and
    preparation is the key." Preparation requires a focus on risk
    management, intelligence-driven prevention and response, security at
    the data-object level and a focus on both the corporation and the
    individual consumer of technology.
    
    "It's easy to get somebody's password, so make the damage that can be
    done by an individual as small as possible," he said.
    
    Bauer also suggested that, since IT security is fundamentally a
    technology problem, it should be handled within the IT operation.
    
    Merrill Lynch's IT security strategy is built around strong
    organization; threat management, including intelligence, planning and
    instant response; comprehensive security services; attention to public
    policy, including active attempts to educate legislators; and agile
    response to the changing risk environment, he said.
    
    A key component of that strategy is dynamic risk assessment. Using
    tools such as scanners, log analysis, risk metrics and asset
    inventory, Merrill Lynch's security group produces a biweekly security
    brief analyzing and prioritizing current threats. "That allows us to
    go from a circle-the-wagons approach to intelligent risk management,"  
    Bauer said.
    
    In response to audience questions, Bauer said that as a percentage of
    the IT budget, Merrill Lynch's security service costs less than that
    of any competitors. "It's not about how much you spend but how well
    you spend it," he said. "We're not making vendors rich, but if we buy
    something, we use it."
    
    He also noted that about half of his spending is advisory, helping the
    company build secure systems, while the rest goes toward risk
    management, prevention and response.
    
    Bauer addressed the problem of legislation, which he said drives up
    costs and takes resources away from actual risk mitigation. "Part of
    our strategy is our Legislative Watch," he said. "We try to keep ahead
    of legislators and influence them, if not to cancel legislation at
    least to word it properly." He urged all corporations to do the same.
    
    Looking ahead, Bauer predicts that the threat picture will be
    "interesting." But with defenses built around thoughtful planning, he
    said, "I'm optimistic about our chances for success."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Mar 12 2004 - 01:33:11 PST