CSO
IT security rates corporate governance focus
Nadia Cameron (Computerworld) 10/09/2003 13:38:49

Enterprise security should be treated as part of a company’s IT governance policy, where the total cost of security is incorporated into its risk assessment framework, an industry representative claims.

IT security governance lies at the core of IT governance and in turn, an enterprise’s overall governance policy, Symantec vice president, Asia-Pacific operations, Vince Steckler said.

“Security is a risk issue…it has got to be put into the audit program,” he said.

As a result, it is critically important for chief financial officers to be involved in assessing the cost of security – with the CIO conveying information security reports to the CFO who monitors company risk, he said.

“Corporate managers should bear responsibility for security issues and be held accountable for breaches of security.”

However, Steckler said the fragmented nature of typical “security metrics” used by enterprises today doesn’t give senior management an overall view of their organisation’s “security posture”.

“Security is often 20 separate pieces that don’t talk to each other. Until all are pulled together, it is extremely difficult to manage IT security as a governance issue,” he said.

Speaking on the latest global security trends at CIO magazine’s annual conference in Sydney on Tuesday, Steckler suggested several new technologies and network infrastructure areas could become the vectors for increasingly destructive security attacks. Potential targets include Wi-Fi infrastructure, Web services, the Internet backbone, instant messenger and P2P services, grid computing and physical infrastructure, such as the Supervisory Control and Data Acquisition (SCADA) network control systems used by utility companies.

He also painted a grim picture of how companies could cope with the current wave of “flash” threats, saying it was impossible to counter critical infrastructure attacks and massive worm-driven distributed denial of service attacks with human or even automated responses.

For example, a “day-zero” threat, which exploits a previously unknown and therefore unprotected vulnerability, would be impossible to prevent through human response, he said.

Steckler divided potential malicious code strategies into three categories: sensing strategies, reactive protection strategies, and proactive protection strategies. These ranged from sensing approaches such as protocol and anomaly detection and distributed sensor networks, to proactive strategies such as generic exploit blocking, network and host intrusion prevention and adaptive security.

Steckler said most companies have implemented a “reactive” security policy, rather than a proactive one. While it is important to learn from what has happened in the past, Steckler pointed to general security metrics, such as awareness of previous security exploits and incidents, surveying security trends, and financial measurement of the cost of security, as key factors for enterprises coming to grips with their security management policy.

On a more general note, Steckler reported IT vulnerabilities were on the rise. According to figures from BugTraq, new vulnerabilities for 2003 are being detected at a rate of 70 per week. In contrast, in 1999 an average of 10 new vulnerabilities were discovered a week.

In addition, Symantec’s most recent Internet Threat Report, conducted over the last six months of 2002, found companies surveyed had suffered an average of 32 validated attacks per week.
