Hardware and perimeter defences will not protect an organization from a vengeful or greedy hacker, according to Steven Branigan, former Bell Communications senior systems engineer and founding member of the New York City Electronic Crimes Task Force.
"Internal employees, like those who are disgruntled, are more likely to be seeking revenge and the only way to mitigate against that potential threat is through policy; technology will never solve the problem for computer and cyber security - although it is an important factor," Branigan told delegates at the AusCert conference yesterday.
At the Department of Education, Science and Training, IT is using a roadmap that combines proposed policy frameworks with technology now available in the market.
The department's IT security director, Glenn Peisley, said technology and policy need to match.
"You can have the best policy in the world, but if you are manually going through your log files you'll never catch anyone effectively or put the task in perspective," he said.
"But it all means absolutely nothing unless I can demonstrate that internal security investment to the executive, and this means regular reporting on disaster recovery test plans, risk register reports and disaster recovery plans ... You have to try and get that reporting back into the management psyche effectively, because as soon as you stop, it falls off the radar, and soon after that funding support starts to drop too."
Peisley said the department is looking at developing spreadsheets as a way to quantify risk to executives and show the return on investment for security - which amounts to giving executives dashboard metrics so they can keep track of security investments and projects.