A combination of increased IT and physical security threats and new regulatory requirements is transforming the manner in which security functions need to be viewed, implemented and managed, said attendees at the SecurIT 2003 Summit in Phoenix, Arizona this week.
For instance, it's becoming increasingly important for companies to look at IT and physical security threats from a unified risk-management perspective, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
As one of the executives in charge of securing Boston's Logan International Airport, plus three seaports and a major toll bridge, Treece is focused primarily on physical infrastructure protection. But he also oversees the IT side — for example, sitting in on all meetings regarding the implementation of a new Gigabit Ethernet LAN at Logan.
Such unified oversight of security functions is not only necessary but inevitable, Treece said. "At the end of the day, the board is going to see no difference between network and physical security. There's going to be a single security budget line item. It's all the same risk," he added.
The need to comply with emerging data privacy regulations and other laws also means that IT security organisations will have to collaborate better with corporate legal, audit and human resources departments, according to Robert Degen, senior vice president of corporate security at First Data in Denver.
Such alliances will become crucial in securing the money and support needed to implement enterprisewide IT security approaches, Degen said. "You can't go it alone like a Don Quixote," said Degen, who, like Treece, oversees both IT and physical security. Degen reports to First Data's chief auditing officer, an arrangement that he said has helped to keep security a top issue at the board level.
Jude Ogunleye, a systems administrator at Cascade Natural Gas in Seattle, said he's thinking of having the company's network tested and analysed by a third party to highlight weaknesses that could be exploited. The idea is to demonstrate "how much money you can lose with a downtime," Ogunleye said.
While getting funding for IT security initiatives is easier than it was a few years ago, "a business case for information security will most likely still have to be made in almost all organisations if drastic changes in funding or staffing are expected," said Jason Witty, director of global security architecture at Aon Services, a subsidiary of the $US8 billion Aon in Chicago.
To get upper management's approval for the resources needed to secure systems, Witty recommended giving demonstrations showing how easy it is to compromise data, explaining regulatory requirements and presenting internal measurements that depict infosecurity problems needing to be solved.