According to the 2002 Australian Computer Crime and Security Survey, 70 per cent of Australian organisations increased their expenditure on information security in the 12 months prior to the study being conducted. The survey was produced jointly by AusCERT, Deloitte Touche Tohmatsu and the NSW Police Service, and its findings may well reflect how prominent security has become in the minds of chief executives and boards, especially since September 11, 2001. However, to be effective the right person, at the right level in the organisation, needs to be in charge of information and systems security, and this has not always been the case.

In the late 1980s and early 1990s, a manufacturing company in Australia decreed that information security should be taken out of the hands of the IT department as it was considered to be a case of the fox guarding the chicken coop. If the reasoning behind this was flawed to begin with, the consequences were pitiful. A succession of unqualified and unsuitable “redeployees” ended up being appointed to the new position of corporate security officer, primarily because the company couldn’t find anything else for them to do. A power game developed between the heads of business units and IT as to who could access what, how and when; and the end result was cumbersome and ineffectual processes that impeded both IT personnel and end users in doing their jobs.

That may be an extreme example, but while whoever is in charge of IT security need not necessarily sit in the IT arena (see “Inside or Out”, page 128), most would agree that the incumbent does need some technical grounding, given the complexity of the technology involved. This is very much the view of Stephen Srede, information security manager for AMP Financial Services, whose background is in networking and programming.
“My background is technical, so I understand the way things fit together and I think it is very important to have someone in the team who has a really good technical understanding and knowledge of how things work from the ground up. It does seem to vary a lot, though; some people come from an audit background and some people come from a more management oriented background,” Srede says.

Srede’s team of four is responsible for information security across Australia and New Zealand. Principally, this is for AMP Financial Services, he says, but they also work with other companies within the AMP Group. The role is a full-time one for Srede and he believes most large organisations these days do have at least one full-time person dedicated to information security, if not a team as in his case. According to Srede, he and his team set security policy in conjunction with the business. Other duties include analysing and evaluating which security-related technologies, such as firewalls and intrusion detection systems, need to be in place and where; acting in an oversight capacity to ensure procedures are working correctly; and investigating anomalies. He considers viruses still to be the biggest threat to AMP’s security. “Although the threat of hacking receives more press and is on the increase, and internal threats such as fraud are always a risk, viruses are the most disruptive to the organisation,” he says. “If a virus comes through and the [appropriate] infrastructure is not in place and up to date, the cost is easily measurable as being very large.”

Prior to joining AMP in February 2002, Srede held a similar position at Optus for three years. Although he says he operates fairly independently within AMP, he and his team report into the architecture area of AMP’s IT organisation, and he thinks this works well. “Different people have different recommendations as to where security should fit in.
Some say it should sit outside of IT and report up to the CEO through an area like risk management. That was how it was at Optus for a while, but I don’t think it makes that much difference as long as you have good management support. Where that support is lacking is where the reporting lines would make more of a difference because you’d need to wield some weight around. But in AMP we have pretty good support, so we could really be anywhere,” he says. While Srede maintains a good relationship with the people who look after AMP’s physical security, he says that information security is run quite separately with little overlap between the two areas.

The physical security of premises and equipment is also managed separately at telecommunications company PowerTel. However, according to PowerTel’s CIO, Geoff Lindner, one of the principal targets of thieves is IT assets because of their commercial value and usefulness. “We, like every organisation you care to name, have laptops stolen and we have quite extensive rules about how people who have laptops are required to maintain them,” Lindner says. “They’re not allowed to be left on desks or in desk side drawers because they’re not secure. Rather, there’s a special cabinet for storing your laptop, but every now and then we still lose [the odd one].”
In PowerTel’s case, IT security is the part-time responsibility of one of Lindner’s staff. This principally entails maintaining network security, or “the moat between PowerTel and the outside world”, as Lindner puts it. He also says there is a constant influx of recommended security patches from vendors and much time is spent applying those. “Information that ultimately resides in our core systems is made available on the Internet either to business partners or customers through a portal. So clearly we have to have bulletproof security that ensures those core systems can’t be compromised from the outside. That’s a key focus,” Lindner says.

However, security is not an issue Lindner and PowerTel worry about every single day. While there are constant attacks on its external facilities, they appear to be mainly automated and blind, rather than targeted, he says. “Certainly to our knowledge, we’ve never suffered a material loss.

“Looking at the Australian Standard 4444, though, you see just how incredibly broad the overall security problem is. Obviously, internal threats are a major risk, especially in larger organisations, and loss of company information is important, so we have policies around the retention of data in IT systems,” he says. “The auditors have in fact audited our security policy and provided extensive feedback. Our tactical mistake there was in saying that we’re looking to build our own security policy around AS 4444. That of course then opened up the auditors’ minds to all the things in the standard that we don’t do,” Lindner admits in good-humoured fashion.

In addition, on an annual basis, or thereabouts, Lindner calls in external security experts to inspect PowerTel’s systems and report on vulnerabilities they find. Their recommendations are subsequently implemented in an exercise that Lindner concedes is expensive but worth the benefits. According to Lindner, security measures to date have generally been accepted throughout the business.
The only issue over which any friction has arisen, he says, is that some users would like to dial into PowerTel from outside using their own PC (see “Home Is Where the Exposure Is”, page 123). However, the company does not currently provide for this as the risk of introducing viruses is considered too great. And while Lindner will personally set security policy, he says he’ll always look to PowerTel’s executive committee to endorse it, given its importance.
While AMP and PowerTel effectively separate IT security from their organisations’ physical and overall security strategy and management, KPMG Australia’s 2001 Security Strategies report states that the security function should strategically oversee security risk management across the entire organisation. To be effective, the report says, the security group requires a strong presence and visibility and a strong authority mandate to take action. To ensure this, it must sit no lower than two levels below the chief executive, although corporate governance should place ultimate responsibility for security with the board. According to the KPMG report, the concept of a “security council” comprising key members of business, security and IT is also becoming popular. The council serves as a forum to raise and agree security initiatives and strategies and can enable active business participation in the security process, it says.

To some degree, this is the way Corporate Express Australia operates. CIO Garry Whatley says he is ultimately responsible for IT security, although a technical architect/security officer, who reports to Whatley, handles day-to-day security matters along with other duties. “We’re going through the TruSecure accreditation process and he [the security officer] is a highly technical person with the detailed skills to make sure all the proper security procedures are in place,” Whatley says. Corporate Express Australia also has a security committee, headed up by Whatley and comprising senior executives such as the financial controller, risk manager and company secretary. For while security has gained a higher profile in some circles in the past year, according to Whatley, it has always been an ongoing concern for Corporate Express.
In particular, as one of Australia’s largest single source suppliers of office goods and services, the company has been conducting business on the Internet for a relatively long period and derives a significant proportion of its revenue through online sales. “That has raised [the issue of] security pretty high because we speak to people like the Department of Defence, for whom security is paramount. So we need to prove internally that we have all the right processes in place,” Whatley says.
The Security Executive’s To-Do List
1. Merge physical and IT security organisations.
2. Have asset owners identify critical assets, determine their value and participate in risk assessments.
3. Audit security early and often.
4. Demand background checks and psychological profiling for sensitive staff.
5. Evaluate business partners’ security.

Source: Forrester Research
Missions and Minefields
Chief security officers face many problems today, but they can be effective by delivering on six key areas of their work, according to analysts.

Key issues facing CSOs:
- Ongoing friction between the CIO, whose mission is to make the network hum while running large departments, and the CSO, who is seen as a business inhibitor and has only a handful of direct reports
- Lack of empowerment to get things done
- Flat budgets and increased security threats
- New demand to prove the effectiveness of security programs
- Mergers and acquisitions
- Increased physical security concerns as a result of the Sept. 11 terrorist attacks, which affect CSOs who have oversight for physical security as well as other CSOs who implement the technological solutions to mitigate such risks

What CSOs need to do to be effective:
- Form relationships and strategic alliances with corporate influencers in business units and in the auditing, IT and legal departments.
- Become business enablers by using security technologies that reduce overhead, provide better service and otherwise support business processes with better, faster and cheaper ways of getting things done.
- Take advantage of new assessment and benchmarking tools to help report the company’s overall security posture, risk modelling and program effectiveness.
- Take accounting and business courses and get the Certification for Information System Security Professionals.
- Keep abreast of regulatory issues and government acts.
- Be impeccable in appearance, articulation, writing and other forms of presentation.

Sources: Tracy Lenzner, founder of executive security recruitment firm Lenzner Group (www.lenznergroup.com); John Pescatore, an analyst at Gartner (www.gartner.com); Mike Hager, vice president of network security and disaster recovery at OppenheimerFunds Distributor Incorporated in New York; and the research report “How Corporate Security Is Reshaping the Post-9/11 CEO Agenda”, by Booz Allen & Hamilton
Inside or Out
Where should responsibility for security reside? In its 2002 Information Security Survey, KPMG found that in 53 per cent of organisations responsibility for information security still resides with the IT department. However, Egidio Zarrella, national partner-in-charge, information risk management, KPMG Australia, says he is now seeing more “C” class executives or chief security officers (CSOs) in charge of security, particularly in the US and Europe and particularly in financial institutions. “If you just think security is IT and having a password, you’re already behind the ball game because you’re not taking a holistic view of it,” Zarrella says.

As CSO for Oracle Corporation, Mary Ann Davidson has global responsibility for the software giant’s product security, corporate infrastructure security and security policies, security evaluations, assessments and incident handling; in other words, the organisation’s own IT security in addition to building and delivering security across the software it sells. Davidson has held the position since it was created late last year but thinks her situation is unusual in that she comes from — and continues to sit — in product development and reports up to an executive vice-president responsible for server technologies. However, this makes perfect sense for Oracle, she claims, given that its corporate culture is driven from development, the company runs its business on its own software, and consequently its internal IT department cannot secure what Oracle does not build into its products in the first place. In fact, it was Davidson who lobbied Oracle’s senior management to create the CSO position. “They agreed it was a great idea, and although I didn’t dream they would consider me for the position, they offered me the job and even gave me the chance to write the position description,” she says. “Management believed that I would stand up and scream loudly if things were not right and viewed that as an important attribute.
I’ve also been a military officer, so I believe I understand something about leadership and motivation, and I have a magic authority whereby if there are issues with someone regarding security that I can’t resolve at my level, I get to go right to [Oracle chairman and chief executive] Larry Ellison.”

Not surprisingly, Davidson has a lot of interaction with Oracle’s internal IT department. Oracle also has a security steering committee, comprising a number of constituents including finance, legal and human resources. As Davidson points out, so much of security goes hand-in-hand with privacy, which affects large parts of the company. There are, for example, European privacy directives that impact not only how Oracle builds its products, but also how it stores information about its customers and employees. Davidson believes the CSO role is now very common in large companies, particularly major IT vendors.

However, at rival ERP firm PeopleSoft, product security is the responsibility of the chief technology officer, while senior vice-president and (global) CIO David Thompson looks after the internal security of the company’s network, telecommunications and applications, as well as setting policy. Of the 380 people who work internally in IT at PeopleSoft, 27 make up the security division, and Thompson says security now accounts for 10-15 per cent of his time. Given that PeopleSoft is an IT company where staff tend to have the necessary skills, Thompson is not worried about external threats as much as internal attacks and mistakes and has been focusing on educating employees in this area. In addition, although he does not handle physical security himself, he says he is working to leverage technology to help protect the company’s assets and monitor sensitive areas. — K Power