Defend against external risk from the inside out
Written by Vawn Himmelsbach July 13, 2006
For the Louis Riel School Division in Manitoba, viruses and unmanaged desktops had resulted in an unusable computing environment for students. Teachers could rely on computers being in the schools — but not working.
“Because we’re public sector, we have people working inside our network that other people are trying to block,” said Brad Biehn, director of information systems with Louis Riel School Division, at an IT security roundtable hosted by Microsoft in June.
The school division had to deal with the usual gamut of security concerns, such as viruses, but also with social engineering attacks aimed at young, naïve children, as well as online predators and even cyber bullying.
“That’s the new issue in the playground,” he said. There’s also education that needs to be done with students on issues like plagiarism and hacking into other people’s information. “We’re doing a lot to educate our students, but you have to have some controls,” he said.
Prior to amalgamating the school division and rolling out new technology, Biehn had a virus template letter he sent out two or three times a month, and his job consisted of quarantining and cleaning up after viruses. With PCs in 40 different buildings across the school district, it used to take three months to apply a patch.
“You can’t run a business like that,” he said, adding that it’s important not to lose sight of the end-user either. “You can tighten a network so it’s unusable, you can lock down a PC so it’s frustrating to use,” he said. “What’s good for users makes the IT department spin into the ceiling.”
The school division is now a Microsoft shop, and while it still gets hit with viruses, everything is patched in a timely manner, he said.
For Indigo Books & Music, security is also a top concern, but for different reasons. With millions of dollars of transactions on credit cards going over the Internet, the company is a target for hackers. “It’s a risk we mitigate,” said Ricky Mehra, director of IT security and internal controls with Indigo Books & Music. “It’s a huge threat for us.”
It’s critical the company retains customer trust, he said, and this involves building better practices internally.
Bill 198 in Canada and Sarbanes-Oxley in the U.S. are forcing companies to comply with security regulations, and a lot of companies that use third parties are asking those parties for audit reports. Still, it’s important not to evangelise security as insurance, he said, because that treats it as a threat; it’s better to show C-level executives how security can be a business enabler.
ROI is difficult to prove, he said, since security risks are qualitative rather than quantitative, but you can break it down into solutions that have measurable metrics, such as single sign-on for users versus labour costs at the help desk — and that can help you get executive buy-in.
He’d like to see better integration, interoperability and manageability between vendor products, and believes PIPEDA, Canada’s privacy legislation, needs more teeth.
Point products from different vendors have become costly to acquire and difficult to manage, and we need to get to a point where there’s a single security management console, said Pat Kewin, director of Trend Micro Canada. “We need to be able to fit into other managers’ managers.” But it’s a marathon, not a sprint, he added, and security is a constant cycle without a start or finish.
One of the biggest challenges is dealing with complexity and the unknown nature of threats. Network availability, intellectual property and sensitive financial information can all be held hostage to denial of service attacks. “The stakes have gone up so dramatically because of the financial rewards,” he said.
But the industry is also seeing more aggressive disclosure requirements, such as in California, where the law requires businesses to notify customers within 48 hours of a data breach.
A standards body called OASIS (Organization for the Advancement of Structured Information Standards) is making it possible for vendors to collaborate across product lines. And WS-* (pronounced “WS-Star”) is an initiative being driven by Microsoft and IBM to define specifications for Web services security, reliable messaging and transactions; the WS-* specifications are also designed to interoperate with existing security models such as passwords, Kerberos and PKI.
“Some people would say technology is only 20 per cent of the problem, the rest is policies and procedures,” said Steven Lloyd, chief security advisor with Microsoft Canada Co.
Regardless, he said security should be viewed as an integral part of the business. “Stop looking for ROI,” he said. “Security should be part of your business plan. It’s not an add-on. It’s not an afterthought.”