Security rollout needs a blueprint
Organizations are often too busy looking at the details of a security rollout to consider the big picture, according to a panel of experts that convened in Toronto last month.
The panel, which was conducted in front of an audience of security and IT professionals, agreed what could help bring that picture into sharper focus is accountability.
“I’ve seen too many organizations doing (security) on a piecemeal basis
and there is no co-ordinated leadership,” says Roy Ng, an assistant
professor at the Ted Rogers School of IT Management at Ryerson
University, the organization that hosted the panel. “Security has to
come from the top, but there has to be a perspective about what
security is all about.”
Sharon Hagi, a senior architect at IBM Canada, agreed. “Once
you’ve identified the risk and classified the assets (to be protected),
there has to be a blueprint.”
The problem for many senior executives is they can’t grasp the return
on investment from a security investment, says Hagi, since security is
designed for prevention rather than production. They know they need it,
but they don’t know why.
He said a metaphor that might help is the car: a security perimeter is
like the brakes on a car. What allows you to accelerate a car is the
ability to slow it down or stop it by pressing a pedal.
Similarly, security gives a company the freedom to speed up and move forward.
Dave Wallace, the CIO for the City of Toronto, says he’s seen this
problem in the public sector. The only way is to make sure that
senior-level managers not only understand the implications of security
but also what might happen to an organization if it’s not implemented.
“I think we need to start folding in the word ‘accountability.’ Yes,
there are costs to manage, but the bottom line is (managers) are
accountable. As long as IT is doing it (by themselves), it’s not going
to work,” says Wallace.
The rise of accounting and privacy legislation has put accountability
back into the minds of executives, says Hagi. They take Sarbanes-Oxley
seriously because there are penalties if they don’t.
“There’s nothing like the risk of jail time to get executives
involved,” he says, adding that we need more legislation “with teeth”
in order to make security a priority across an entire organization, not
just at the IT department level.
Part of the problem is a disconnect between senior executives and IT
departments, according to the panel. And it may be up to the IT
managers to explain requirements in a language that the top levels of
an organization can understand.
Telling an exec that temporarily losing a website to a firewall issue
will cost the company 50 customers may be more effective than just
reporting the number of hours it went down, says Ng.
Enterprises are reaching a fork in the road in terms of security and
accountability, but many small and medium-sized businesses are just
getting started, says Wallace.
A lot of SMBs believe they are building unique security platforms, he
says, but often they are just replicating set-ups that have been used
in other organizations. In order for security solutions to be affordable
and practical for all sizes of business, there needs to be a more