Information Security News mailing list archives

Security Gets Top-Level Attention


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Sep 2003 03:21:53 -0500 (CDT)

http://www.banktech.com/story/BSTeNews/BNK20030916S0001

Tom Stein 
Sep 16, 2003 

Akhil Bhandari, VP of IT at CCL Industries Inc. in Toronto, has
noticed an interesting trend. Lately, members of the executive team
have been sending him E-mail about viruses, security breaches, and
acts of cyberterrorism they've read about in the news. These
executives, including the CFO, COO, and even the CEO, just want to make
sure the $1.2 billion contract manufacturer of popular consumer
products is adequately protected.

"Security is certainly more of a discussion point among executives
these days," Bhandari says. "More than ever, I have to keep our
executive team abreast of what's happening out there and what we need
to do about it."

Bhandari isn't alone. A recent survey of 815 business-technology and
security professionals, jointly conducted by Optimize and
InformationWeek, found that senior executives are taking a greater
interest in information-security issues and having a stronger say in
how security dollars are spent.

Some 46% of respondents said the CEO, president, or managing director
sets spending for information security. That's a lower percentage than
in previous years, which may be because many companies are setting up
committees to help direct security spending. A growing number are also
hiring chief security officers who manage the security budget. AOL
Time Warner Inc. and Sun Microsystems Inc. are among the high-profile
companies that have made chief security officer hires in the past
year. According to Meta Group, only about 30% of Fortune 1000
companies have a chief security officer or equivalent, but 95% say
they need to hire someone in that role.

High-level input

Not only high-profile news events are capturing executives' attention.
The security spotlight is also on a slew of new federal and state
regulations, such as the Sarbanes-Oxley Act of 2002, California's
Security Breach Notice Law, and the Health Insurance Portability and
Accountability Act (HIPAA), that are dramatically affecting the way
companies handle customer information. Executives are becoming more
proactive in making sure their companies comply. Moreover, the rise of
Web services and business collaboration has generated more vigorous
discussion about security and concern about critical data falling into
the wrong hands, or worse, being compromised by business partners.

Significantly, more than half of the survey respondents said
regulatory requirements are the primary drivers of new investments in
information-security products and services. Other reasons cited
include potential liability/exposure (70%), potential revenue impact
(41%), and partner/vendor requirements (24%).

Bert Reese, VP and CIO of Sentara Healthcare, which operates six
hospitals and offers health-care coverage to 300,000 members, says
until this year information-security issues failed to reach the
executive suite. Senior-level management never gave much thought to
issues such as intrusion detection and disaster recovery, he says;
they simply entrusted him to take care of those things. But the new
HIPAA regulations and other compliance issues suddenly have the
corporate suites buzzing with interest.

Gene Fredriksen, VP of information security at financial-services firm
Raymond James Financial, believes some of his peers still need to do a
better job of marketing their security organizations. For example,
they could demonstrate how better security lets the company safely
open up some of its systems to customers and business partners over
the Internet at a fraction of the cost. In the past, whenever security
people needed more money, they would scare the CEO with a litany of
horror stories, Fredriksen says. But in lean economic times, that
approach won't work. To be successful, security officials must talk
the language of business.

"They must identify risk and also quantify the potential damage to the
business and propose a budget," he says. And they have to educate
senior executives about the latest happenings on the security front.

To that end, Fredriksen publishes a monthly newsletter for board
members and executive management. He uses graphics to underscore
high-, medium-, and low-level attacks identified by the firm's
intrusion-detection system. He also tracks firewall breaches and virus
infections. The newsletter contains brief articles on emerging
security trends and legislation to keep senior executives abreast of
the big stories even before they reach the major newspapers. By
keeping his senior executives educated, and hitting them with the right
message at the right time, Fredriksen has managed to incrementally
raise the security budget in relation to the overall IT budget. This
year, the company will spend more than $1 million, almost 5% of the
overall IT budget, on security initiatives, putting the company in the
top 15% of respondents.

Some companies pay a high price for not adequately investing in
security. Survey participants reported that breaches result in
compromised information confidentiality (13%), loss or damage to
internal records (7%), lost access to customer records (7%), and
compromised customer records (5%). However, these are minor when
compared with the loss of business applications (49%) and network
unavailability (45%). Only a handful of companies admitted to being
hard-hit financially by information breaches or espionage. Half of the
sites surveyed reported losses less than $100,000. Nearly a third
reported no dollar losses attributed to security attacks.

ECMD Inc., a $100 million manufacturer of building components for the
housing industry, needs to guard against industrial espionage and
protect its systems from potentially malicious or nosy employees. To
date, the company hasn't come under serious attack, but hackers have
broken into its Web sites and engaged in general vandalism. "We don't
keep any sensitive data on our Web sites, so the loss wasn't
significant," says VP of IT Steve Brown.

CCL Industries has also come under hacker threats. The company engages
in online commerce with business partners and suppliers. To ensure the
integrity and security of its mission-critical data, CCL has
established a stand-alone collaborative commerce platform that's fed
information from CCL's internal ERP and E-commerce systems. As a
result, suppliers can log on to the platform, but can't update any
records or see anything that CCL doesn't want them to.

Network firewalls and virus-detection software are the tools primarily
used to keep systems free of security breaches. Virtual private
networks continue to grow in popularity: Fully 71% of sites report
using VPNs to protect operations in 2003, compared with 58% in 2002.
Private encryption is also gaining.

One big challenge is striking the appropriate balance between the need
for security and its cost. Indeed, survey respondents reported that
capital expense was one of the most significant barriers to effective
security in their companies (44%). Other obstacles include the
increasing sophistication of threats (49%), lack of time (37%), lack
of qualified staff (31%), and complexity of the technology (24%).
Another 24% cited lack of management support, which means that while
security is gaining stature in some organizations, it's still an
afterthought for many.

Victor Wheatman, managing VP of research firm Gartner Inc., says most
companies still don't think about the cost of security before they
build or implement new systems. He estimates that adding proper
security raises the cost of application development by 30%. "Too many
companies rush ahead and forget about security," he says. "And then
they get a big surprise after the system is up and running, and they
realize they now have to factor in security."

In one case, ECMD's Brown, along with his senior executives, decided
to abandon an online initiative with a particular partner because,
among other issues, security costs were too high and simply outweighed
any potential benefit. "Security absolutely plays a role in
determining whether we partner with a certain vendor and whether it's
worth the extra cost," he says.

One solution is to outsource information-security services to a third
party, much as companies do security guards. But the trend is still in
its infancy. Only 17% use outside firms to host security systems. Most
want to outsource systems implementation, strategic consulting,
integration, and technology transformation.

The onus remains on IT and security professionals to educate upper
management and encourage participation in security planning. "If there
is no awareness of risk at the executive level," Fredriksen says,
"security will not receive the level of funding it deserves."
