Security

Integrating security with the overall enterprise strategic plan

Security in any enterprise should extend beyond just information technology to become an integral part of the organization's overall strategic plan.

Whether it is concern over physical access to sensitive data, infiltration through software vulnerabilities or circumvention of policies via social engineering, security is at the heart of the information professionals' daily activity. Combating the seemingly infinite variety of security breaches now extends beyond mere information technology and has become an integral part of the organization's overall strategic plan.

The concept of integrating security into the strategic plan is explored by authors Tom Patterson and Scott Gleeson Blue in their book, Mapping Security: The Corporate Security Sourcebook for Today's Global Economy. Chapter 3 of that book, Establishing Your Coordinates, is available for download from TechRepublic.

In the following interview, Tom Patterson discusses security and how important security planning is to the overall health of any enterprise.

Interview

[TechRepublic] Security is arguably the most prominent concern of information professionals in general and TechRepublic members in particular. Dealing with security issues is an inherent aspect of being interconnected via networking systems. Your book goes to great lengths to explain that security extends well beyond the mere technological equipment deployed. What do you see as the most overlooked security vulnerability in the business environment? How should that security problem be addressed?

[Tom Patterson] One of the themes of Mapping Security is the unification of the security effort within an organization. To this end, we explain security issues with stories in the language of business, so that the rest of the people in an organization will be able to understand their role in security and participate where needed. The book points out the criticality of including business owners, financial teams, sales and marketing, executives and even boards in forming a security, privacy, or risk policy. By taking the time to explain the security situation in terms that they will understand, you gain the benefit of their perspectives and their buy-in to a solution. This is a critical success factor in security around the world, and it's only now starting to be addressed. Corporate governance laws around the world, like the Sarbanes-Oxley Act in the USA, are allowing organizations a second chance to address their risks, and many are doing just that.


Title: Mapping Security: The Corporate Security Sourcebook for Today's Global Economy
Author: Tom Patterson with Scott Gleeson Blue
ISBN: 0-321-30452-7
Chapter 3: Establishing Your Coordinates
Publisher: Addison-Wesley Professional


[TechRepublic] In your book, you suggest that many organizations make contingency plans based on the discovery of a security problem or breach—a reactionary strategy. You suggest that security planning should be an integral part of the overall strategic plan, taking into account traditional aspects like markets and culture. Won't such a shift in thinking require cultural change at the organizational level? Isn't entrenched bureaucracy a major hurdle to overcome when thinking of security as a strategic aspect of the overall plan?

[Tom Patterson] The days of the security silos are behind us. The threats are more demonstrable now than they used to be; governance laws that make executives and officers sign off on their corporate risk every 90 days have changed corporate attitudes, and now is the time to change the culture. In the book there are many examples that are working around the world, like ways to get business owner buy-in, increased budgets, or positive executive attention. All of these areas are critical to changing the security culture, and it's being done around the world today.

[TechRepublic] In the aftermath of corporate accounting scandals like Enron and Worldcom, legislation and regulations have been enacted that hold enterprises accountable and liable for accuracy, security, and privacy. What steps should organizations have already taken to meet these compliance requirements? Do you believe that many organizations have yet to grasp the significance of non-compliance? What consequences are they facing?

[Tom Patterson] In the book, we demonstrate how organizations have tended to ignore regulations without "teeth." But nothing bites an executive more than seeing a peer in prison stripes. Beyond the fines (which can be substantial), sanctions (like having a government watchdog on your site for 20 years), and share price vulnerability, company executives are really taking note of the criminal enforcement these days. Sarbanes-Oxley Section 404 outlines a series of risk-centric compliance issues that every public company is taking seriously. The biggest change has been in the area of internal audits, which can be a great help in carrying out good security throughout an organization. Every security leader should be working hand in hand with the internal auditors, as they have the power to get things done.

[TechRepublic] Many recent security breaches involving technology have stemmed from the growing problem of stealing personal customer or client data that can later be used in assorted identity-theft crimes. Rather than random attacks of opportunity, these attacks are well-planned and targeted, specifically designed to circumvent in-place security systems. Do you believe organizations as yet untouched by these events understand the sophistication of these attacks or the determination with which they are carried out?

[Tom Patterson] While phishing for grandma's eBay password tends to get a lot of media attention, these one-off frauds are not the biggest problem in identity theft today. Grabbing mail out of a mail box or trash can is still the number one way identities are stolen, but the electronic world is catching up. The focus needs to be on two areas—those who aggregate large amounts of personal data, and places that sell it.

For companies that collect personal data, there are laws on the books in several states (like California) that direct how to secure it, and a national law in the works for later this year. Social engineering, or tricking a company or employee into giving you the data, still accounts for more identity theft than electronic hackers, but in all cases the attacks are becoming more targeted, more sophisticated, and more successful. Companies need to look at whether they really need to keep this data at all, and if so, they need to beef up its protection.

The reason this is such a threat these days is that it is profitable. When your credit card number is stolen, in most cases the thief doesn't use it; he sells it. There are whole markets online for the sale of credit card and other personal information. We, as a global society, need to take the gloves off when dealing with them. We had a good start by shutting down the ShadowCrew site, but much more proactive action is required on a global scale. The US Congress has not yet signed the European Convention on Cyber-Crime, but that would help show the rest of the world that we need to be united in our fight against identity theft.

About Mark Kaelin

Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.