Whether it is concern over physical access to sensitive data, infiltration through software vulnerabilities or circumvention of policies via social engineering, security is at the heart of the information professionals’ daily activity. Combating the seemingly infinite variety of security breaches now extends beyond mere information technology and has become an integral part of the organization’s overall strategic plan.
The concept of integrating security into the strategic plan is explored by authors Tom Patterson and Scott Gleeson Blue in their book, Mapping Security: The Corporate Security Sourcebook for Today’s Global Economy. Chapter 3 of that book, Establishing Your Coordinates, is available for download from TechRepublic.
In the following interview, Tom Patterson discusses security and how important security planning is to the overall health of any enterprise.
Interview
[TechRepublic] Security is arguably the most prominent concern of information professionals in general and TechRepublic members in particular. Dealing with security issues is an inherent aspect of being interconnected via networking systems. Your book goes to great lengths to explain that security extends well beyond the mere technological equipment deployed. What do you see as the most overlooked security vulnerability in the business environment? How should that security problem be addressed?
[Tom Patterson] One of the themes of Mapping Security is the unification of the security effort within an organization. To this end, we explain security issues with stories in the language of business, so that the rest of the people in an organization will be able to understand their role in security and participate where needed. The book points out the criticality of including business owners, financial teams, sales and marketing, executives and even boards, in forming a security, privacy, or risk policy. By taking the time to explain the security situation in terms that they will understand, you gain the benefit of their perspectives, and their buy-in to a solution. This is a critical success factor in security around the world, and it’s only now starting to be addressed. Corporate governance laws around the world, like the Sarbanes-Oxley Act in the USA, are allowing organizations a second chance to address their risks, and many are doing just that.
Title: Mapping Security: The Corporate Security Sourcebook for Today’s Global Economy
Author: Tom Patterson with Scott Gleeson Blue
ISBN: 0-321-30452-7
Chapter 3: Establishing Your Coordinates
Publisher: Addison-Wesley Professional
[TechRepublic] In your book, you suggest that many organizations make contingency plans based on the discovery of a security problem or breach—a reactionary strategy. You suggest that security planning should be an integral part of the overall strategic plan, taking into account traditional aspects like markets and culture. Won’t such a shift in thinking require cultural change at the organizational level? Isn’t entrenched bureaucracy a major hurdle to overcome when thinking of security as a strategic aspect of the overall plan?
[Tom Patterson] The days of the security silos are behind us. The threats are more demonstrable now than they used to be, governance laws that make executives and officers sign off on their corporate risk every 90 days have changed corporate attitudes, and now is the time to change the culture. In the book there are many examples that are working around the world, like ways to get business owner buy-in, increased budgets, or positive executive attention. All of these areas are critical to changing the security culture, but it’s being done around the world today.
[TechRepublic] In the aftermath of corporate accounting scandals like Enron and Worldcom, legislation and regulations have been enacted that hold enterprises accountable and liable for accuracy, security, and privacy. What steps should organizations have already taken to meet these compliance requirements? Do you believe that many organizations have yet to grasp the significance of non-compliance? What consequences are they facing?
[Tom Patterson] In the book, we demonstrate how organizations have tended to ignore regulations without ‘teeth.’ But nothing bites an executive more than seeing a peer in prison stripes. Beyond the fines (which can be substantial) and sanctions (like having a Government watchdog on your site for 20 years) and share price vulnerability, company executives are really taking note of the criminal enforcement these days. Sarbanes-Oxley Section 404 outlines a series of risk-centric compliance issues that every public company is taking seriously. The biggest change has been in the area of internal audits, which can be a great help in carrying out good security throughout an organization. Every security leader should be working hand in hand with the internal auditors, as they have the power to get things done.
[TechRepublic] Many recent security breaches involving technology have stemmed from the growing problem of stealing personal customer or client data that can later be used in assorted identity-theft crimes. Rather than random attacks of opportunity, these attacks are well-planned and targeted, specifically designed to circumvent in-place security systems. Do you believe organizations as yet untouched by these events understand the sophistication of these attacks or the determination with which they are carried out?
[Tom Patterson] While phishing for grandma’s eBay password tends to get a lot of media attention, these one-off frauds are not the biggest problem in identity theft today. Grabbing mail out of a mailbox or trash can is still the number one way identities are stolen, but the electronic world is catching up. The focus needs to be on two areas—those who aggregate large amounts of personal data, and places that sell it.
For companies that collect personal data, there are laws on the books in several states (like California) that direct how to secure it, and a national law in the works for later this year. Social engineering, or tricking a company or employee into giving you the data, still accounts for more identity theft than electronic hackers, but in all cases the attacks are becoming more targeted, more sophisticated, and more successful. Companies need to look at whether they really need to keep this data at all, and if so, they need to beef up its protection.
The reason this is such a threat these days is that it is profitable. When your credit card number is stolen, in most cases the thief doesn’t use it, he sells it. There are whole markets online for the sale of credit card and other personal information. We, as a global society, need to take the gloves off when dealing with them. We had a good start by shutting down the ShadowCrew site, but much more proactive actions are required on a global scale. The US Congress has not yet signed the European Convention on Cyber-Crime, but that would help show the rest of the world that we need to be united in our fight against identity theft.