Corporate security gets urgent

Strengthened resolve


While security coordination is a muddy issue, one thing is clear: There is a new resolve in corporate hierarchies to make security a priority--a resolve that corporate security experts say did not exist just six weeks ago.

In dozens of interviews conducted by Interactive Week, I-managers, information security experts, security consultants and corporate executives echoed a recurrent theme as companies scrambled to cope with the idea that the nation is at war with an enemy that is often invisible--and with the fact that they could become targets.

Corporate officials said they are re-evaluating and reassessing all levels of security. Oft-mentioned issues included Internet vulnerabilities to worms and viruses; ways to bypass secure entrances; and learning more about the habits of employees.

Bob Forbes, executive vice president and founder of Authentor Systems, said he foresees new security systems that will not only watch the front and back doors, but track employees' personal habits--from the time they clock in, to the time they log on--and notice when norms are not followed.

"Hard outer shells are suddenly getting a lot of attention, just as the demand for access is increasing," he said. "You typically can't increase access and security simultaneously. So you turn to behaviour-based models as opposed to, say, firewalls that have static rules, that don't look at the type of information a user is requesting."

The economic reality of increasing security is finding expression in prioritisation--and in the recognition that more sophisticated technology is not the only answer. Confirming that security policies are in place and are adhered to and planning reactions to worst-case scenarios are becoming part of a new corporate mindset, insiders said.

In many cases, corporations are scrambling to find funds in an almost stagnant economy to pay for technological tripwires, more security personnel and higher walls around information systems.

"The tragic events of Sept. 11 have been a cold, hard slap in the face to senior corporate managers who once paid lip service to security, but failed to allow long-term or short-term budget planning," said Marquis Grove, a director of Information Systems Security.

Within many companies and among security advisers there is also movement toward integrating physical and information security systems, to present a "hardened target" to terrorists, criminals and even disgruntled employees who try to disrupt business.

"Information technologists and corporate security managers have long enjoyed a love-hate relationship," said Grove, who doubles as information security director for an international Fortune 50 company.

"Unfortunately, there has been a long history of self-interest and self-promotion between the two groups that left them usually opposing measures being put forward by the other group," he said. "This reflected the fortress mentality of the past, where managers were more interested in protecting the size and function of their department than in what was best for the company."

Now, however, threat and risk assessments are in high demand at corporations of all shapes and sizes, from giants like Boeing to small firms--for which the faulty security of networks they hire to deliver their services could mean financial ruin.

Agencies of the federal government are also turning to private security interests to run risk assessments on networks, Web sites and other points of access to confidential information that could be valuable to international enemies.

Some corporations, like the Kansas Yellow Freight national trucking company, said they have not made dramatic changes in security, but have thoroughly reviewed their procedures and sent blanket reminders to all employees to be alert for security breaches.

For others, it is clearly a brave new world of information and physical security, transformed in ways that were almost inconceivable before the terrorist events just six weeks ago.

Juliano said DoveBid has added redundancy to its operations to allow the company to run entirely from any of its three major US facilities. It's also started reviewing security systems on "a daily, rather than weekly, basis," and is even checking names of suspected terrorists released by the FBI against its employees and system users.


Talkback 1 comments

    Information system security is ...Professor William J Caelli -- 03/11/01

    Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP, which have not even achieved a lowest level of trust analysis (i.e. the old "C2" level of evaluation), are being used in mission critical server/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.

    Bill Caelli
    Information Security Research Centre
    Queensland University of Technology
