COMMENTARY--Too often, security has been an uncoordinated process of throwing money at security holes as they appear, and bandaging over problems after they occur.
The need for a unified approach to security at the enterprise level has been made crystal clear by recent local events, escalating the need for a managed approach to business continuity well beyond just virus control.
While the Blaster and SoBig virus plague brought some harsh lessons, with the severity of their attack surpassed only by their speed, many organisations were prepared for the onslaught and had defensive patches in place.
Others were not, and business processes fell to their knees under the bombardment. The debris had hardly been cleared away and systems restored when intruders posing as technicians spent a couple of hours inside the Australian Customs facility near Sydney Airport and walked out with two file servers. Unchallenged, they simply carted off data of, so far, undeclared sensitivity, presumably for nefarious purposes, as the hardware could hardly have been worth the risk.
The flood of Internet-distributed bugs was bad enough, but this data heist sharply focuses the pressure on management to take a proactive stance on physical security, unauthorised intrusion, and recovery from such events.
It can no longer be left to an ICT department to shoulder the protection load alone; executive management has to let go of dangerous notions of security as a non-revenue function at best tolerated, but more often perceived as some arcane activity best left at the margin while more pressing matters like investor return get total attention.
Security management systems from vendors like IBM's Tivoli, e-Security, and Computer Associates offer centralised reporting and monitoring and are evolving towards more comprehensive management functionality, spurred not only by the proliferation of threats, but by pressure on ICT professionals to accommodate security within an ever-widening general task base.
On the other hand, the development of enterprise-wide policies and structures to establish a strategic approach to whole-of-business security lags behind. Few fully appreciate that security is a business enabler, and yes, its cost can be high, particularly if it's deployed reactively.
Digital surveillance may be an ICT responsibility in its installation and maintenance, but it is senior management that must be properly prepared for the social issues that surveillance brings, coordinating legal, audit, and HR contributions to the privacy concerns that accompany it.
It means realigning departmental thinking to create a holistic approach to security; digitally captured vision of a couple of blokes lugging file servers towards the door is essentially just another in a range of alerts, a fairly obvious one admittedly, with which business must contend.
Electronically detected intrusion by disaffected employees armed with a bunch of purloined passwords is another alert, some opportunist carrying off brand assets on some obscure Web site is another, and so it goes on. The task is to separate the signals from the hubbub of background noise and that means establishing cohesion across the enterprise.
Ernst & Young's recent global survey into information security showed that only half the 1400 organisations surveyed said IT security funding was aligned with business needs. Many executives focus on well-publicised security issues such as viruses and malicious hackers when they should be looking into less obvious threats, such as disgruntled employees, network links to partners with untrustworthy systems, hardware thefts, and insecure wireless access used by employees.
The bulk of security spending at most companies continues to be on technology products, with far less attention being paid to employee awareness and training issues, the survey showed. Only 29 percent of those surveyed listed employee awareness and training as a top area of IT security spending.
While information technology runs as a common thread through all this, it is management that allows an environment to develop where human shortfall can not only persist, but thrive.
Richard Hogg is National president of the Australian Computer Society (ACS). The ACS is the recognised association for Information Technology (IT) professionals, attracting a membership (over 16,000) from all levels of the IT industry and providing a wide range of services. A member of the Australian Council of Professions, the ACS is the guardian of professional ethics and standards in the IT industry, with a commitment to the wider community to ensure the beneficial use of IT.
Visit this page for other ACS articles published by ZDNet Australia.