Not all data in your organization is the same and therefore you must treat it with different levels of security. Similarly, different people in your organization and among your business partners must be treated with varying levels of trust and security that match their roles. And hashing through all of this will require working closely with senior management, so you have to foster a comfortable working relationship with your executive team.
Those were some of the lessons culled from keynote speakers at the recent E-Security Conference and Expo in Boston. The speakers were: Christian Byrnes, vice president and director of the global security practice at the META Group, a consultancy based in Stamford, Conn; Clint Kreitner, CEO of the Center for Internet Security, Bethesda, Md; and Paul Raines, Head of Global Security Risk Management, Barclays Capital, an investment bank in New York.
Byrnes' message was that organizations have to assign different levels of trust requirements to all of their resources and ensure that each is protected accordingly. Trust levels may range from 0, meaning the trust level is not acceptable for any business use, to 4, which corresponds to a high value, business-critical trust level.
Deciding what trust level should be assigned to each resource is a matter of policy that has to be negotiated with business leaders, he said, not dictated by the security team.
That was a theme that Raines also picked up on. Number one on his list of the top 10 security vulnerabilities was a lack of well-defined policies and procedures.
Raines knows of what he speaks. Barclays Capital has operations in 66 countries and Raines is responsible for information risk management in all of them. Before taking on his current position in January, he was vice president of electronic security for the Federal Reserve Bank of New York, supervising its computer and network security systems.
From his experience, it is crucial for security managers to meet on a regular, informal basis with senior managers to foster an open relationship. The idea is for each side to feel comfortable with the other and to tell the truth about security risks, so that should a problem crop up, it's not coming out of the blue.
Such a relationship is also key to getting management support for security initiatives that are not always popular with employees, such as rules about how often passwords must be changed. When looking to garner such support, Raines said it's key to always emphasize the value-add to the organization. That means spelling out in simple terms why the security measures you seek are important to the company.
Kreitner echoed the same theme. Before taking on his current position, he held various CEO positions in health care as well as with IT vendor companies. His advice was to be calm, collected and rational when talking to senior managers about the security risks your organization faces.
"Executives understand risk," he said, noting that a core function for any executive is to evaluate market risks of varying types. They also understand that there are risks associated with IS and that there is no quick fix to any given problem. "It's about managing risk down to a prudent level."
For the IT or security manager, the key is to define the risks in business terms, such as potential damage to the company's reputation if a security breach becomes publicized or the effect of a critical system such as payroll being compromised.
A key question to be addressed in the security equation is whether you are doing at least what the competition is doing in terms of security, Kreitner said.
"There is a major lawsuit just waiting to happen," he said. He expects eventually a company will get sued for not providing adequate security protection for, say, a credit card database. In legal terms, the key is whether your company is meeting the prevailing standard in terms of security, whatever that standard may be.
That's a tricky subject because there is no definitive measure of what constitutes a prevailing standard for security in a given vertical industry. The Center for Internet Security, however, is working to come up with benchmarks that will help in that effort. (See www.cisecurity.org for more details.)
In the mean time, Kreitner left the audience with three action items to address back at the office:
- Set a new policy that no new system will be connected without passing a test of minimum security.
- Rate all your machines for security and report to top management; repeat monthly to show progress.
- Require your business partners to meet a minimum security standard. The reason? "When you hook your systems to somebody else's, guess what - you just bought all of their vulnerabilities," Kreitner said.