Anil Chopra
Monday, January 01, 2007
More than half of the CIOs we spoke to had a compliance policy in place, and half of them spent most of their time ensuring compliance. Only 10 per cent had fully outsourced their security management. More than half admitted to a "little difficulty" in convincing top management to invest in security solutions. About half had low satisfaction levels with security vendors.
Security is a key area of concern for just about everyone nowadays, because it's not just about combating viruses and worms anymore. It's also about establishing and enforcing a set of policies in the organization on how and what employees can access. It's also about ensuring that all critical company data is safe from prying eyes. A good security setup will always be based on the right set of technologies backed by strong policies. There has to be a proper balance between technologies and security policies. Even if you use the latest security technologies but don't have strong policies to control their usage, your setup will suffer. Likewise, you may have strong policies, but unless there are technologies that help you enforce them, all effort goes to waste.
The importance of security
By and large, security was the most important concern for slightly more than 50 per cent of the CIOs we surveyed. While that may sound reassuring, the interesting point to note is that there are still areas that are more significant than security. One, of course, is the organization's core business and the systems that support it. Business supporting systems, ERP, legal requirements and business continuity are all areas that get higher priority than security. Add to that system uptime and maintaining low costs for data transfers and connectivity as a few others you may want to place at a higher peg than security. These last two are also linked to the previous ones, because what good is security if the systems themselves are not up? We've had discussions with many CIOs in the past where the most important concern had been ensuring that all the systems were up. In fact, this was one of the areas that gave most of them nightmares.
Chart: How important a concern is security in your organization, vis-à-vis other areas of IT?
What if they were sleeping and, in the middle of the night, a critical server or storage device went down? What if they were travelling on an important trip or were out of office and received an urgent call from the office to return immediately because the ERP server had gone down? Speaking of nightmares, there are quite a few that security can also give to an IT manager or CIO, and God forbid if any of these outages are caused by a security breach. Malicious software and viruses aside, what about threats from within, like illegal access and system abuse? Or how about employees turning hostile and passing strategic business information to the competition? These are all spine-chilling thoughts. Many of our respondents put these possibilities and more before us when asked about threats from within.
Chart: Which security issues are CIOs spending most of their time on?
While the Internet has been a boon for everyone, it has also brought in lots of concerns. Hacks during data transfer, or bank account hijacking through phishing, are nothing new. They have been happening and will continue to happen; most organizations just hope it doesn't happen to them. That's enough material to keep everyone on their toes. The first point to consider while framing a security strategy is to analyze its relevance with respect to other areas. One way is to draw a direct correlation between the various areas and the financial and productivity losses that would result if each of them were to go down.
Prioritize areas that need attention
So what is it that keeps CIOs and security specialists on their toes? Where do they spend most of their time? All the 'nightmares' we just highlighted won't go away through technology alone. Nor would they go away by merely establishing a set of policies. They'll at best be minimized, and only if policies are enforced and complied with. So ensuring compliance and adherence to security policies was what kept a majority of our respondents the busiest. The next task that kept them very busy was combating external threats, followed by enforcing measures to prevent data theft and training employees on security. Surprisingly, combating phishing, spam, and zero-day attacks were not a priority for the respondents. Possibly, the first two would automatically be minimized through proper training.
A set of rules that can help employees tell spam or phishing mail from genuine mail is not very difficult to create. If a mail asks you to provide any personal information, such as your bank account's user id or password, it should obviously be ignored. Likewise, instead of trying to unsubscribe from spam mail, if a user just deletes it and informs the IT department, that's good enough. Responding to a spam mail only confirms to the spammer that your email id is valid, which opens the gates for more spam to come in. Incidentally, social engineering attacks, for all their hype, didn't seem to worry our respondents much. Guess that's also taken care of through proper training. Once you've identified the areas that are important to your business, you need to identify the key things that need to be done in them. In security, for instance, identify the area that needs the maximum attention and similarly work out your priorities for the remaining tasks. Is combating virus and worm attacks a priority area?
Most anti-virus software is able to handle it, and your own IT staff would be adept at handling it. But keeping all anti-virus packages up to date with the latest definitions is something you have to ensure. Likewise, you need to create a priority list of all tasks.
Chart: Has your organization ever suffered financial losses due to a security attack?
Learning from downtime
Security was taken pretty seriously by our respondents, because there was hardly anybody whose organization had suffered any financial losses due to a security breach. However, we did get a few reports of productivity losses due to security threats. Most of these had to do with downtime, which ranged from a few hours to a few hundred hours. What's important to note is not how much downtime occurred, but what you should do about it so that it doesn't happen again. One option is to keep the production network isolated from the Internet. As most security threats enter via the Internet, this can actually work. But if your organization relies on the Internet heavily, then you have to look at other measures. Another learning that emerged was that internal security threats can sometimes be more deadly than the external ones. This is indeed an important thing to keep in mind. A disgruntled employee could give strategic information to the competition. It could even be done by an innocent employee 'unknowingly'. Both cases are equally dangerous and need to be tackled differently.
Importance of policies
Like we mentioned above, internal threats are equally if not more dangerous than external ones. One way to combat them is by having the right set of policies. As the Internet is where the maximum threats come in from, an Internet access policy is a must. A majority of our respondents had an Internet access policy in place. As internal threats from employees are also significant, you need policies for using desktops, servers, and applications. These should govern how employees should use their desktops and what they can or can't do on them, how they should access the servers and applications, and what they should not attempt to access. Detailed guidelines on these, along with proper training on the same, are very important. So the next major set of respondents had policies for desktop, server, and application usage.
Chart: Security policies in place*
* Note: The values don't add up to 100 per cent as most of the CIOs had multiple security policies
Spam, phishing, and virus attacks come largely via email these days. While you do need anti-phishing, anti-virus, and anti-spam tools to combat them, you also need the right set of policies. Half your worries about threats coming via this channel will be gone if an email usage policy is put into effect. Around 76 per cent of our respondents had one. Patch and update management and network access control policies were up next. While these may not be something that requires employee training, they're important. You need to define access policies so that you have control over who can access what on the network. Moreover, this needs to be done not only for people, but also for applications and services. Many threats can creep into the network through open ports, and these therefore need to be kept at bay. We've already done a story on patch and update management, and it threw up a lot of interesting facts. For instance, you must test all your patches on a test system before applying them to the production system.
Chart: What action does your organization take if an employee is caught stealing sensitive data or attempting to hack into a critical server? (Employee is given a warning the first time; if the action is repeated, the employee is sacked: 31 per cent)
Interestingly, one policy that slightly more than half of the respondents had was for compliance. This is surprising because one would assume that just about everyone would have it. Possibly that's why a majority of them are spending time on ensuring compliance and adherence to policies. Or is it that there's no compliance policy in place, due to which unwarranted time is being spent on it? The latter can be dangerous and unproductive.
Chart: How frequently do you conduct security training programs for your employees?
Key elements of a security policy
Having security policies is one thing, but ensuring that they're always updated is equally important. How frequently do you do it? Have you fixed a regular time for doing the updating? If not, then maybe it's time you did. A majority of our respondents said that they update their security policies once a year. Another set of people said they do it every six months. Very few said that they do it more frequently than that. Whatever the frequency you're following, there are certain things to keep in mind when drafting security policies, according to our respondents. We received lots of inputs on what the key elements of every security policy should be. Having a clear list of do's and don'ts in your policies came up as a major element of a security policy. This has to be accepted, and a commitment taken from the top level to enforce it. In case there's a breach, penalties must also be defined. A clear definition of what constitutes a security violation needs to be put down, along with penalties for violating the same.
We'll talk more about penalties later in this story. Incident management procedures are another critical element that a security policy should contain. One more interesting response was that there has to be an HR policy on information security. It has to be business oriented and therefore driven from the top. Moreover, a policy must not be theoretical, meaning whatever's put down must be implementable. Having strong passwords is a must, and more important is that users should be aware of keeping their passwords secret. Besides making passwords difficult to remember, users must not share them with anybody. Lastly, one key element that every security policy must contain is adherence to legal/statutory requirements. Some of the security standards that our respondents were following included Sarbanes-Oxley, COBIT, ISO 27001, BS7799, BS15000, and even 168-bit encryption.
Chart: Level of difficulty in convincing top management to invest in security solutions
Importance of training
All policies are a waste if the people who need to follow them are not even aware of them. Thankfully, 62 per cent of our respondents said that they conduct training programs on code of ethics and security policies for their users. The concern was that the remaining 38 per cent did not conduct such a program. Of those who do conduct training programs, a majority use a mix of in-house and external consultants for the job. Training or no training, what if you catch an employee stealing sensitive data or attempting to hack into a critical server? What action do you take? About 14 per cent of our respondents said that they would take legal action immediately. Another 24 per cent said they sack the person on the spot. Another 31 per cent were slightly more benevolent and gave a warning to the person first. If the action was repeated, then the person was sacked. What action do you take in your organization? Your security strategy must define it very clearly. Speaking of security breaches and hacking, it is said that 'attack is the best form of defense' in the world of security. If you want to know how strong your network security is, you use hacking tools to test its strength. Unfortunately, we didn't get a sweeping 'yes' to this question. The answer was split almost equally between 'yes' and 'no' amongst the respondents.
Chart: Satisfaction level with security vendors
Chart: Your security setup is managed by?
Issues with vendors
We asked our respondents whether they were satisfied with the service offered by their security vendors. We didn't get an overwhelming 'completely satisfied'. On a scale of 1 to 5, most of the responses were equally split between 2, 3, and 4. The reasons for dissatisfaction were many, ranging from lack of skills on the vendor's part to lack of proactive response. While there can be many concerns with vendors, one thing is clear: they must be skilled enough to handle the security issues of their customers.
Source: PCQuest