
There is a serious threat from within

CIOL Bureau

Hugh Penri-Williams is a veteran of the IT security domain with close to 30 years' experience in information security, with particular interest in financial, operational and information systems audits and special investigations, including fraud.


Currently working as Chief Information Security Officer (CISO) at Alcatel, Hugh is a prolific presenter and trainer, mainly in India, on IT security issues. His current responsibilities include establishing effective information security policies, procedures and practices to safeguard Alcatel's information and computing assets. He also contributes to the prevention, detection and investigation of fraud and promotes all aspects of business continuity.

Hugh was appointed Chairman of the Information Security Forum (ISF) in March 2006 and is a Director on the Board of ISF Ltd. The ISF is an international member-owned body that harnesses the knowledge and experience of its Members to fund, drive and develop practical research on information security.

In an exclusive interview with Idhries Ahmad of CIOL, Hugh gives insights about the ISF, the security threats confronting enterprises and the role of CISO.


Please give a brief introduction to the Information Security Forum. How does the ISF help in mitigating the security concerns of enterprises?

The Information Security Forum is an independent, not-for-profit organization, established in 1989. The Information Security Forum, ISF, is recognized as the world's leading Information Security organization and independent industry authority.

Current ISF projects focus on a wide range of issues including security and legislation, identity management, phishing, patch management, information risk, VoIP and the disappearance of the network boundary.


Another key activity of the ISF is its comprehensive bi-annual Information Security Status Survey, delivering a 'real world' analysis and understanding of information risk and the causes and impact of security incidents. This includes coverage of topics such as intrusion detection, e-mail security, broadband and wireless communications, PDAs and computer forensics, as well as building on other standards such as ISO 17799 and COBIT.

You are a strong proponent of industry wide security standards. What is the importance of security standards and best practices in maintaining enterprise security?

Security standards always work fine when they are industry-wide rather than used in isolated islands. Without standards, and the associated discipline required to implement them, organizations would be in an extremely difficult situation when trying to protect themselves from harm. Standards are the fabric that binds together our approach on how best to safeguard an organization's assets.


It is really difficult, as everyone comes out with his or her own security standards. There are close to 20 different security certifications, which makes it extremely difficult for the IT community to decide which one to choose and why. We at the ISF are prompting interaction among members and other like-minded bodies to reach some level of harmonization in IT security standards in the industry.

What are the most critical security threats that enterprises face and need to be prepared for?

Contrary to common belief, insiders rather than external hackers pose the most serious threats to an organization's assets. This is because insiders have extensive knowledge about their environment, ample opportunity and probably access to resources, and often motivation stemming from impending layoffs or, in their eyes, lack of recognition and reward. Why, their employer even pays them whilst they are possibly engaged in creating harm! And the absence of IT security policies within the enterprise amplifies the risk manifold, resulting in many threats creeping into enterprises and a loss of productivity.


Remote access to the enterprise network also exposes it to security threats. CISOs need to continually do risk assessment so as to check on the threats and attacks that confront enterprise networks. Security is not a one-time investment. It is a continual process, and one should always look out for attacks and be prepared for any eventuality.

There are many instances when security issues crop up because of vulnerabilities in software. How do you look at this? Don't you think software owners should own up to these security breaches when an enterprise encounters them?

It really is amazing that the software industry has somehow managed to escape the quality and safety rigors applied to practically every other kind of product, ranging from cars to cottage cheese. But the situation is what it is, so we have to cope as best we can to find ways of identifying the flaws and then limiting the potential damage stemming therefrom. This is where the ISF plays a major role, by promoting tried and tested solutions distilled from amongst its diverse membership.


You are quite pessimistic about the current state of information security. Your quote "I don't think we're in any better shape now than we were 20 years ago. In fact, we're in worse shape" exemplifies that. Why is that so?

The number and nature of threats is increasing at a faster pace than our ability to parry them. This is primarily driven by the endemic imperfections in software cited above, the continuous emergence of devices with ever more technical wizardry and their increasing affordability. All of these factors are just what the doctor ordered for certain people itching to exploit those flaws. Take, for example, the latest communication technologies like Bluetooth, WiFi or WiMAX. Though they have the advantage of accessing information remotely, they also have their share of danger, with hackers waiting to intercept the data and use it for their own nefarious designs. We always have to be ready with security plans with regard to emerging technologies, and that is very demanding.

You talked about how to continually invest in updating your security shields against emerging threats. But that costs money, and it is very difficult for a CISO or CIO to convince management to outline a recurring budget for the security of an enterprise. How can a CIO convince management to give money for a threat which exists but hasn't struck them in the past?


It is really a very difficult situation for any CIO or CISO to ask management for money to prepare a shield against security threats. But it is not as difficult as it was some years ago. CEOs are now more aware of the security threats confronting enterprises and are more than willing to lend an ear to the CISO about emerging threats. The recent news of attacks on enterprises by hackers has actually made it much easier for CIOs to convince management to invest.

However, I feel that CIOs have to convince management of the benefits of implementing a security set-up in an enterprise: how it can save the company's information and intellectual property, which are more valuable to companies today than in the past and therefore need a higher level of protection, rather than scaring them about what will or will not happen if they do not do what he wants them to do. Continually communicate with management and keep them updated as to what is happening in the industry and how they need to plan for it. Don't sound like a geek. Communicate in simple, clear language.

The approach has to be a positive one rather than a negative one.

You come to India often; how do you find the security preparedness of Indian enterprises? Do they comply with the latest security standards prevalent in the industry?

It is not a question of whether they will comply with international security standards or not. They have to. The threat to information systems is universal. Data is as vulnerable in India as it is in other countries. They have no choice, because they are working in a globalized set-up and are expected to conform to international security standards. And in my interaction with Indian enterprises, I have found that Indian enterprises are quite conscious of security standards and are implementing them continually. The security preparedness of these enterprises is as good as, if not better than, that of their global counterparts. The budget allocated to IT security clearly illustrates this point. However, small enterprises need to work more on the security of their networks.

One of the biggest problems for an enterprise is how to foresee a threat and come up with a solution. How can an enterprise do that consistently?

I wish the ISF, or anybody for that matter, was able to invent an early warning system for hitherto unknown threats, so that we could be better prepared to meet them head-on with confidence and impunity. Nevertheless, we do make our best efforts in this respect; for example, experts from some 40 member organizations, including my own, contributed to the ISF's Securing VoIP Future Watch Report.

Emerging technologies such as mobiles, VoIP etc. come with a new set of security issues like SPIT. How can enterprises protect themselves from such threats?

With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identity theft and loss of sensitive information. An often-used phrase for early adopters of the newest technologies is that they are at the 'bleeding edge'. Well, the ISF is there for its members with antiseptic, Band-Aids and ointment (not 'snake oil', I hasten to clarify) to reduce that pain and suffering as best we can. The ISF's secure Member Exchange (MX2) website enables them to rapidly seek remedies from fellow members by posting issues of urgent concern, which is of growing importance for their ability to react in a timely and effective manner.

What are the qualities that make a successful CSO/CISO?

Every CSO/CISO should be honest, have integrity, possess good communication skills, gravitas and passion for the job, be a good team player, have a good sense of humor, be thick-skinned and have the ability to bounce back.

Although it might be expected that there would be a strong emphasis on setting strategy, planning and goal-orientation, the personal qualities that emerge from an analysis of input from CISOs are characteristic of highly interactive, socially skilled individuals. Honesty, integrity, team working, passion and gravitas are all highly valued personal qualities in general business management and, crucially, are all considered necessary for effective communication and leadership.

A sense of humor, being thick-skinned and being able to bounce back from adversity are all laudable personal qualities that are considered necessary to survive in the rough-and-tumble of a more competitive general management role, where other competitive and ambitious 'C'-level staff are the natural peer and comparison group.

What sort of awareness campaign do you have at Alcatel to make employees aware of the security concerns confronting the company?

Every year Alcatel celebrates Information Security Day on its Intranet across all its locations by making available interviews with senior management about why information security is important; creating a quiz with prizes; showing videos explaining threats such as social engineering and how to counter them; providing a free online awareness training course in several languages; best practice guidance leaflets; and pointers to the various policies and standards that apply to particular topics.
