HR vital for data security

CIOL Bureau

BANGALORE, INDIA: Human Resources departments in every organization have a vital role to play to ensure data security, according to Neal Gemassmer, vice president, Asia Pacific of Lumension Security Inc., a US-based security management company.

“Organizations should understand better on how to spend on security. Security is not all about firewall, antivirus software, etc. Proper security starts in the HR department. The HR should educate the employees about losing devices, handling and using different gadgets, etc.,” he told CyberMedia News.

Gemassmer was responding to a specific query on whether organizations should aim to spend less of their IT budgets on security, as suggested by John Pescatore, Gartner vice-president, at the analyst firm’s London IT Security Summit on 17 September.

Pescatore was mooting a model that he termed ‘Security 3.0’. “In this, IT security would anticipate threats, rather than fight them after they hit.”

With new threats being reported almost on a daily basis and analysts predicting more attacks in the offing, is security, as we have now, a journey without destination, as Pescatore said at the Summit?

Gemassmer offered a different view. “Security is an evolution that doesn’t stand still and we cannot be complacent about it. Security is not about technology; it’s about educating people. Security starts once a person joins the organization. He should understand the company’s security strategy.”

The Lumension vice president drew an example from the recent hacking of the Bank of India Web site. Even though the site says it is now safe again, “customers will think twice before using the Net; some of them might even opt for another bank,” Gemassmer said, adding that IT spending on security cannot be decreased in the face of rising threats.

Referring to a recent UK report that said 53 per cent of employees it interviewed admitted to stealing data, Gemassmer argued in favor of more mechanisms to avoid data theft.

“There should be more discovery mechanisms to detect what employees are carrying or doing. The organizations should build the necessary policy, enforce the policy and audit the policy,” he said.

Such mechanisms are necessary as there are a lot of free hacking tools available in the market. “Lots of people do not understand what a vulnerability is. This helps hackers to find loopholes,” Gemassmer observed.

Gartner estimated that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses.

However, Joanna Rutkowska, chief executive of Invisible Things Lab, puts the blame on technology. “Fixing the problem of stupid users doesn’t solve everything. I want technology that will allow me, as a savvy user, to feel secure,” and this is not available, she said at the Gartner Security Summit in London.

Gemassmer also pointed to the delay in patching vulnerabilities. “It takes 60-90 days to patch,” he said, adding that this helps cyber criminals, who launch new attacks every day. “An effective patch management is needed now,” he said.

According to a May 2007 report published by the National Vulnerability Database, 24 new vulnerabilities are identified every day, more than half of which are considered dangerous enough to warrant immediate remediation by IT departments.

“Yes and no,” Gemassmer said when asked whether new legislation is required to fight cyber criminals. Governments' roles should be limited to ensuring that companies are doing everything to protect themselves, as this would help customers. “As a customer, I have a right to know my data is safe.”

However, it is up to organizations to set up stringent measures to protect themselves. This is more applicable to India as it is “strategic in terms of the large number of BPO operations,” he said.

Lumension Security (formerly PatchLink Corp.) opened its India office in Mumbai this week. The Scottsdale, Arizona-based security management company plans to expand its India footprint to New Delhi and Bangalore shortly.
