Corporate IT risks and physical threats are changing security deployment

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,81444,00.html

By JAIKUMAR VIJAYAN 
MAY 22, 2003
Computerworld 

PHOENIX -- Growing IT and physical risks and emerging regulatory 
requirements are transforming the manner in which security functions 
need to be viewed, implemented and managed, said executives at the 
SecurIT 2003 Summit here this week. 

For instance, it is becoming increasingly important for companies to 
look at IT and physical threats from a common, unified risk-management 
perspective, said Dennis Treece, director of corporate security at the 
Massachusetts Port Authority in Boston. 

As one of the executives in charge of securing Boston's Logan 
International Airport, three seaports and a major toll bridge, Treece 
is focused primarily on physical infrastructure protection. But he 
also oversees the IT side as well, sitting in, for example, on all 
meetings regarding the implementation of a new Gigabit Ethernet campus 
LAN at Logan Airport. 

Such unified oversight of security functions is not only necessary, 
but inevitable, he said. "At the end the day, the board is going to 
see no difference between network and physical security. There's going 
to be a single security budget line item. It's all the same risk," he 
said. 

The need to comply with emerging privacy regulations and other laws 
also means that IT security organizations will have to collaborate 
better with other corporate functions such as legal, audit and human 
resources, said Robert Degen, senior vice president of corporate 
security at First Data Corp. in Englewood, Colo. 

Such alliances will become crucial in securing the money and support 
needed to implement enterprisewide security in future, he said. 

"You can't go it alone like a Don Quixote," said Degen, who, like 
Treece, oversees both IT and physical security for First Data. Degen 
reports to First Data's chief auditing officer, an arrangement that he 
said has allowed security to remain a top issue at the board level. 

It is crucial for security executives to be proactive in overcoming 
notions of security as an expensive and non-revenue-generating 
function, users said. And that means being able to put a dollar value 
on risk as much as possible, especially at a time when IT spending 
overall has been considerably tightened, Treece said. 

Jude Ogunleye, a systems administrator at Cascade Natural Gas Corp. in 
Seattle, is thinking of getting his company's network tested and 
analyzed by a third party to highlight weaknesses that could be 
exploited in future. The idea is to demonstrate just "how much money 
you can lose with a downtime," he said. 

While getting funding for security initiatives is easier than it was a 
few years ago, "a business case for information security will most 
likely still have to be made in almost all organizations if drastic 
changes in funding or staffing are expected," said Jason Witty, 
director of global security architecture at Aon Services Corp., a 
subsidiary of the $8 billion Aon Corp. in Chicago. 

That means "companies need to understand their risks, prioritize them 
based on their corporate risk tolerance and then craft budgets and 
plans to both manage those risks appropriately and to measure how well 
the risks were handled," he said. 

The use of statistics, live demonstrations showing how easy it is to 
compromise data, recitation of regulatory requirements, presentation 
of internal metrics and measurements that depict infosecurity problems 
that must be solved are all ways of securing what is needed for 
security, he said. 

To get upper management's approval for the resources needed for 
security, Witty recommended using statistics, giving demonstrations 
showing how easy it is to compromise data, explaining regulatory 
requirements and presenting internal measurements that depict 
infosecurity problems that must be solved. 

The value of clearly articulating security concerns at high levels is 
crucial, Degen said. First Data's infosecurity team, for instance, 
managed to persuade management of the need to build "firebreaks" 
between the networks of several of the companies it has acquired over 
the years. The security measure was approved even though it ran 
somewhat counter to the company's corporate goal of building a 
seamless and unified network. 

"Security organizations will need to be in the face of senior 
executives and board members in the near future," said Bruce Azuma, 
corporate director of IT at Wilbert Inc., a holding company in the 
funeral services and industrial plastics businesses. The heightened 
awareness about IT and physical risks has broadened the company's 
approach to security. 

Instead of virus protection and network management, the focus these 
days is more on intrusion prevention, physical security and disaster 
recoverability. Security executives "need to be reminding high-level 
folks of the business exposure they have if tight security measures 
are not taken," Azuma said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.