Risk management seen as key to IT security

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,90987,00.html

By Kathleen Melymuka 
MARCH 10, 2004 
COMPUTERWORLD

PALM DESERT, Calif. -- In IT security, emotional reactions, panic and
legislation are counterproductive. But intelligent risk management can
enable organizations to face an uncertain future optimistically.  
That was the message from Merrill Lynch & Co.'s security chief to
attendees at Computerworld's Premier 100 IT Leaders Conference here
yesterday.

David Bauer, first vice president and chief information security and
privacy officer at Merrill Lynch, gave his audience a historical
perspective on the evolution of IT security, starting with the Morris
worm attack of 1988. That attack took the Internet by surprise, he
said. There were no tools to fight back and no source of reliable
information. Responses were uncoordinated, and the result was
"complete havoc," Bauer said.

He contrasted that with the Mydoom attack last month, when Merrill
Lynch combined good tools with a coordinated and carefully planned
response to understand and contain the threat after just one
infection. That attack, he said, was "just another event."

"The difference between then and now is tremendous," Bauer said, "and
preparation is the key." Preparation requires a focus on risk
management, intelligence-driven prevention and response, security at
the data-object level and a focus on both the corporation and the
individual consumer of technology.

"It's easy to get somebody's password, so make the damage that can be
done by an individual as small as possible," he said.

Bauer also suggested that, since IT security is fundamentally a
technology problem, it should be handled within the IT operation.

Merrill Lynch's IT security strategy is built around strong
organization; threat management, including intelligence, planning and
instant response; comprehensive security services; attention to public
policy, including active attempts to educate legislators; and agile
response to the changing risk environment, he said.

A key component of that strategy is dynamic risk assessment. Using
tools such as scanners, log analysis, risk metrics and asset
inventory, Merrill Lynch's security group produces a biweekly security
brief analyzing and prioritizing current threats. "That allows us to
go from a circle-the-wagons approach to intelligent risk management,"  
Bauer said.

In response to audience questions, Bauer said that as a percentage of
the IT budget, Merrill Lynch's security service costs less than that
of any competitors. "It's not about how much you spend but how well
you spend it," he said. "We're not making vendors rich, but if we buy
something, we use it."

He also noted that about half of his spending is advisory, helping the
company build secure systems, while the rest goes toward risk
management, prevention and response.

Bauer addressed the problem of legislation, which he said drives up
costs and takes resources away from actual risk mitigation. "Part of
our strategy is our Legislative Watch," he said. "We try to keep ahead
of legislators and influence them, if not to cancel legislation at
least to word it properly." He urged all corporations to do the same.

Looking ahead, Bauer predicts that the threat picture will be
"interesting." But with defenses built around thoughtful planning, he
said, "I'm optimistic about our chances for success."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.