Just 30 minutes a year stand between full security for the Australian Taxation Office and the risks it will face in the coming 12 months.
That's the window of opportunity Michael Hirschfeld, ATO's director of technology security, has to discuss with the agency's senior management the IT risks the department will need to address during the next year. Furthermore, in that slim time frame, Hirschfeld shares the floor with colleagues dealing with physical security matters.
So for Hirschfeld, it is critical to keep the discussion focused and "hit them in their business pocket".
"There is a real risk of scare mongering. It's important to know how to brief senior management," he said. "You don't want to be seen as the boy who cried wolf."
Hirschfeld, speaking on risk management at the SecurIT 2002 Conference in Sydney this week, shoulders the task of maintaining a "monstrously" secure environment for the ATO.
"When you're up to your arse in alligators, it is difficult to remember that the original objective was to drain the swamp," Hirschfeld said. "This is IT security in a nutshell.
"We work in an industry that is always changing, and the task [of securing systems against risk] is never done. New risks present themselves on a daily basis."
Hirschfeld said the examples of "alligators" that IT security faces include viruses, denial of service attacks, setting up encryption on internal networks, virtual private networks, mobile computing and access control.
Making IT security a business objective for senior management is one of Hirschfeld's long-term objectives, and it places even more pressure on IT to deliver.
"IT security is only partly a technology problem. It is far more a people problem and you need management strategies to mitigate those risks," Hirschfeld said.
"As risks increase we have to rely more and more on the technology available to us. It's a Catch 22 situation. There has to be patches put in place and diagnostics run to tell if we are up to date with vulnerabilities and securing systems. There is no way that a human being could do all that without technology," he said.
Additionally, Hirschfeld said, IT security resources are poor.
"It is hard to get good [IT security] staff in the public sector. The private sector snaps them up and we can't match their salaries."