Growing IT and physical risks and emerging regulatory requirements are transforming the manner in which security functions need to be viewed, implemented and managed, said executives at the SecurIT 2003 Summit this week.
For instance, it is becoming increasingly important for companies to look at IT and physical threats from a common, unified risk-management perspective, said Dennis Treece, director of corporate security at the Massachusetts Port Authority in Boston.
As one of the executives in charge of securing Boston's Logan International Airport, three seaports and a major toll bridge, Treece is focused primarily on physical infrastructure protection. But he also oversees the IT side as well, sitting in, for example, on all meetings regarding the implementation of a new Gigabit Ethernet campus LAN at Logan Airport.
Such unified oversight of security functions is not only necessary, but inevitable, he said. "At the end the day, the board is going to see no difference between network and physical security. There's going to be a single security budget line item. It's all the same risk," he said.
The need to comply with emerging privacy regulations and other laws also means that IT security organizations will have to collaborate better with other corporate functions such as legal, audit and human resources, said Robert Degen, senior vice president of corporate security at First Data Corp. in Englewood, Colo.
Such alliances will become crucial in securing the money and support needed to implement enterprisewide security in future, he said.
"You can't go it alone like a Don Quixote," said Degen, who, like Treece, oversees both IT and physical security for First Data. Degen reports to First Data's chief auditing officer, an arrangement that he said has allowed security to remain a top issue at the board level.
It is crucial for security executives to be proactive in overcoming notions of security as an expensive and non-revenue-generating function, users said. And that means being able to put a dollar value on risk as much as possible, especially at a time when IT spending overall has been considerably tightened, Treece said.
Jude Ogunleye, a systems administrator at Cascade Natural Gas Corp. in Seattle, is thinking of getting his company's network tested and analyzed by a third party to highlight weaknesses that could be exploited in future. The idea is to demonstrate just "how much money you can lose with a downtime," he said.
While getting funding for security initiatives is easier than it was a few years ago, "a business case for information security will most likely still have to be made in almost all organizations if drastic changes in funding or staffing are expected," said Jason Witty, director of global security architecture at Aon Services Corp., a subsidiary of the $8 billion Aon Corp. in Chicago.
That means "companies need to understand their risks, prioritize them based on their corporate risk tolerance and then craft budgets and plans to both manage those risks appropriately and to measure how well the risks were handled," he said.
The use of statistics, live demonstrations showing how easy it is to compromise data, recitation of regulatory requirements, presentation of internal metrics and measurements that depict infosecurity problems that must be solved are all ways of securing what is needed for security, he said.
To get upper management's approval for the resources needed for security, Witty recommended using statistics, giving demonstrations showing how easy it is to compromise data, explaining regulatory requirements and presenting internal measurements that depict infosecurity problems that must be solved.
The value of clearly articulating security concerns at high levels is crucial, Degen said. First Data's infosecurity team, for instance, managed to persuade management of the need to build "firebreaks" between the networks of several of the companies it has acquired over the years. The security measure was approved even though it ran somewhat counter to the company's corporate goal of building a seamless and unified network.
"Security organizations will need to be in the face of senior executives and board members in the near future," said Bruce Azuma, corporate director of IT at Wilbert Inc., a holding company in the funeral services and industrial plastics businesses. The heightened awareness about IT and physical risks has broadened the company's approach to security.
Instead of virus protection and network management, the focus these days is more on intrusion prevention, physical security and disaster recoverability. Security executives "need to be reminding high-level folks of the business exposure they have if tight security measures are not taken," Azuma said.