Carl Sagan might tell you, were he still alive, that security has been a preoccupation of all life ever since a glob of gloop built the first cell wall.
However, as the citizens of Troy might attest, a wall may provide defence, but defence does not mean security.
We like to secure two things — our physical selves and our possessions. Security was once all about having stone walls and soldiers between you and your possessions on one side and the outside world on the other.
Even then, the stone walls themselves offered little security. Instead, the security rested on the discipline of your guards. Were they alert, did they walk the walls, or sit and play cards; were they loyal, motivated, trained?
You had to keep them fed and paid. They in turn had to feel that their families were safe under your protection. Security then was always about much more than stone and steel.
Security was about process, logistics and operations management.
Today, security is no different — except the possessions are not gold and gems but information — either intellectual property or commercial-in-confidence — and the self is no longer a throne but a corporation.
Attack comes in many forms.
Viruses can be mindless random events that wreak havoc or intelligent agents seeking particular targets.
Hackers are now often deliberate — seeking gold in the form of customer credit and banking details — or particular commercial-in-confidence files.
Gartner says that random hacker attacks are in decline — they suggest there are now so many more interesting things to do on the Internet that the vandals are distracted. There is also internal attack in the form of rogue or dim-witted staff who can use e-mail, FTP or sneakernet to transfer information to the outside.
Staff can also cause massive damage through misuse of technology. E-mails containing sexually explicit, racially offensive or commercially wrong or misleading information can expose a company to massive lawsuits.
Physical disaster is still a risk — terrorist attack, earthquake, or even a car accident causing a power failure.
And the rate at which incidents are occurring is picking up. In 1992 CERT reported 773 security incidents on America’s collective corporate and government IT infrastructure.
By 2002 the number of incidents had jumped to 82,094, with more than 42,000 reported in the first quarter of 2003 alone. Also, large organisations based in major cities must be at least aware of increased risks associated with civil emergencies, such as the spate of terrorist attacks following on from September 11.
Hence the enterprise IT manager has long stopped viewing security as a technology issue, and instead treats it as a risk management issue.
But risk management is all about weighing up the chances of an unwanted event against the damage done should that event occur.
From an IT perspective, risk has grown rapidly as businesses have become increasingly dependent on IT systems, and the cost of a catastrophic system loss is now verging on incalculable.
Most business now relies almost completely on the processes that technology automates and the data which technology manages.
Severe complexity arises on several fronts. Stolen data is rarely removed, only copied, so nothing goes missing and you may not know anything has happened.
Attacks happen in cyberspace — so you cannot see anything happening.
Events happen covertly in a transaction-rich environment — spotting that one rogue transaction out of millions is difficult.
At a product level, a plethora of vendors market their wares against a security backdrop — routers, firewalls, antivirus, directory management, content scanning software, PKI, biometrics...
However, it is not products but processes and people that are taking centre stage in the calculations of enterprise IT security managers.
Randall Dennings, National Compliance Team Leader with law firm Clayton Utz, works with dozens of major corporate clients to manage corporate security issues.
“We know that if you put in place a state-of-the-art IT system it will block 99 per cent of events — but 1 per cent will get through,” Dennings says. “At that point you have to have a defence against the repercussions, no matter if they come from your customers, a director, your CEO or the Law.”
The point is that unless you can guarantee the system is secure against every possible breach of its service obligations to the corporation, there need to be contingency plans.
Security therefore is about doing your best to stop breaches but then managing breaches when they occur. “Security is a due diligence issue,” Dennings says. “You have to show you have a system that is distinct from relying on a single person to spot something amiss.”
The trend toward treating security as a business process issue is gathering pace, he says.
“One lark said September 11 changed the world forever for about a month,” Dennings says, “but in fact it did drive change — it meant that CEOs and boards of directors now take business continuity planning seriously.”
This change means IT systems security has become a strategic enterprise issue — not an issue managed through the tactical application of product technology.
“I am yet to see a business continuity planning strategy that does not include at its heart a key IT executive and at least half the budget allocated to IT-based planning,” Dennings says.
“The IT infrastructure represents the brain of the organisation — you can’t piece a nervous system back together — you have to have another one ready to go.”
Planning also involves a lot of simulation testing.
According to Dennings, one major Australian corporation recently went so far as to throw the switch — albeit in a non-peak period — just to see what would happen.
“Only half a dozen people around the CEO knew an event like this was even planned,” Dennings says.
“It was a major corporation with 24-hour call centres and operations.”