ALKHOBAR, 14 December 2004 — Mike Small, the director of Security Strategy for Computer Associates, Europe, Middle East and Africa (EMEA), is speaking this week at the Information Systems Audit and Control Association (ISACA) Computer Audit, Control and Security (CACS) conference and the Middle East ITSEC conference in Dubai. If you couldn’t make it there, never fear. In order to share his thoughts and advice with corporate managers and IT professionals in the Gulf’s largest market, Saudi Arabia, CA’s EMEA security chief gave an exclusive interview to Arab News before arriving in the region.
“I think that the security industry in general and IT security in particular has been very, very poor at communicating to business people what the risk is and what the benefits of investing in security might be,” said Small. “This is really problem No. 1. Unless you as an organization really understand what it is that you stand to lose and in terms of business the reasons why you need to secure things, then you’re wasting your money. Very few businesses nowadays can actually survive without their IT systems. IT systems have become increasingly important even to small businesses. Imagine that something happened that disabled all of your desktops. And imagine what the consequences would be to your business. So, I think the first thing that managers of companies, large and small, have to do is to go through and understand what their needs are, what vulnerabilities they have and what the threats are at a business level, rather than at a technology level.”
Once executives have made a thorough assessment of their company’s needs, threats and vulnerabilities, then they must go back to what Small calls the “three cornerstones of security” — confidentiality, integrity and availability.
“Various studies have shown that for most organizations the most critical of those is in fact availability,” Small commented. “That is to say, assurance of business continuity. The next most important thing is usually either confidentiality or integrity, and that refers to the data that you hold. Integrity means keeping the data as it should be, being sure that nobody has tampered with it. If it is possible for people to interfere with what your business records are, then that is in fact a risk.”
Small also advised that there is no purely technological solution that covers everything an organization needs for information security management. Additionally, if availability of IT resources is essential, then organizations must not only guard against threats and security risks but also be certain that their systems are running properly and that all the elements needed to keep them up and running are in place. Small suggested that all organizations refer to the international standard for information security management, ISO 17799, in order to survey their information security management needs.
“ISO 17799 sets out 127 controls that you can actually set up in order to ensure the information security management of your organization,” Small said. “Look over those 127 topics with a security consultant and see which ones matter to your business. You may not be concerned about cryptography or network security on a Wide Area Network because you don’t have that kind of thing. But you may well be concerned with personnel security. When you get down to it, you’re going to have to find the balance between people, process and technology which best suits your organization.”
The foundations of good corporate information security management, Small explained, are authentication, authorization, administration, auditing and technology. A company must first recognize who its employees are. Then it must decide what those employees are allowed to do. Next, the employees must be given the rights to perform those activities (or have them revoked), and finally there must be auditing so that the company knows who has what abilities.
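The cycle just described (know the user, decide what they may do, grant or revoke the right, and be able to report who holds what) can be shown as a small entitlement register. The following is an added example written for this article, not code from Computer Associates or from the interview; the user names, rights and the `AccessRegister` class are constructed for illustration.

```python
"""Minimal identity and entitlement register (constructed example).

Each administrative action is appended to an audit trail, so the last step
Small describes, knowing who has what, is a query rather than guesswork.
"""
from datetime import datetime, timezone


class AccessRegister:
    def __init__(self):
        self.users = set()   # identities the organization recognizes
        self.rights = {}     # user -> set of rights the user may exercise
        self.audit = []      # append-only record of administrative actions

    def _log(self, action, user, right, actor):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action, "user": user, "right": right, "actor": actor,
        })

    def register_user(self, user, actor):
        """Step 1: recognize the person as a known identity."""
        self.users.add(user)
        self.rights.setdefault(user, set())
        self._log("register", user, None, actor)

    def grant(self, user, right, actor):
        """Step 2/3: assign a right, but only to an identity we already know."""
        if user not in self.users:
            raise KeyError(f"unknown user {user!r}: register the identity first")
        self.rights[user].add(right)
        self._log("grant", user, right, actor)

    def revoke(self, user, right, actor):
        self.rights.get(user, set()).discard(right)
        self._log("revoke", user, right, actor)

    def remove_user(self, user, actor):
        """Leaver process: every right is revoked individually (each revocation
        is audited) before the identity itself is removed."""
        for right in sorted(self.rights.get(user, set())):
            self.revoke(user, right, actor)
        self.users.discard(user)
        self.rights.pop(user, None)
        self._log("remove", user, None, actor)

    def is_allowed(self, user, right):
        """Authorization check used by the systems that enforce the rights."""
        return user in self.users and right in self.rights.get(user, set())

    def who_has(self, right):
        """Step 4: audit question 'who currently holds this right?'"""
        return sorted(u for u, rs in self.rights.items() if right in rs)

    def entitlement_report(self):
        """Audit question 'what does each user hold?'"""
        return {u: sorted(rs) for u, rs in sorted(self.rights.items())}


if __name__ == "__main__":
    reg = AccessRegister()
    reg.register_user("alice", actor="admin")        # constructed sample user
    reg.grant("alice", "read:ledger", actor="admin")
    print(reg.entitlement_report())
    reg.remove_user("alice", actor="admin")
    print([e["action"] for e in reg.audit])
```

The point of the example is the order of operations: a right cannot be granted to an identity that was never registered, removal of a leaver revokes every right through the same audited path as an ordinary revocation, and the two report methods answer the audit questions directly from the register rather than from memory.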
After controlling the individuals who use corporate IT resources, Small pointed out, it is essential to have a good inventory of all the technology an organization owns and uses, both hardware and software. On the software side, that inventory should be detailed enough to record the patch level and configuration of each system.
“It is also necessary to have some understanding of what vulnerabilities exist in your IT and that can be very difficult for a small company. Much of the information collected on vulnerabilities is highly technical and beyond the ability of a single individual in a small company to keep up-to-date with,” Small said. “In order to deal with this situation it is necessary for small and medium-sized firms to buy into a service that gives you a feed into what these vulnerabilities are and provides an automatic way of checking whether or not your systems have been patched or otherwise protected. By comparing assets and protection levels, company managers can easily find out where the vulnerabilities are and can prioritize how to bring in remediation and decide what the fix is.”
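Small's last sentence describes a reconciliation: the asset inventory (what is installed, at what patch level) is compared with the vulnerability feed (which versions each advisory affects) to produce a prioritized list of what to fix. The script below is an added example of that comparison, not code from Computer Associates or from any vendor feed; the inventory rows, the advisory identifiers (`ADV-0001`, `ADV-0002`), the severities and the host roles are all constructed sample data.

```python
"""Reconcile a software inventory with a vulnerability feed (constructed example)."""
import csv
import io

# Constructed inventory: one row per installed product per host, with the
# version (patch level) the asset inventory recorded and the host's exposure.
INVENTORY_CSV = """host,product,version,role
web-01,webserver,2.4.1,internet-facing
web-02,webserver,2.4.3,internet-facing
db-01,dbms,10.2.0,internal
file-01,dbms,10.1.7,internal
"""

# Constructed feed: for each advisory, the product and the first fixed version.
# The ADV-* identifiers are placeholders, not real advisory or CVE numbers.
FEED = [
    {"id": "ADV-0001", "product": "webserver", "fixed_in": (2, 4, 3), "severity": "high"},
    {"id": "ADV-0002", "product": "dbms", "fixed_in": (10, 2, 0), "severity": "medium"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_RANK = {"internet-facing": 2, "internal": 1}


def parse_version(text):
    """Dotted numeric version -> tuple, so that 10.1.7 < 10.2.0 compares correctly
    (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in text.split("."))


def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_exposures(inventory, feed):
    """One finding per (host, advisory) where the installed version is older
    than the version the advisory says contains the fix."""
    findings = []
    for row in inventory:
        installed = parse_version(row["version"])
        for adv in feed:
            if adv["product"] == row["product"] and installed < adv["fixed_in"]:
                findings.append({
                    "host": row["host"], "product": row["product"],
                    "installed": row["version"], "advisory": adv["id"],
                    "severity": adv["severity"], "role": row["role"],
                })
    return findings


def prioritize(findings):
    """Highest severity first; among equal severities, the more exposed host first."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f["severity"]], EXPOSURE_RANK.get(f["role"], 0)),
        reverse=True,
    )


def remediation_plan(inventory_text=INVENTORY_CSV, feed=FEED):
    return prioritize(find_exposures(load_inventory(inventory_text), feed))


if __name__ == "__main__":
    for f in remediation_plan():
        print(f"{f['severity']:<7} {f['host']:<8} {f['product']} {f['installed']}"
              f" -> fixed by {f['advisory']}")
```

With the constructed data, `web-02` and `db-01` already run the fixed versions and produce no finding, while `web-01` (high, internet-facing) is listed ahead of `file-01` (medium, internal). The example assumes purely numeric dotted versions; a real feed would need the vendor's own version-comparison rules, and the inventory must be current for the comparison to mean anything, which is why Small stresses keeping it in detail.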
Much about the nuts and bolts of information security management is straightforward. However, Small reminded all executives to beware of the three M’s – malice, misuse and mistakes. These are the types of threats that can be caused by human interaction with IT and can lead to a loss of business. He said with a gentle smile that while malice tended to get the most attention from the media, misuse and mistakes (also known as stupidity) associated with IT had a long history of causing far more financial damage.
“Decide what aspects of information security management are important to your company,” concluded Small. “Learn how to manage the operational risks presented by IT. Only then look into purchasing information security technologies.”
(Comments to [email protected].)