ALKHOBAR, 29 March 2005 — This job has its advantages, I do agree. My office is stacked with free pens and complimentary calendars. The huge amount of e-mail I receive daily means that I never have time to feel lonely. And the last time I had to pick up the tab in a coffee shop was Sept. 27, 1989. While all these perks are grand, I must admit that there is an even greater benefit to a career as a journalist.
The truth is that I keep doing this job because of all the incredible people I get to meet. As a journalist I can walk up to anyone and ask to chat. I don’t have to know the person. I don’t need a formal introduction. Most people require hardly any explanation before answering my questions. It’s amazing.
In my career I have been truly blessed by the number of outstanding individuals who have agreed to sit down and talk with me. That’s how I met Professor Fred Piper. I encountered him in Athens at a conference where he was speaking, asked him to join me for a cup of tea — and he did.
Piper obtained a First Class Honors degree in Mathematics at Imperial College (University of London) in 1962 followed by a PhD in 1964. He became a Professor of Mathematics at the University of London in 1975 and has worked in IT security since 1979. He is currently director of the Royal Holloway Information Security Group (University of London) that was awarded the Queen’s Anniversary Prize for Higher and Further Education in 1998.
In addition to all of that, Piper has published over 100 research papers, six books and is on the editorial boards of two international journals. He has also supervised over 50 Ph.D. students, has lectured worldwide on a wide range of topics in information security and has received numerous awards. In other words, in the area of information security this man is a legend.
But the average observer wouldn’t know that by his appearance or manner. Piper dresses down. He doesn’t own a mobile telephone. He admits to not reading or answering e-mail. He scratches all his important ideas onto an ordinary yellow lined pad of paper, which in Athens he absent-mindedly left at the hotel’s front desk during checkout. In fact, the only way one might get a clue as to the high regard accorded Piper is by seeing an audience of young IT professionals give him a standing ovation as he is introduced to speak.
When Piper discusses IT Security he doesn’t use jargon or industry gobbledygook. He lays out his thoughts in plain English that a 10-year-old could understand. He says that he sees no need to make IT Security more mystifying to people than it already is.
“I’m an educationalist and I believe that people must understand the overall picture first,” said Piper. “Awareness and training are crucial to everything in information security. They are central to small businesses, large businesses — everybody. Once you’re aware of what information security is and the possible threats to your company or organization’s information, planning to protect that information involves taking a long-term strategic view together with the shorter tactical view. For both of them the first requirement is to know what you’re doing and why. Following trends, buying equipment and wondering what you’re going to do with it after you’ve bought it is just crazy. Analyze the threats to your information security. Be sure you know what’s going on and then basically just make a strategic plan.”
Piper explained that the trend globally is to make information security a fundamental part of business practices.
“Directors of companies have to be responsible for the security policy of their companies and for being able to assure the auditors that their so-called ‘security experts’ are knowledgeable,” he pointed out. “For this those security experts need some form of qualification. The obvious thing from our perspective is the Master’s programs in Information Security, in which we claim to have the best. Yes, they do involve coming to the UK and they do involve investment of a year of people’s time. It is quite an investment. It certainly is a strategic investment.”
Not everyone who would like to earn such a degree can invest in a year of study abroad. For this reason the University of London started a distance learning program, which can be done from any country. According to Piper, it is a much harder way to do the degree. It is a recent innovation, introduced only last year, but already 100 people have registered for the program.
“It should not be thought that this degree is for IT graduates only,” emphasized Piper. “Roughly a third of our students are business people, without IT degrees. There is a need to be computer literate but that’s about all. It is a Master’s program because of the breadth it offers not because of the depth. It covers management, hardware, policies and strategies. For example, take me. I run this program. I understand the need for antivirus in a network. I can tell you what a virus is but I couldn’t write a virus and I wouldn’t want to. I’m not interested in that technical side.”
Managers at the senior level generally cannot devote the time required to earning advanced university degrees. For this reason Piper encourages local chambers of commerce and other agencies to bring experts in to offer short classes on information security. He noted that grouping 20 people together for a week-long seminar more than covers the costs and greatly raises the awareness level in the area of information security among the attendees.
“This is essential because even in Britain surveys have found that over half the companies don’t have a security policy,” stated Piper. “Companies don’t take the business case for information security seriously. Their management claims that it’s an expense they can’t afford. The big problem everywhere is that investing in security doesn’t bring positive income. If you are the company finance director, security is a sinkhole down which you pour money and often there’s no confidence that there is some return on that investment.”
In order to justify investment in information security, many companies have begun bringing in Piper to advise them on information security strategy.
“People need to learn to value their data,” he said. “Companies must perform risk analyses. Questions must be asked such as ‘What would happen if you lost access to this data for a day, a week, a year or forever?’ What is the obligation to your customers to look after this data? Eventually there is enough critical mass and enough companies are implementing information security so it becomes a part of the local business culture. The sad way for that process to be jumpstarted is for one company to suffer a disaster. That is the painful way for companies to learn the value of information security.”
While security has a cost, insecurity costs as well. Piper counseled that the trick is to minimize the pair.
“Honestly, there are instances where the best solution is to do nothing. Just risk it,” he said. “For example, let’s take a small shop that sells sweets and loses SR10 daily in petty shoplifting. Any solution to stop it will probably cost more than SR10 daily so it makes the best economic sense for the shop just to continue as they are. They must keep an eye on the theft to make sure it doesn’t increase, but it’s not worth installing cameras or employing a store detective. The danger is that the level of theft will increase because the shop gets known as an easy target.”
He concluded, “Small businesses at the struggle stage that know the risks they are taking by not having information security may just cope for a while. But at least they are aware of the risks and can try to minimize them. That’s what information security awareness is about. Awareness doesn’t mean hiring a security consultant and then doing exactly what he tells you. Awareness means knowing the risks you are taking. A good information security adviser will never tell a company what risks are acceptable and what risks aren’t. The consultant tells you what the risks are and how those risks will change according to your investment in information security.”