/* -- STUFF -- */

CW: Talking information security with business managers

Wednesday, October 04, 2006


As a journalist at Computerworld Australia:

Convincing business executives to address information security issues can be a nightmare for some IT managers. Liz Tay speaks with management consultant Jed Simms, executive chairman of Capability Management, about communicating security risks in a business-savvy manner.

What are the security issues companies face?

We've got a barrage of issues. They [CEOs] have a mindset that just doesn't think about some types of risks. They can't conceive of people whose life is malicious hacking of networks, because it's not something they would ever do.

I used to be head of strategy for a bank, and was amazed when I learned that occasionally, a controller of ATMs (automatic teller machines) would go down so a group of ATMs would be disconnected from the mainframe and allow people to take some money out. People would find that out within half an hour and whole gangs of people would go with stolen cards and take money out. It's something that I'd never conceive of, that that sort of thing can happen.

I use that as an illustration that we need to educate senior management that there is this new world out there, and you can't just frighten [hackers] off using bits of hardware and equipment. And that's why this is a business issue.

Then you're talking about what degrees of freedom we're going to allow our people to have, and where we have to draw the boundaries, and we may have to redraw those, because sometimes we can draw them better.

In the case of one large organization, it had a lot of security to stop people from getting in with either illegal or unequipped devices, but once you're in, you could go virtually anywhere within the network. The company had a lot of outsource suppliers connected to the network, and because of security, it had to provide all the gear for them. But when we [implemented a system] where some areas are public, and some restricted, we had this far more gated network which actually led to the outsourced people coming with their own equipment, because they only had access to this little bit here.

So we reduced the cost for the company that was providing the network and actually increased its security by having a different way for it of doing business and how security and risk management were actually impeding how they make money.

What are the risks businesses face?

Through the whole transmission and management of information and the security of data access and transfer. You have people who may maliciously or inadvertently [infect the network]. One example is of a client's problems with people who were patching its PC or laptops. One woman connected to the network four PCs with essential patches the IT people didn't know about, and that's where a virus got into the whole company.

These people think they're saving a few thousand dollars by not using the official PCs, but cost the organization hundreds of thousands of dollars as a result. It's that risk awareness that is one of the hardest things to get organizations to understand.

Everyone talks risks, but they often talk about it in different ways - in terms of access and desktop management and all these other things - without really spelling out what the risk level is, and therefore what they need to do, or not do, to preserve the integrity of the network.

Do employees pose a great risk to an organization's data security?

We've done several surveys [on how disgruntled employees can compromise a company's security]. They come up with a whole range of avenues that they know are backdoor keys to certain databases.

There are mechanisms whereby you can sidestep the firewall, which may be put in for quite valid business reasons at the time, but of course companies don't look at what happens if someone leaves with that knowledge, and especially if they leave with bad feelings. That can create a real risk in the market.

There is a story about the Walker brothers who sold secrets to the Russians. They were in court because one of their ex-wives dobbed them in. [Laughs] So there's someone who had left and decided to get her revenge.

It's understanding that the risk may not be there today, but are you building it in for tomorrow.

How do you mitigate risks associated with people?

By making people aware of risks as a culture. One of the things we teach organizations is boundary control. You have to say, "These are the boundaries within which we can operate. This is where we draw the line, and if you do something that's dishonest, I don't care who you are, where you are, or whatever reason - you're out."

The management has to live it and breathe it.

What are, and how do you mitigate, risks associated with hardware?

One of our clients was putting in place a highly duplicated network because it couldn't afford to let the systems go down. I was a consultant in another organization that was reviewing this, and found an unsecured box outside the building [through which all networking cables ran]. I said, "There they are. Trap that box and you've just put the whole centre off air completely."

This is actually quite common, because people get a map in their minds of what they're trying to achieve and they miss the obvious.

Within the data centre, I remember a computer room which had one of these keypads to get in with a security key. And they'd written the code on the top, because they couldn't be bothered to remember it! [Laughs]

What are the top five security mistakes organizations make?

Firstly, underestimating the change in risks over the last five to 10 years. With the Internet came a whole new world, and while people say, at the back of their minds, "Yes, we know that", they're not actually doing a great deal about it.

The second aspect is that risk isn't high enough in the mental model of organizations. They're not thinking, and they're not building it into their culture. In a bank, you're more likely to find that credit risk is a much higher priority than information risk.

Third is probably that they haven't defined the law, they haven't defined boundaries. Organizations need to make sure they are looking at the whole picture, and address it as a business project, and say "How does this change how we do our business", and stop thinking about risks as this thing on the side.

Fourth are things like identity management. They're the classic, where in most organizations, most people have five, six, seven identities to log in to different systems. And it's been shown that where that happens, there's far more penetration into the business because when someone leaves, you might get [remove] six out of those seven, but you may not know they had access to that seventh system.

Technology has recently caught up where you can have a single login for multiple systems, but management doesn't see the value in that. That's because the IT people are looking at it as an IT identity management issue, rather than an operational issue, like "How do we secure and also make it easier for our staff to use what they have to, and also better control what they have access to."

IT people are also part of the problem in that they often think too narrowly about the technology they try to put in rather than the implication and benefits they're actually bringing to the organization.
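The "six out of seven" identities problem Simms describes above is, operationally, a reconciliation check: every system's account export is compared against the HR roster and against the record of what the leaver process actually disabled, so the seventh account that nobody knew about shows up as a finding. The following Python is an illustration added here by the editor, not code from the interview, from Computerworld or from Capability Management; the roster, account lists, disabled set and field names are constructed sample data and assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical). Real inputs would be an HR
# export plus one account export per system.
HR_ROSTER = {
    "E100": {"name": "Alice", "status": "active"},
    "E200": {"name": "Bob", "status": "left"},
    "E300": {"name": "Carol", "status": "left"},
}

# Each system exports (account_name, owner_employee_id). A None owner
# means the system never recorded who the account belongs to.
SYSTEM_ACCOUNTS = {
    "email":    [("alice", "E100"), ("bob", "E200"), ("carol", "E300")],
    "vpn":      [("alice", "E100"), ("bob", "E200"), ("dan", "E999")],
    "crm":      [("a.smith", "E100"), ("c.jones", "E300")],
    "payroll":  [("bob2", None), ("alice", "E100")],
    "fileserv": [("svc-backup", None), ("bobw", "E200")],
}

# What the offboarding process actually disabled for the two leavers.
DISABLED = {("email", "bob"), ("vpn", "bob"), ("email", "carol")}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str
    owner: Optional[str] = None


def reconcile(roster=HR_ROSTER, accounts=SYSTEM_ACCOUNTS, disabled=DISABLED):
    """Return every still-enabled account that cannot be tied to an active person."""
    findings = []
    for system, entries in accounts.items():
        for account, owner in entries:
            if (system, account) in disabled:
                continue  # already handled by offboarding
            if owner is None:
                findings.append(Finding(system, account, "unknown owner"))
            elif owner not in roster:
                findings.append(Finding(system, account, "owner not in HR roster", owner))
            elif roster[owner]["status"] != "active":
                findings.append(Finding(system, account, "owner has left", owner))
    return sorted(findings, key=lambda f: (f.system, f.account))


def leaver_coverage(roster=HR_ROSTER, accounts=SYSTEM_ACCOUNTS, disabled=DISABLED):
    """Per leaver: (accounts found across all systems, accounts actually disabled).

    This is the 'six out of seven' number from the interview made explicit.
    """
    stats = {}
    for system, entries in accounts.items():
        for account, owner in entries:
            if owner in roster and roster[owner]["status"] == "left":
                total, done = stats.get(owner, (0, 0))
                done += 1 if (system, account) in disabled else 0
                stats[owner] = (total + 1, done)
    return stats


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.system:9} {f.account:12} {f.reason} ({f.owner})")
    for emp, (total, done) in leaver_coverage().items():
        print(f"{emp}: {done} of {total} accounts disabled")
```

Accounts with no recorded owner are reported alongside the leavers' orphans on purpose: a system that cannot say who an account belongs to can never be cleanly offboarded, which is the root of the problem the interview describes.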
Is there a big difference in the perspectives of IT people and management?

Oh god yeah. [Laughs] One of the questions we often ask CIOs is, "How many people in the IT department could give a presentation on what the company is about, how it makes its money, who its customers are, who its competitors are, what are the greatest challenges, where it's going" - and the answer is never more than 5 percent.

How can you design systems for a company you don't understand? So a large part of what our [consultancy] business does is take what the IT people try to do, and then convert it into business terms: "What we're really doing is changing the way we can interact with our vendor," or "changing the way our customers can get to their information".

And that is something business management can understand, can prioritize - and then you start seeing some action. But if you just come in and say "I want to put in a single identity management system, and it's going to cost $4 million," they won't see the value.

To some extent, if they [IT people] are technology-based, they can often get caught in old thinking, for instance when a technology question, like single identity management, comes up they say, "Yeah, that's a good thing", instead of developing a business outcome so they can explain it to business executives. Because that's what IT is there for; it's there for the business.
