Australia isn’t often heralded as being at the bleeding edge of technology on the global stage. A former CIO of the United States National Security Agency, however, says the country is leading the way in security.
The focal point for praise from Prescott Winter, now CTO of the public sector division at security vendor, Arcsight, is a voluntary code of practice established by ISP sector representative body, the Internet Industry Association (IIA). The ‘iCode’ recommends a set of best practice methodologies for dealing with botnets, educating customers and addressing deficiencies in network monitoring.
“Australia is going to be very interesting to watch,” he says.
The code isn’t set to go live until December 2010, but IIA’s CEO, Peter Coroneos, has already briefed the US Federal Communications Commission, the Organisation for Economic Cooperation and Development, and even the White House’s cyber security chief, Howard Schmidt, among others on the proposal — in the hope of seeing similar codes adopted globally.
But while some organisations are working towards global collaboration on information security issues, Winter does have a warning for CIOs: Understand your threat landscape, and proactively work to mitigate internal risks.
“They’re just now getting their hands wrapped around this problem,” he says. “But I’m afraid many are still reactive.”
The issue is borne out in the results of the CIO 2011 Global State of Information Security Survey. Conducted in 2010 by PricewaterhouseCoopers, the survey is made up of responses from 12,847 technology and business executives from 130 countries, including 754 answers from Australia.
One of the more alarming findings — there are several — is the number of Australian respondents who reported noticing one or more security-related incidents within their company over the last 12 months. In most cases, software and confidential customer or employee records were altered or compromised, with up to $500,000 in financial losses at stake. Worse, of the known sources of the threat, employees were the culprits in 27.7 per cent of cases, outstripping hackers, former employees and other external deviants.
Denial of service, vulnerable firewalls and compromised security at the hand of consumer technology in the workplace may remain a major concern for the CIO, but it appears the problem may be much closer to home.
It is a sentiment that Shoaib Yousuf agrees with. As an information security strategist and consultant, he has seen the worst of internal security risks. The Stuxnet worm that shook critical infrastructure across the world — including 30,000 computers in Iran — could be sourced to a single USB drive, plugged into the all-too-vulnerable SCADA network. The malware, according to Yousuf, has become a “wake up call” that has highlighted the gaps in endpoint security which could bring down an entire power, water or transportation grid.
“In the hacking and security world we used to use the term ‘weakest link’ all the time, but the threat landscape for critical infrastructure has changed,” he says. “Hackers are no longer targeting the weakest links.”
Winter agrees. Drawing from experience, he points to a nuclear energy producer which found two separate botnets operating within its network; another engineering firm discovered its network was the source of a distribution network for pornography. Internal reflection, he says, is ultimately vital to ensuring threats aren’t passed by without notice.
“There’s a lot of stuff out there that people don’t know, simply because they’re not looking.”
For better or worse, the mounting concerns have pushed security awareness amongst C-level executives through the roof. Despite the economic rollercoaster, 18.8 per cent of Australian respondents are forecasting increases to information security budgets by 10 per cent over the next 12 months, while a further 19.1 per cent will look to increase budgets by up to 30 per cent. A little under half of all respondents claim security budgets in excess of $US50,000 in 2010. Information security has become much more than small change.
Third party security
Principal for the advisory service division of PricewaterCoopers, Mark Lobel, points to the survey results as a sign that expectations have been ‘reset’ among respondents.
“There’s a real sense of tension in this year’s numbers,” he says. Employee distrust aside, Lobel says much of the tension can be attributed to the increasing reliance companies must place on third parties for their security, “whether they like it or not”. “Those partners need access to your IT infrastructure and your data. That’s tough when times are good and scary when times are bad.”
But according to Andrew Milroy, vice-president of ICT practice at analyst firm, Frost & Sullivan, the trend toward third parties is inevitable.
“Security is just going to be built-in,” he says. “As a discrete issue, I think it will disappear over time because the service provider will offer service levels around privacy and data.”
Migration towards the Cloud, telecommuting and remote access will all accelerate that trend, Milroy says, as companies become accustomed to the notion of their sensitive and often confidential data moving at the speed of light over networks that are not their own, beyond the controls of a corporate firewall.
Vendors and service providers are gearing up for the trend too, boosting in-house security expertise and buying intellectual property outright as a means of integrating security portfolios without having to start from scratch. Intel’s $US11.5 billion McAfee merger, Juniper Networks’ SMobile buy and Verizon Business’ Cybertrust acquisition serve as examples.
Outsourcing the totality of security, however, may require some getting used to and, as Lobel says, perhaps a ‘reset’ of priorities. Australian companies remain ambivalent: Almost half of the survey respondents said increasing reliance on managed security services was either important or the company’s top priority for the coming year, but only 35.6 per cent were looking to reduce the amount of full-time security personnel on-site.
Read more about information security in CIO Australia’s security category.
Survey results also indicate Cloud adoption continues to lag at a local level. About 36.4 per cent of Australian respondents said they used Cloud services, behind 52.4 per cent of companies in the rest of the Asian market. Some 47.7 per cent of respondents were apprehensive or lacked confidence in the information security of suppliers and partners, mainly due to a lack of control over others’ security policies. A total 50.6 per cent did not or were not considering any form of security outsourcing or management. Nonetheless, the more companies do outsource information security or the information itself, the greater the focus on service level agreements and ensuring compliance to security standards and strategies.
The latter rings true for Andy Pattinson, formerly from Carnival Australia. As interim IT director of a firm that represents six of the international cruise brands in Australia, including P&O Cruises, he had oversight of all information security, although strategies and priorities are ultimately dictated by global headquarters in the United States.
Unlike the rest of Carnival’s local operations, which are reported to through Carnival UK, security compliance and risk management go direct.
Two employees also oversee security risk and compliance and directly report back to US headquarters, bypassing Pattinson and local management.
As a result, most of Pattinson’s security duties largely revolved around ensuring Sarbanes Oxley (SOX) and Payment Card Industry (PCI) standards compliance, effectively amounting to 5 per cent of the company’s approximate $10 million operational expenditure. Ongoing enterprise risk assessments are carried out by three of his 20-strong IT team, and penetration testing is outsourced, but for a strong local organisation overlooking four major cruise ships there are no pressing security concerns.
“We have a baseline [that is] dictated by the group and we get to that level, then do whatever other work we need to do that might be pertinent,” he says.
The maturity of the systems has it advantages; six months into the interim role, Pattinson hardly had to lift a finger on the security side.
“It was a pleasant surprise because it means you’re not firefighting issues, you’re not having to override concerns about the day-to-day operations,” he says. “It lets me focus much more on strategic aspects and actually takes a weight off my shoulders — it doesn’t mean you lose sight of it, but you know the processes are in place to maintain it.”
The CSO role in Australia
Given the importance of security in any organisation, it would seem logical to have an executive with absolute oversight direct report to the CEO or board of directors. Yet the roles of chief security officer (CSO) and its more specific variant, the chief information security officer (CISO), are rare creatures in the Australian business landscape. Only eight respondents identified themselves as such in the survey and, while a greater proportion make mention of an existing CSO role within the company, the requisite mug shot is notably absent from executive lineups on company websites. Those who do exist are often tied directly to vendors — with a stake in the arena — and according to Milroy, the title is a luxury more than anything.
“It’s like having a chief Cloud officer — how many chief officers do you want on the board? You have to draw a line somewhere,” he says.
“Security really should be on the minds of a CIO or even a CEO across the board. Everybody should be onto it.”
Only 37.9 per cent of Australian survey respondents, however, said their equivalent security manager reported directly to the chief financial officer, chief executive or board of directors; the rest, it seems, are held back by restrictive governance structures.
“I think there’s a need for any security manager to directly report to management,” Yousuf says. “You can give him whatever title you like, but I’d worry more about his reporting functionality. These guys are responsible for approving your budget and strategy. If they don’t know what you’re talking about, the threats and issues, and if you don’t bring them to their attention, you will have a problem achieving your goals.”
The CSO’s role should extend beyond information security to physical fraud and internal corruption reviews within the company, he says. Its existence also provides a direct line of reporting and communication to executives and, therefore, a greater chance to be heard. It has ultimately been beneficial to Yousuf’s attempts to raise security awareness among the engineers and accountants within the organisations he works with. “I used to struggle. I would send invites to the executives [for meetings], and they would send one person. Now, if I don’t send an invite they’ll actually ask me: ‘You’re not coming to the executive meeting? Are you not providing an update?’”
As a simple means of reporting, the CIO can fulfil much the same role, but the possibility of oversight afforded by a dedicated security executive allows for extension beyond the bits and bytes of information security threats.
Even those steeped in the technical aspects recognise a holistic security strategy must extend beyond the IT department to risk and compliance. For Yousuf, the ideal security environment would comprise four security professionals from IT, auditing, and risk and compliance departments to oversee various aspects of the company’s potential threats and developing mitigation strategies.
Security must be executed by IT, but both Yousuf and Pattinson concede that strategy and governance ultimately shouldn’t be led by it.
Cloud, green IT and governance
Governance and security priorities will likely continue to come at odds when it comes to implementing and sustaining information security, but it is clear the threat landscape remains vast and the number of potential vulnerabilities are no small feat to overcome. As issues on the periphery such as the Cloud, Green IT and governance undergo change, however, effective risk mitigation will follow suit.
For Yousuf, it is a matter of multi-tasking.
“I need to pick up on the small issues in the bigger picture, rather than going to the bigger picture and forgetting the small issues,” he says. “I believe breaches always come from the small issues, not the perimeter.”
In a climate where only 29 per cent of Australian companies appear completely satisfied with existing information security strategies, the area is ripe for improvement.
Read more about information security in CIO Australia’s security category.
Next: Survey methodology