TORONTO — The one thing corporate security managers don’t want to become is roadkill, according to the Bank of Montreal‘s specialist Vivek Khindria.
“”Who has tried to jump on the highway and stop a bus?”” said Khindria, BMO’s
department manager for security practices and technology. “”It might be a train, it might be a kid on a skateboard.””
Even if you can stop a network security problem the size of a bus, eventually you’re going to get run over. Khindria spoke Thursday at the Infosecurity Canada conference and gave a presentation called “”Integrating information security practices into your corporate governance and frameworks.””
One way to avoid getting hit by a bus-sized problem is to recognize that security is not your problem alone. Khindria urged attendees at his seminar to conceive of security as an ecosystem — one that is linked into every department as well as outside the organization through partners, customers and suppliers. “”There is no inside and outside,”” he said. “”We’re all connections across many organizations.””
BMO faced its own bus-sized problem recently. Last September, two servers containing BMO customer data were bought on eBay by a reseller. The servers were being held by Rider Computer Services, the company that manages BMO’s hardware disposal, but were mistakenly shipped to the eBay customer by Rider subsidiary Ecosys Canada.
Khindria said that BMO was notified of the mistake by the buyer and was on the premises in a matter of hours to rectify the problem. He said that BMO’s reputation suffered no long-term damage from the incident, adding that after such an incident, the question to ask is, “”Did you take all the reasonable steps to prevent it?””
Security can be a daunting undertaking, added Khindria. A quick straw poll he took of the audience suggested that a number of people were thrust into the role without adequate training — in one case because no one else wanted to do it.
Khindria suggested breaking down security tasks and assigning them. A security policy the size of a dictionary is a reference tool that no one uses, he said. Having individuals specialize in particular aspects of security ensures that there is accountability and tasks are accomplished. Tapping into an established framework like ITIL can also be a resource, he added, since that can be a guide to best practices in security.
Managing security costs is a constant battle of checks and balances, according to Ali Qutob, information security manager at TSYS, a Columbus, Ga.-based company that specializes in credit card processing. TSYS also operates a Toronto office and counts Royal Bank and CIBC among its customers.
The credit industry is naturally security-conscious, he said, and TSYS’s customers operate in international markets, each with their own security concerns and regulations. In Canada, TSYS and its customers must fall in line with national privacy legislation PIPEDA.
Credit card processing is a competitive business, said Qutob, who attended Khindria’s presentation, and in order for TSYS to remain competitive it must effectively manage its costs, which means effectively controlling security budgets.
He stressed that open source isn’t necessarily a cheap alternative when it comes to managing security. But security managers should prepare for open source in their organizations since its arrival is envitable. Qutob’s company recently purchased a Red Hat Linux distribution. “”Open source sneaks in without you realizing it,”” he said.
Khindria noted that budgeting for security can be difficult, particularly when those that hold the purse strings aren’t always cognizant of what the problems are or could be. A CEO may be baffled by the news that Port 80 is open, for example. Port 80 is the standard port for Web sites.
“”The CEO doesn’t care about ports,”” said Khindria. “”The CEO is going to care about loss expectancy.”” By quantifying security problems in terms of potential lost revenue — or even providing a qualitative description of how security threats can lead to loss of reputation — CEOs will have a better idea of how security budgets are being spent and what they’re designed to address.