CALGARY—If senior IT execs came to CIO Summit West in search of some solace over their security woes, they probably left disappointed. In fact, they probably went away with a greater sense of paranoia, thanks to a University of Calgary professor.
the words of more than one CIO, Dr. Thomas Keenan managed to “”entertain and scare hell out of us”” in one short hour. Keenan, dean of the faculty of continuing education at the university, has been tracking the evolution of technology security for two decades. The bad news? Security problems are only becoming more complex and creating big questions about public policy issues.
“”You will be at conferences like this and taking courses like mine for the rest of your life. Get used to it,”” said Keenan, speaking to about 100 CIOs attending the session Keeping Up With the Dark Side of Technology. He said that while viruses and other electronic threats are becoming more prevalent, they are also causing more lost productivity than the viruses or worms themselves.
Of significant threat to companies right now is wireless networks left unprotected. A wardriving exercise Keenan conducted in Calgary recently revealed 12 networks with only three running Wired Equivalent Privacy, or WEP.
“”I also did this on a recent flight and my computer talked to all the other computers on the flight, including a guy from the Canadian Department of National Defence. That’s someone who shouldn’t be working that way,”” he said.
Keenan told the audience that in Silicon Valley companies are routinely patrolling parking lots looking for people with laptops. “”And they are finding them,”” he said.
His advice was to create a culture of awareness in an organization and get someone from the outside to take a look at what is currently in place for security in a company.
“”So many regard security as a headache. The reality is somebody taking an outside look can do some good,”” he said.
When asked what can be done to control spam, Keenan’s advice was simple: “”use filtering programs, don’t reply and be quick with the delete key and don’t give out your e-mail address.””
In an age when a person’s e-mail is used probably more than their telephone number, this may seem extreme, but it is slowly becoming a strict policy in some large organizations such as Epcor Utilities Inc.
“”At Epcor we suggest everyone have three e-mail (addresses),”” said Kevin Brown, CIO with Epcor. “”I never give out my Epcor address unless I have a relationship with the person. I also have a CIPS address and a home address.””
Keenan agreed this is the way to go, “”more and more we need to think about what we hand out to people.””
When asked where privacy and security ranks on their to-do lists, many CIOs echoed the idea that security has become a top priority, but it remains an endless challenge as new threats arise and budgets remain flat. As well, it has become an issue some describe as a “”can’t win.””
“”My role is to set up as good a perimeter as possible but for ever fence I put up, there is someone with the talent and drive to break through,”” said Robb Stoddard, CIO for the government of Alberta.
And in spite of the push for greater security, some CIOs find themselves in a familiar situation: we don’t care how you do it, fix it.
“”Security, in particular strikes me as similar to the Y2K issue. You can’t win as the CIO – you can’t spend enough and if something went wrong you’re on the hook. I try not to spend a lot of my time on it except to put it at the top of my agenda,”” said Duncan Kent, vice-president and CIO for Enbridge Inc.
The task is even greater for Nick Curry, vice-president of business transformation and information technology with MTS Communications, because as a telco “”we will be the ones named as the service provider if something goes wrong.””
“”We are always concerned about staying on top,”” said Curry, noting it’s not necessarily external hackers he worries about most. “”The cooks in the kitchen are the ones you worry about.””