TORONTO — A good security framework requires financial investment, and a good IT manager needs to be able to talk the language of business with those who hold the purse strings.
“To be an effective security professional, you have to get those dollars,” said Doug MacPherson, security specialist for Tivoli’s SecureWay products at the Security.Net 2001 Friday.
Security in the enterprise is constantly changing not only because of new threats, he said, but also because businesses are trying leverage new technologies that have an impact on security policy. MacPherson has been with IBM for 15 years — Tivoli is one of Big Blue’s flagship brands — and working in security for the past eight years.
IT security used to be simply a matter of having insurance and keeping the bad guys out, said MacPherson, but now point solutions — a firewall here, a virus scanner there — are no longer effective alone. Those different solutions require management, and need to be part of an overall security framework, and that in itself requires money. “It isn’t what it used to be,” he said. “There’s so many ways the Net is changing your business.”
Security needs to be an enabler of e-business, not something that slows it down. IT concerns can be run over by marketing initiatives if the security framework is not flexible enough to allow scenarios such as electronic interaction with customers or business partners.
According to MacPherson, there are six A’s in that comprise good IT security — authentication, authorization, asset management, assurance, availability and administration. The last two are particularly important, he said. “It becomes a big part of it if you’re going to (IT security) right.”
To maintain security and not get in the way of the organization’s business initiatives, said MacPherson, “You have to become a partner in the development process.”
Some equate security with privacy, noted MacPherson, but added they aren’t the same thing. “Security isn’t privacy, but the privacy job is there too. The responsibility doesn’t go away.”
Issues of privacy are just now gaining steam through government legislation (such as Canada’s Personal Information , Protection and Electronic Documents Act ) and can be used as leverage when an IT manager approaches management to finance to new security initiatives. The legal fallout from breaches in privacy can result in monetary punishment for a company, and that’s something business leaders understand, said MacPherson.
Security and privacy must come first, he said, but trust is also an important aspect of a secure IT infrastructure. “Trust is the one the marketing guys want to sell.”
Security professionals should arm themselves with hard facts, not scare tactics, when approaching management for new IT security dollars.
“They understand numbers,” said MacPherson. “They don’t want to know the details. The tools are separate from the policies. They understand the policies.”
However, some business managers can view security as barrier to progress, and security is also a learned behaviour. “We don’t teach about security,” said MacPherson. “We scare people.”
At the end of the day, he said security professionals need to expect the unexpected. “There’s no perfect mousetrap.”