Canadian enterprises need to move IT security from a watercooler topic to a solid investment area, experts told a conference Tuesday.
Panelists at the Strategy Institute’s second annual Managing IT Security Risk conference said security strategies have to look beyond the traditional data focus to things like who has access to storage facilities.
At one time, physical security didn’t register on the IT manager’s radar, said Sun Life Assurance Canada director of IT security governance David Stolovitch, but those days are over. A comprehensive IT security policy has to start at the H.R. level, he said, by screening out potential employees who could pose a security threat, and making sure that sensitive material is secure.
“Nobody was really concerned, and then you have people walking off with your hard drives,” he said.
The security of storage devices made national headlines last week after a company in Regina lost a hard drive containing thousands of customer records from a major insurance company and a phone company, among others. The Regina Police Service said Tuesday, however, that the hard drive had been recovered and that no client information appeared to have been compromised.
Getting an enterprise’s board of directors to accept a security solution can be difficult, even now when most executives are cognizant of security threats and how they can negatively affect their company, said Canadian Payments Association director of information systems and technology Marc Parent.
“We need to continue to educate them and to make sure that whenever we push something forward that it’s sound and it’s realistic,” he said. “The solution being offered by the IT department may be good, it may be the newest technology out there, but if it’s too complex a solution for the perceived threat, the boards are going to shut it down rather quickly.”
IT managers should present solutions as part of an ongoing strategy, said transport company Clarke Inc. vice-president and CIO John Wilson. It’s important to make board members understand that security threats are perpetual and constantly evolving.
“You have to be careful that they don’t think you’re coming with a one-time thing,” he said. “Otherwise next time you come to speak to them you’re going to have a problem.”
An IT security strategy is essentially an insurance policy, Parent said, and should be looked at as that kind of investment. It will not always be easy to sell the board on a solution when return on investment is a deciding factor, he warned. However, a dismal ROI picture should set off some alarms in the IT department itself: maybe the solution being considered is not the right one for the problem.
Sometimes it’s better to start small, dealing with specific types of threats rather than the whole frightening specter of possible attacks, Parent said.
Vulnerability fears can be used as a selling tool and can often prove quite an effective motivator, Wilson said. But essentially frightening the board of directors into parting with money won’t work in the long term. Claims of potential revenue loss in case of an attack, substantiated by an external auditor or professional services firm, are a much better basis for securing ongoing funds.
It makes sense, Wilson said, to view IT security as part of the whole IT budget, folding it into an ongoing enterprise development strategy rather than treating it as a separate, one-off expense.
For an international company like Sun Life, not having a robust security strategy is not an option, Stolovitch said. Sun Life decided a number of years ago to move away from paper as much as possible, he said, and now, without its computers, the company would have no business to speak of. Not only do the company’s employees rely on the information residing on the network, but all of its partners do as well.
“We have outsourcers, service providers and other third parties who have in varying degrees access to our network,” Stolovitch said. “Then we have the people who are actually trying to sell our insurance policies. And in a number of cases they’re not actually our employees.”
In a situation where security is acknowledged as a priority, it then becomes necessary to come up with a comprehensive governance policy, he said.
The Managing IT Security Risk conference continues on Wednesday.