- Learn how to build a team to handle information security
- Find out how to hire skilled security professionals
- See how to use your IT organisation as a security staffing resource
Last year, David Saul, executive vice president and CIO of commercial insurer Zurich North America, pulled a dozen IT staffers away from their daily tasks to combat a virus that was attacking the company's firewalls. They did a good job limiting the damage, but it took two days - two days in which other work did not get done. Next time, Saul hopes to be ready to respond before a threat surfaces. "We want to be in a safety zone that doesn't require that kind of immediate mobilisation," he says.
That's why Saul increased his full-time information-security staff from 12 to 18 people, mostly by training, reorganising and reassigning IT people to security. "Good security equals prevention, detection and reaction," says Saul. "If you're not going to staff to make the process work, then your exposure to security breaches is higher."
That exposure is an increasingly widespread problem. In a 2001 survey of security practitioners conducted by the Computer Security Institute and the FBI, 85 per cent of respondents (primarily from large corporations and government agencies) had detected computer security breaches in the previous year, and 64 per cent of those respondents acknowledged suffering financial losses.
In fact, there's no limit to the damage evildoers can inflict. In this environment, many people believe that it's sheer madness to have an IT staff handling information security on an ad hoc basis. "It's a hard-and-fast rule, in my opinion," says John Hartmann, vice president of security and corporate services of Cardinal Health, a $US47 billion health-services provider. "If the two roles are shared, business priorities will drive security to a lower priority."
Tim Mitchell, CIO of Sarnoff, an electronic, biomedical and information technologies company, disputes that, saying that his IT staff handles security very well, thank you. But he does agree that people charged with security responsibility must be organised into a team - as his are - carrying out a coherent security program that sets out specific responsibilities and requires regular meetings.
A security team needs to set policies and procedures, assess vulnerability, detect intrusion, respond to incidents and manage security architecture. And perhaps most important of all, it needs a leader.
Finding skilled security professionals to carry out this mission can be tough, and the alternative - training in-house IT staffers who are security novices - can be costly and time-consuming. Outsourcing security is another option. But whichever route you choose, here are some ways to enhance your chances of success.