According to the 2002 Australian Computer Crime and Security Survey, 70 per cent of Australian organisations increased their expenditure on information security in the 12 months prior to the study being conducted. The survey was produced jointly by AusCERT, Deloitte Touche Tohmatsu and the NSW Police Service, and its findings may well reflect how prominent security has become in the minds of chief executives and boards, especially since September 11, 2001. However, to be effective the right person, at the right level in the organisation, needs to be in charge of information and systems security, and this has not always been the case.
In the late 1980s and early 1990s, a manufacturing company in Australia decreed that information security should be taken out of the hands of the IT department as it was considered to be a case of the fox guarding the chicken coop. If the reasoning behind this was flawed to begin with, the consequences were pitiful. A succession of unqualified and unsuitable "redeployees" ended up being appointed to the new position of corporate security officer, primarily because the company couldn't find anything else for them to do. A power game developed between the heads of business units and IT as to who could access what, how and when; and the end result was cumbersome and ineffectual processes that impeded both IT personnel and end users in doing their jobs.
That may be an extreme example, but while whoever is in charge of IT security need not necessarily sit in the IT arena, most would agree that the incumbent does need some technical grounding, given the complexity of the technology involved. This is very much the view of Stephen Srede, information security manager for AMP Financial Services, whose background is in networking and programming.
"My background is technical, so I understand the way things fit together and I think it is very important to have someone in the team who has a really good technical understanding and knowledge of how things work from the ground up. It does seem to vary a lot, though; some people come from an audit background and some people come from a more management oriented background," Srede says.
Srede's team of four is responsible for information security across Australia and New Zealand. Principally, this is for AMP Financial Services, he says, but they also work with other companies within the AMP Group. The role is a full-time one for Srede and he believes most large organisations these days do have at least one full-time person dedicated to information security, if not a team as in his case.
According to Srede, he and his team set security policy in conjunction with the business. Other duties include analysing and evaluating what security-related technologies need to be in place, such as firewalls and intrusion detection systems, and where; acting in an oversight capacity to check that procedures are working correctly; and investigating anomalies. He considers viruses still to be the biggest threat to AMP's security. "Although the threat of hacking receives more press and is on the increase, and internal threats such as fraud are always a risk, viruses are the most disruptive to the organisation," he says. "If a virus comes through and the [appropriate] infrastructure is not in place and up to date, the cost is easily measurable as being very large."
Prior to joining AMP in February 2002, Srede held a similar position at Optus for three years. Although he says he operates fairly independently within AMP, he and his team report into the architecture area of AMP's IT organisation, and he thinks this works well.
"Different people have different recommendations as to where security should fit in. Some say it should sit outside of IT and report up to the CEO through an area like risk management. That was how it was at Optus for a while, but I don't think it makes that much difference as long as you have good management support. Where that support is lacking is where the reporting lines would make more of a difference because you'd need to wield some weight around. But in AMP we have pretty good support, so we could really be anywhere," he says.
While Srede maintains a good relationship with the people who look after AMP's physical security, he says that information security is run quite separately with little overlap between the two areas. The physical security of premises and equipment is also managed separately at telecommunications company PowerTel. However, according to PowerTel's CIO, Geoff Lindner, one of the principal targets of thieves is IT assets because of their commercial value and usefulness.
"We, like every organisation you care to name, have laptops stolen and we have quite extensive rules about how people who have laptops are required to maintain them," Lindner says. "They're not allowed to be left on desks or in desk-side drawers because they're not secure. Rather, there's a special cabinet for storing your laptop, but every now and then we still lose [the odd one]."