Management's role in Security
(PART II)
Insecurity is not a technical failing
Turning to ‘policy’, the Hong Kong Government neatly defines this area as documentation and guidance “which states the requirements and good practices regarding the security protections and operational control.” What managers and risk owners must understand is that policies do not exist in a vacuum, nor are they simply pieces of paper used to satisfy audit requirements. They are organic materials, which must grow and develop in step with an organisation. They are in themselves components of the security architecture, and policy must be expressed in an organisational context.
The concept of ‘process’ describes the means by which the organisation’s strategic policies are mapped to its business operations and activities. Part of this mapping is the application of technologies and the refinement of working methods, so as to facilitate safe and trustworthy functions. However, this is precisely where many firms focus all of their security efforts, essentially employing technologies to meet their security requirements. This has to be viewed with the right perspective: firewalls, intrusion detection systems, public key infrastructures and anti-virus countermeasures are all enablers that facilitate risk management. Whilst valuable pieces of the overall enterprise security jigsaw, they cannot by themselves provide an absolute level of assurance and integrity. From 2003 to 2004 Symantec documented the discovery of over two and a half thousand software vulnerabilities, an average of seven clear and present risks to infrastructures emerging each and every day. It takes time to research and understand these threats and to develop effective means of countering them. No tool, regardless of how frequently it is updated or the logic base upon which it operates, can protect all elements of an environment given this ever-changing landscape.
Tools and technologies should not be disregarded, however, for they do serve an important function in providing enterprise security. Management must nonetheless be able to appreciate their core purpose (that a firewall screens out potentially harmful traffic based on defined rules, for instance), so that a good blend of controls and countermeasures can be agreed and enforced across the information space. Placed into the wider context, such technologies must serve a purpose within the overall objective of an encompassing and pervasive security strategy, driven forward by management.