Recent high-profile security breaches are making it harder to separate the key issues from the hype. Barry Mansfield asks top experts for their advice.
The threat landscape is ever changing, and security professionals have to adapt constantly. But what are the key challenges for the industry and how can we best address them?
Ten leading experts, all of them working on the frontline, share their views on what to look out for and how the nature of the profession is likely to evolve in line with growing business demands and mobile workforces. And where does that leave young people thinking about a career in information security?
We also asked for their opinions on the consolidation in the vendor community in the past couple of years. Has it made life easier or harder for the CIO?
Finally, amid the growing number of reported security breaches and vulnerabilities, we wanted to know if our experts thought that some so-called threats were more hype than real danger.
- John Meakin is group head of information security at Standard Chartered Bank, which he joined in 2002. He previously served as CSO at Reuters, before moving on to similar roles at the Royal Bank of Scotland, Swiss Bank and Dresdner Bank.
"Unfortunately, for the past 15 or 20 years, my profession has struggled to get the fundamentals of security right. Basic access control is something a lot of corporates still don't do well. It's not sexy, it's a hugely complex problem and the available technologies have actually made things more confusing.
The variety of malware is multiplying. We've seen a growing trend of electronic attacks on business from organised criminal groups that have very well-defined motives and the capability to develop customised attacks.
This means the process of looking for potential malware, characterising a pattern and distributing that pattern has become less feasible. The window of risk between a new variant coming out and the new pattern being promulgated has widened considerably.
The rules of the game are changing. But that doesn't mean we should ditch the old response of malware scanning and replace it with a white-list approach, or indeed any other heuristic approach. People were saying pattern-based malware was dead five years ago, and that it would be replaced by heuristics. It never happened. What did happen is that heuristics was added to the armoury.
When I adopt new technologies from different vendors I want them to work together as a coherent whole.
Maybe it's not very realistic commercially for rival vendors to maintain a dialogue to this end, but it would make life a lot easier for CSOs like me."
- Jeff Roberts worked at BT and as a management consultant at Ernst & Young before joining tour operator Cosmos as group director of IT. He is now director of IT at Norton Rose, where he has global responsibility.
"As a law firm, we're worried about having the right information barriers in place. A lot of that relies on the professionalism of the lawyers in our organisation. That's the biggest barrier - knowing they are trustworthy.
But we have all sorts of checks and balances in place. We don't want to stop people from using USB memory sticks altogether, but we do encrypt them and audit what's going on. We're now also using data collection tools, capturing around 5GB of data every day.
There has been a lot of consolidation in the information security sector. When a vendor is acquired, the relationship management seems to be affected. You don't often get to meet the senior people you were in touch with previously. Despite that, industry consolidation doesn't keep me awake at night. It's just business as usual.
Infosecurity is a tough profession to go into. You really need good, up-to-date knowledge of the technology, so that you can implement new policies and verify what the server team has done. Unless you're part of a large team, you will need a broad knowledge of security. This means networking, as well as servers.
Despite this, you're not necessarily going to be hands-on when it comes to the actual job, because you will be doing audits and thinking about the consequences of those."
- Before joining law firm Eversheds as director of IT in 2005, Malcolm Simms worked for Buena Vista TV as vice-president for information services.
"I'd summarise our main challenge as broadening the security perimeter from something that merely encompasses the enterprise to something that is everywhere at once. We have ten offices in the UK, and that seemed a headache a couple of years ago. However, that's changed.
In our firm, we've seen an explosion in the use of mobile technology. There's more outsourcing, and the legal sector as a whole is intrigued by the possibilities of that. The use of partnerships and alliances has led to integration and communication with so many different organisations that our network and supply chain is now immense.
An increasing trend in law is electronic submission, for example of case files to court. Before it was all paper-based.
This year we've set up offices in Qatar and Shanghai. We're going into territories that we are not too familiar with as an organisation, and that brings new risks as well.
For us, security is about protecting our clients and our reputation as a firm. It's important to understand business process and risk. As an IT professional working in law, you have to understand your clients and internal customers' priorities so you know where to best spend your IT dollars."
- As director of information security and privacy, EMEA, Dr Robert Coles has joint responsibility globally for security at Merrill Lynch. Previously, he managed governance, investigations, threat management and information security consultancy at Royal Bank of Scotland.
"It's important to control your data. Improvements in digital rights management will allow a much stronger grip on who has access to data and will give us the capability to restrict use to individuals or groups, prevent onward transmission to other people and expire access when no longer needed.
It's also important to know your people. Developments in identity and access management systems will allow us to really understand who has - and needs - access to data and allow us to grant access based on roles and responsibilities. They will help us reduce costs through efficiency improvements.
My advice to infosecurity professionals over the next year or so is to support the newly formed Institute of Information Security Professionals (IISP).
Historically, infosecurity was so small that everybody knew everybody else. That certainly made hiring people easy. Unfortunately, those days are gone. The IISP has been set up to provide a mechanism for trusting the skill and competence of the infosecurity professional and guiding the development of the profession."
- Richard Cross studied theology before switching to a career in IT nearly a decade ago. He is now corporate security officer at Toyota Motor Europe and previously worked for a government intelligence agency.
"I have reservations about the whole endpoint security strategy. There are considerable risks with people wanting to get hold of our information, whether it is leaked deliberately or gets out accidentally, so you need to control the medium itself.
Endpoint security is like holding water in your hands. You can do it but, inevitably, the water is going to leak through. It doesn't allow for control or guaranteed results. It's doomed to failure. In any case, just stopping people from using USB sticks doesn't represent the best value for money to our business.
We have to become a lot more aware of employee behaviour. Network protocol analysis and behaviour inspection engines will be useful here. We have to go beyond the straightforward binary rule - 'Yes you can do it, no you can't. You're blocked.' Business isn't that simple. It doesn't go down straight lines.
It's important to be aware of the psychological impact of security. We're dealing with real people and their motivations.
My advice for people thinking of going into information security would be that you've got to believe in it to do it. You have to be willing to deal with unpopularity, and you have to be a little persistent. A lot of people think they already know everything you are going to say as a security officer. Catch people's attention. Challenge their preconceptions and go further."
- George Hazell is CISO for Alliance & Leicester, having joined the financial services group in 1999. He previously worked as a security manager for the Littlewoods Group.
"The language we use in our risk assessment process has changed significantly in the past five years. We used to be less conscious of the fact that we were selling and presenting risk to business people who may not fully understand the implications of what they were being told. So we now put that in much more direct business language.
It should have been second nature. Availability, for example, is a really simple concept for a security professional to get across to a business professional: 'This is the risk that the system you are paying a lot of money for will not be available when you need it.' Our senior managers understand that very well. We've struggled in the past to get the meaning of the risk across. Five years ago, my team was putting words like 'must' and 'should' in risk assessments. But we resist that now. We're not the risk takers. It's the business that takes the risk. Our job is to use our professional skills to identify them and then use different professional skills to present those in terms the business can understand.
It's then for the business risk takers to decide whether to take those risks. I've got my team really focused on that now. When writing a risk assessment paper, it's all about semantics. And it's not an easy job to get it right."
- Sean Dewhurst is CISO and director of IS operations for Centrica. He has worked for NatWest and separately for both Logica and CMG before they merged in 2002.
"The threat landscape changes with maturity, more because we can do something about it rather than because we ought to. A well-focused organisation needs to keep an eye on what is important to the business, not on what is possible according to the so-called experts.
Remediating every risk costs more money than you will ever have, so focus on those most important to you, and note with interest those that are important to everyone else.
What is the impact of consolidation? Nothing more than an indication of the rapid maturing of the information security market. Sometimes there is a short delay in the evolution of a product, but what comes out the other end is more often as good as what went in, and often better.
The information security professional of the future will be articulate in risk management and controls, not just firewalls and technology trends. Talk the universal business language of risk and demonstrate breadth through action in your dealings with people, process and technology in that order and you won't go far wrong."
- Nicholas Bleech joined Rolls-Royce as IT security director in 2005. His 20-year career in security has included stints with KPMG's information risk management practice, EDS Defence, and the UK security service. He was lead author of the Jericho Forum's Visioning White Paper.
"In aerospace, the products we make, sell and support can be in service for 30 years or more, and that transcends the typical life of an IT system. So we have a lot of legacy issues we have to take into account when we look at security technology.
Defence in depth and endpoint security have been key drivers for us. Increasingly we have to share sensitive commercial and customer data across our enterprise and into the enterprises working with our suppliers.
It's important for security professionals to collaborate, because protecting our businesses against security risks is essentially a non-competitive issue. Neutral forums such as TIF, the Corporate IT Forum (www.tif.co.uk), have been around for a while and they're doing a good job.
But it's one of the truisms of security that you get noticed when things go wrong - when you're getting things right, everybody forgets about you. That doesn't mean to say we should be shouting from the rooftops about how wonderful we are. Security is a continuous process. It's not an arena where you can just declare victory and move on to the next challenge.
It's important for security professionals to have a good relationship with their suppliers. Be clear about your expectations. You can benefit greatly from transparency."
- Following nearly 20 years in various security roles at the Ministry of Defence, as well as a spell as CIO at UBS Investment Bank, Paul Wood was appointed group business protection director of Aviva in 2006.
"Identity theft is a key issue for infosecurity professionals, whether this involves phishing, social engineering or the theft of credit card data and personal credentials.
As we see more use of online trading and further development of e-commerce initiatives, we need to ensure not only that the systems are safe from hackers, but that the basic customer authentication processes are also secure. And customers and business partners have to understand the need to protect their own data and private information.
While I am concerned about the so-called zero-day attacks, I think more is being done to make sure vulnerabilities are fixed quickly. The hype around this particular threat is often overplayed.
There is room for more consolidation, as too many vendors are fighting for the same space and customers. I can see further consolidation taking place in the desktop market. But whether it will bring better-quality products is another question. Bigger doesn't always mean better.
Infosecurity professionals should continue to focus on making security add value to their organisation and provide cost-effective, pragmatic solutions that meet business needs.
I think there has never been a better time to become an infosecurity professional. There is a shortage of quality staff and yet, there is an increasing need for them. Obviously, newcomers to the profession need to be technically competent. But there should be an emphasis on the soft qualities needed in business as well - sound communication skills, powers of persuasion and analytical abilities."
- Previously head of information security policy for the DTI, Geoff Smith handles regulation of the communications sector, information security policy and communications resilience for the Department of Business, Enterprise and Regulatory Reform. He is the UK's board member on the European Network and Information Security Agency.
"My role is to help create the right policy environment to improve the confidence of business and other users. Hot topics at the moment are the resilience of the internet, the security obligations of communications service providers and the protection of critical infrastructure. More and more, discussions are taking place at the European or global level.
It now seems clear that we are heading towards much greater mobility with ubiquitous and sensor-based networks. The way people are using technology is changing, and the emergence of social networking and virtual worlds may be the dawn of a new age. That will affect the role of the security professional. Their contribution has to move closer to the design and implementation phase; it cannot be an afterthought as is so often the case at present.
Both the profession and the vendor community will have to reflect this change. Vendors must move away from producing a bewildering variety of endpoint solutions to providing a managed service and specialist advice. This will inevitably lead to a big shake-up in the industry.
However, the profession is becoming more organised: the user-led Jericho Forum shows real thought leadership by the UK."