Posture Assessment Grid



The precarious state of security in Asia

Security is defined as the condition of being protected against danger or loss. In the Internet age, information security has become as valuable and important as physical security.

Security remains a top priority for companies and technology executives. But how do users and their leaders fare?

Business Innovation conducted a readership survey to determine the extent to which users are familiar with tools, policies and processes that relate to security in the enterprise.

How many people have you dedicated to IT Security?

Among the 316 respondents to the survey, approximately 60% have a small team of one to five people within their IT organization to handle the security of their infrastructure. Nearly 28 percent claim a larger team dedicated to security. Twelve percent have no staff dedicated to security in their IT organization.

"Except for very large organizations that really have a dedicated security team, most so-called security experts in IT organizations actually perform several jobs, and security is one of them," said Henry Ng, Professional Services Manager, Asia, Verizon Business. "Compared to the United States, there are very few companies in Asia where a chief information security officer, or CISO, is used to monitor the company's security initiatives. In organizations where such a function exists, the CISO often reports directly to the CEO rather than the CIO."

Have you ever had trouble measuring security in your business?

More than 51 percent admit they have no ability to adequately measure security in the company. Add to that the 24.6 percent of respondents who are uncertain about how to measure security, and you have a population of 75.6 percent of respondents who have difficulty measuring security.

This suggests a lack of awareness of the internal tools, policies and best practices needed for accurate measurement, and it also makes it impossible to justify new investments in security beyond basic security tools such as anti-virus software, intrusion detection and intrusion prevention solutions.

How do you measure security? Some solution providers suggest measuring it by the number of incidents that are monitored and/or stopped at the door.

Ng says his team is often invited to meet with customers to solve specific security problems. "When it comes to security, most organizations act in response to specific events. Only a few, especially very large companies headquartered in the United States or Europe, have a security policy beyond the basics," says Ng.

Can you demonstrate effective risk reduction and improved security posture?

The easiest way to demonstrate risk reduction is to keep your anti-virus software updated. Most business users have this process automated for them by IT: once a user connects to the network, the anti-virus client software checks the server for updates. Surprisingly, only 38.6 percent of respondents claim to be able to demonstrate that posture.

Andrew Walls, Research Director of Security, Risk and Privacy at Gartner, said the only way to demonstrate risk reduction and security performance is to have an effective security information and event management (SIEM) program.

Gartner research has found strong benefits in the level of security assurance and in the control of security costs produced by a well-managed SIEM.

Walls warns that measures must be guided by business priorities, with raw metrics (collected from security systems and technical processes) analyzed and translated into business terminology.

Do you need help or support for internal or external audits?

A little over 41 percent believe they need assistance with internal or external audits. Over 42 percent claim they do not need support, while nearly 15 percent remain uncertain.

On the issue of international standards for information security, Walls notes that Asia tends to be less transparent about policies, processes and standards. "The tendency of organizations in Asia to avoid exposing internal security practices in public creates conflicts where Western organizations seek to make risk assessments for security and compliance audits. Lack of transparency is often interpreted as a lack of enforcement of security within the organization, which can lead to negative audits," he added.

Do you adhere to standards such as the Payment Card Industry Data Security Standard, ISO 27001 or others?

Only 20.5 percent of respondents confirm that they comply with specific security standards. The standards most commonly cited are ISO 27001 and BS7799.

Nearly 54 percent believe they are not mandated to comply with any security standard. More than a quarter of survey respondents are uncertain whether their organizations should support a standard at all.

It is human nature to operate in a reactive mode, particularly when it comes to security. It should not surprise us that after September 11, 2001, companies rushed to evaluate and deploy security policies and processes. Similarly, after the Boxing Day earthquake in Taiwan on December 26, 2006, which damaged undersea communication cables, people scrambled to figure out whether their systems had been compromised.

Do you have a structured process or methodology for managing security initiatives across the company?

Having a structured process for managing security initiatives across the entire company is a rarity in Asia Pacific. It is not surprising that 26.3 percent of respondents say they have a structured methodology for securing the organization. Many others (38.2 percent) believe they do not, and, more alarmingly, 35.6 percent are uncertain whether such a process exists at all.

The other two groups total 73.8 percent, a figure that should be a cause for concern for regulators and an opportunity for security experts seeking to offer their services on the market.

Are you confident of how to prioritize security efforts and allocate resources?

The ability to prioritize implies knowledge. The survey respondents clearly underestimated the magnitude and complexity of implementing security policies and strategies. About 45 percent of respondents say they are confident they know how to prioritize security initiatives and allocate resources.

In fact, based on discussions with experts, this is often not the case. This perception may be rooted largely in the belief that security is nothing more than deploying a combination of anti-virus, intrusion detection and intrusion prevention solutions.

Do you think your existing security controls are effective in protecting against threats, worms and viruses?

The majority (61.9 percent) of respondents believe that their current configuration is effective in controlling breaches caused by worms and viruses. They say it's the confidence that the demise of Napoleon

Only a minority (17.9 percent) are pessimistic about the capacity of their infrastructure to contain and counter threats, and a slightly larger group (20.3%) remain uncertain about the effectiveness of their security initiatives.

Do you have any validation or certification from a third party, or to meet compliance requirements?

Respondents' confidence in the effectiveness of their security initiatives is undermined by their inability to measure or actively validate the effectiveness of security measures against compliance requirements.

Only 35.7 percent of respondents have a third-party validation process in place. Forty-four percent do not use outside agencies, which is consistent with the 42.7 percent who do not use an external auditor to verify their security status and the 53.9 percent who do not need to comply with standards.

The remaining 20.3 percent are not sure whether their organization uses third parties to conduct certification.

Multiple certifications are available on the market for all kinds of security procedures. "However, they only have value as evidence of compliance if the certification is based on regular assessments of all security practices that are relevant to the standard applied. The quality of the assessment is totally dependent on the questions raised above: transparency and maturity," warns Walls.

According to Walls, if an organization is not fully transparent in a certification assessment, it can receive certification but then not pass a compliance audit. Transparency is an absolute necessity if your organization is seriously dedicated to managing security risk.

"If the security program does not have well-documented and consistently enforced policies, standards and procedures, certification will be based on hearsay and the personal assurances of staff. It will not be sufficient to pass a compliance audit," says Walls.

Verification is easy if you have a mature and transparent security program with effective measures. If you do not, audits will always be a struggle.

Market Analysis

How are companies spending on security solutions? According to IDC, 2.9 billion dollars were spent on security solutions across Asia Pacific (excluding Japan) in 2006. This number is expected to almost double to 5.9 billion dollars by 2011.

IDC's Asia/Pacific Communications 2006 study showed that "introduction of viruses" was the top threat by a large margin. This indicates that, despite the maturation of secure content management (SCM) technology (which includes anti-virus, web filtering and messaging security), viruses are still considered a very real threat to enterprise IT infrastructure.

It is followed by "data corruption or replication" and "external hackers". It is also interesting to note that "employee sabotage" was high on the list, given that companies in APEJ have traditionally focused on perimeter defense, or what is commonly known as the "keeping bad things out" strategy.

This result shows that many companies now realize there is also a need to establish controls to "keep good things in".

Willie Low, senior market analyst, IDC Asia/Pacific Infrastructure Software Research, said viruses, worms, Trojans and other malicious software continue to be top-of-mind issues for end users. "However, the increasing use of RSS feeds, mashups, blogs, web 2.0 and other interactive technologies in the workplace presents new security challenges to many IT managers, and not many organizations are ready for it," he warns.

"It is no coincidence that we are seeing a lot of information protection and control solutions (data loss prevention systems are one type of IPC solution) being launched on the market recently. We can expect to see more in the coming months," says Low.

According to Gartner, the top three security issues or initiatives for Asia in 2008 are:

New approaches to data delivery are exploding onto the market. Software as a Service, virtualization, infrastructure on demand, managed services, social networks, grid computing and virtual worlds can provide enormous benefits in terms of performance and cost, but they also require new approaches to security. To obtain the benefits, companies need to move quickly to improve their security operations.

The increase in organized crime evident in network-based attacks is creating new, more focused and effective attack strategies. Mitigation of this threat can be achieved through a reactive and coordinated program of enterprise security.

IT initiatives continue to take place without adequate, early involvement of security in the design process. It costs much more to secure a system that is about to be deployed than to secure a system that is about to be designed!

Conclusion

Walls warns that it is impossible to generalize about the quality of security practices across Asia. He reminds us that, as in other areas of business, different communities have grown more rapidly than others due to a variety of factors.

"In general, the deployment of security policies, processes and methodologies is performed well in the major financial centers in Asia, such as Hong Kong, Singapore, Kuala Lumpur, Beijing and Shanghai. The need for security work is driven by the risk appetite of the entrepreneurs behind the company. As organizations grow in size, they tend to become more conservative and risk averse. Therefore they require higher levels of security assurance," says Walls.

It is therefore natural that companies in financial centers have higher levels of security activity than other industries.

In 2006, Chinatrust Commercial Bank (CCB) conducted a comprehensive review of its information security environment. The exercise resulted in the company achieving Cybertrust Security Management Program (SMP) Certification.

According to Chang Ruu-Tian, executive vice president of Chinatrust Commercial Bank, CCB was able to adequately strengthen its management program with information security expertise, helping it identify weaknesses in external information systems, track its history of improvement and examine the underlying causes of problems.

The result is a clean bill of health, which the bank uses to position itself as one of the safest financial institutions in Taiwan.

Ng suggests that successful security initiatives share several features that ensure their survival beyond the discussion table (whether in the boardroom or in the war room where execution begins). "The approach must be holistic - piecemeal tactics cannot survive for long. It must have a basis against which success or failure can be measured. Initiatives need to be reviewed regularly against prevailing (and perhaps even speculative) conditions," says Ng.

Walls offers five best practices for creating and deploying a security initiative:

Understand the business priorities that underpin the initiative.

Decide how you will measure the success or failure of the initiative, and negotiate those measures with business stakeholders.

Prioritize vendors with local support agencies to assist in design, deployment and management.

Involve business leaders and users in the deployment plan to obtain organizational support.

Communicate high, communicate broadly, communicate often! Make sure that everyone from the CEO down is aware of their role in the initiative and is regularly updated on progress.

Whichever advice you choose to heed, you must start, and the time to start was yesterday.
