Security panel split over human, tech fixes

Qantas, Woolworths and a security analyst offer differing views.

A panel of security experts has offered differing perspectives on how best to address IT security risks within an organisation.

Representatives of Qantas and Woolworths believed that a risk-aware culture among management and staff would drive a strong internal IT security strategy.

"People are our greatest asset and they are also our greatest risk," said Qantas' security and building technologies manager Graham Joffe (pictured, right).

Joffe told attendees of CeBIT Australia's IT security conference in Sydney to lead by example and consider whether their behaviour enforced security concerns, standards compliance or mandatory behaviour.

When designing risk assessments, Joffe said IT staff needed to understand business objectives and should focus on the value of security - and not on "doomsday talk" - to secure funding.

Woolworths risk manager Peter Cooper said the retail giant used publicised outages like those at Virgin Blue and the National Australia Bank to illustrate risks.

"You pick something out of the press that people relate to," he suggested. "We try and stay topical, we try and get out and about an awful lot."

Cooper placed great importance in communication and training initiatives for Woolworth's 180,000 staff.

But Richard Stiennon, founder of US research firm IT-Harvest, preferred to rely on technology instead of people.

"Security awareness doesn't stay ... training is not going to last and you'd have to do it continuously," he said, calling for the implementation of "stronger systems" instead.

Stiennon highlighted social engineering as one security risk that may be more effectively mitigated by alternative processes and technologies than by staff training.

At US security conference DEFCON in August, a representative of Australian consultancy Securus Global was able to elicit enough information from a call centre operator to "wreak havoc" on a Fortune 500 company's systems.

Stiennon suggested that an organisation in which passwords were easily obtainable from a receptionist may be better served with alternate, non-password authentication systems.

"You can't train everyone not to succumb for social engineering," he said. "Find a technological solution that avoids the social engineering."