Panel discusses top infosec issues

Powered by SC Magazine
 

Making security policies effective, patch management, and risk analysis were among the many issues discussed and debated Tuesday by a panel of infosec experts at Infosecurity Europe in London.

Getting employees to follow security policy requires having consequences that hurt them personally if they don't comply, said Jason Creasey, senior product manager at the nonprofit research organization Information Security Forum.

"If they don't follow policy, take their bonus away. Make them look stupid in front of their friends," he said.

A lot of people ignore policies because they don't see how they're relevant to them, said Andy Thompson, head of security services at systems integrator Cap Gemini Ernst & Young.

"They have to be relevant," he said. "If you can give them a free drink, meal, let them go home early - something that means something to them."

On the patching front, panelists had various views. Companies need to be selective with patches, Creasey advised. "You need to do a risk analysis on patches... It's quite dangerous to apply all patches automatically," he said.

Richard Hackworth, head of IT security at HSBC Holdings, agreed that a risk assessment is needed before implementing a patch but said a level of automation in patch management is "fundamental."

With some 250,000 devices connected to BT's network, 100,000 employees and many mobile workers and contractors, patching "has to be a slick process," said Martin Roberts, group security director at the company.

Panelists said risk analysis is a key component of an infosec program.

"If an organization can't identify risk associated with a critical business application, it must be difficult to define the appropriate level of control," Creasey said.

Thompson said anything done in security should be based on a risk analysis that correlates security to the business goals: "It's important for us as security professionals to understand how the business works."

Hackworth said, "Essentially we're managing commercial risk... Security controls will be proportional to the commercial risk."

 

Copyright © SC Magazine, US edition

