iTnews

AusCERT: Corporates need mature security

By Siobhan Chapman
May 26 2004 12:00AM

While security risk management is no longer a dark science, Australian corporates still lack maturity around the model, delegates at a major security conference heard.


John Geurts, Commonwealth Bank's general manager of financial and risk management and group security, said security should be at the boardroom level and businesses should aspire to deploy a security maturity capability model.

In this model, the chief security officer (CSO) should have a holistic view of security that incorporates more than information security, but also the management of physical security and personnel issues, Geurts explained to delegates at AusCERT's third annual IT security conference.

Additionally, Geurts said he subscribed to the view that the CSO should report to the chief financial officer.

Geurts told InformationWeek businesses needed fewer knights in shining armour and more proactive, business-focused security chiefs.

"It is always easy to react [to a security issue]. You can then be the knight in shining armour and save the day. I'd much rather prevent it from happening in the first place," Geurts said.

"For the Commonwealth Bank, security has been on the radar at board level for some years. Now it's less of a challenge to sell the message," he said.

"In the past the business didn't know what to expect from security practice. It was regarded as an area of mystique. The new security professional today has to help them understand. Security practitioners need to grow themselves beyond technical expertise, but they also need business skills."

For security chiefs, Geurts said: "Business is still your customer not your opponent."

Geurts also called on security chiefs to show the metrics of what they do in terms the business can understand. "Fear, uncertainty and doubt may have been a useful tool in the past, but today's managers are more computer literate and more demanding of the IT industry," he said, adding it is necessary to "flush out those that hold knowledge within security."

"What I see -- not just in Australia but generally -- are isolated pockets of security where IT is sitting over here and fraud people are sitting somewhere else and there is not a great deal of interaction between them," Geurts said.

"To me, a modern business can't sustain islands of knowledge that are not integrated with the rest of the enterprise. Security risk management is not a dark science," he said.

"Security is a support function, not an overhead," said Geurts. "My decision is what do I invest in to make it a better business, not what do I spend money on."

Geurts said chiefs would be able to turn around a mindset that security is an overhead by demonstrating results. However, when reporting to the CFO, the CSO should try to manage metrics to show quantitative financial results as well as qualitative.

"Show results such as by investing in this fraud detection technology, we reduced the possible loss by x amount of dollars or x percent. By showing sustainable improvement in those activities over a number of years, security can be an investment in terms of reducing exposure to losses," he stressed.

He added: "It can be an investment in terms of taking a business opportunity that would otherwise be too risky to take".

Siobhan Chapman attended AusCERT 2004 in the Gold Coast as a guest of AusCERT.
