Gregory Schaffer is a director in the digital risk management and forensics investigations practice at PricewaterhouseCoopers. He spoke with Computerworld reporter Ann Harrison about information technology security issues.
Q: Why do so many businesses have weak IT security?
A: This is a horrible, complex problem that is not easily solved by simply implementing some off-the-shelf system. It's not just a matter of installing a virus-checking system; that is not enough. Even the security tools available now need to be monitored and maintained and patched on a regular basis to be effective. [But] with the "ILoveYou" virus, the tables are starting to turn because the damage levels are starting to rise to the point where they can no longer be ignored.
Q: Are many companies vulnerable because they fail to patch known holes?
A: Staying abreast of security vulnerabilities and applying appropriate countermeasures is increasingly difficult as systems become more complex and as merger activities require the combination of systems that were never intended to be linked to one another. New technologies are implemented almost in real time as they become available, and it takes time for security issues to bubble up to the surface and be really addressed.
Q: Should companies seriously consider outsourcing their security management?
A: There are definitely advantages to having security professionals handle security. It is complicated, and it is the focus of their business. Just as retail outlets are focused on their business, security people can focus on the business of security. It behooves them to be up-to-date and follow the latest trends, not as a distraction but as a core focus.
Q: Some companies are moving their security divisions to the auditing department. Is this a good idea?
A: In some instances, it is a matter of clout and a way to give security people greater influence over operations. In the IT department, they are sometimes not seen as core to the function of the business; therefore they can have their budget hijacked and have resources deployed in ways that do not necessarily enhance the security.
Q: Do you see certain types of risks or vulnerabilities increasing over the next year?
A: These things seem to come in waves, and we have definitely seen a nice little tidal wave of virus activities in the first half of this year. But I don't necessarily see a trend in that direction. Someone will always come up with something new to give us heartbreak. This is an arms race. As good as the security side is, there will always be something on the other side. The goal is a reasonable level of security for what you are trying to accomplish.
Q: Should companies identify critical assets that need to be protected?
A: It's very hard to implement any rational security policy without making an assessment of what your assets are and which assets are most important to the operation. Companies must do this to appropriately protect those assets.
* See Product Focus "Preparing for a denial strike", page 42, for methods to cut the risk of an attack.