Cover story
I just read your interview of me in January's magazine. Your article was balanced, did not take anything out of context, and created a very positive impression of ChoicePoint (so I'm told). Thank you! Anytime you want to interview someone, feel free to look me up :)
Aurobindo 'Robin' Sundaram
AVP, Information Security,
ChoicePoint Inc.
Managed services
I read with interest the recent article on "Managed Services Strategy" [November 2005], particularly the key tips to successfully managing outsourcing arrangements. There were some very insightful statements regarding "creating secure infrastructures while maintaining operational flexibility." Other advice included governing managed security service providers (MSSPs) by getting contracts and Service Level Agreements (SLAs) in place.
However, while the article provided readers with sound advice on scoping and selecting MSSPs, it didn't consider the next phase of organizational support: for instance, the implementation of SLAs, the introduction of rigorous processes, and supplier relationship management.
If organizations are going to make a successful move to an MSSP, they need to seriously consider implementing a service management framework based on ITIL (IT Infrastructure Library), the IT industry's best practice process. This will provide a governance model that includes all of an organization's IT services (whether delivered from in-house teams or external service providers), encompassing security management.
Some of the ITIL best practice processes include Service Level Management, Problem Management, Change Management and IT Service Continuity Management. The adoption of this framework would support the implementation of security management and provide organizations with greater control. The benefits will also address challenges pertaining to inaccuracy, by removing repeat errors, and a lack of communication and reporting, by incorporating measured service level management.
Making the move to an MSSP is only the start. How it is implemented and managed will determine its credibility and success.
Paul Green,
director, Service Management Practice,
Capita IT Services
Supplier responsibility
Alan Paller's remarks in the SANS International Top 20 report [September 2005], that software suppliers need to take greater responsibility for security issues related to their products, will be met with a warm response by IT managers.
However, his notion that "there is no other solution" doesn't wash. Application security solutions already exist that provide the "seatbelt, airbags and bumpers" that Paller refers to. In the same way that your home wouldn't be secure after fitting dead bolts on all the doors alone, a multi-layered approach to security needs to be adopted. It's similar to installing alarms, bars on windows and security lighting, in addition to securing the doors.
Until software manufacturers work more closely with customers to solve security issues, computer criminals will always stay one step ahead of the game. They will continue to target the security holes that are unplugged, and remain a threat to the very core of what is essential to a business.
Steve Withers,
general manager,
Radware U.K.
Identity theft
The new research that suggests nearly half of consumers are willing to switch to banks that offer more security protection [scworld.com, Nov. 29, 2005] comes as no surprise when you consider this age of identity theft we live in and the recent warning from the Financial Services Authority (FSA) about Mafia gangs infiltrating U.K. banks to steal confidential information and sidestep anti-fraud systems.
The traditional focus of financial institutions on protecting against external attacks has seen insider threat policies loosely adhered to and routinely skirted. However, the fact is that both types of threats carry the same risks. Plus, insider threats are harder to detect.
This is already a significant issue in the U.S., where illegitimate websites now auction stolen personal details to the highest bidder. In some cases, this may be a Social Security number or address. In others, it may be an entire "wallet" consisting of financial, health, identification and other bits of personal information. This year in the U.S., eight Bank of America employees were caught stealing over 700,000 customer records with the express purpose of profiting from the action.
Financial organizations must make customers aware of how they are protecting their personal details. The key to preventing attacks of this nature is automated real-time correlation of security data.
Individual events may pose no obvious threat, yet by correlating them against one another, potentially innocuous network occurrences become highly malicious attacks, and vice versa. This is a fundamental part of a network-wide security information management strategy.
Iain Chidgey,
managing director, EMEA,
Arcsight
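The letter above argues that events which look harmless in isolation become an attack only when correlated, and that the reverse also holds. The following is an added example illustrating that idea in code; it is not code from Arcsight, the letter writer, or the magazine. The event line format, the rule (a burst of failed logins, then a successful login, then a bulk record export by the same account within one time window), the thresholds and the sample log lines are all assumptions constructed for this illustration.

```python
"""Single-pass event correlation over a constructed event stream (added example).

Assumed line format (hypothetical, not any product's real log format):
    <ISO-8601 timestamp> <EVENT_TYPE> user=<name> src=<ip> [count=<n>]
Illustrative rule: AUTH_FAIL x N, then AUTH_OK, then RECORD_EXPORT with a large
count, all for one account inside one window, is an alert. Each event alone is not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<type>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: count=(?P<count>\d+))?$"
)

# Constructed sample events (not real logs). alice: one typo, then a routine
# batch export. bob: fat-fingered password four times, then small lookups, and a
# larger export long after the window closed. mallory: password-guessing burst,
# success, then a bulk export minutes later.
SAMPLE_EVENTS = """\
2005-11-29T08:00:00 AUTH_FAIL user=alice src=10.0.0.5
2005-11-29T08:00:20 AUTH_OK user=alice src=10.0.0.5
2005-11-29T08:05:00 RECORD_EXPORT user=alice src=10.0.0.5 count=12000
2005-11-29T21:10:00 AUTH_FAIL user=bob src=10.0.0.9
2005-11-29T21:10:10 AUTH_FAIL user=bob src=10.0.0.9
2005-11-29T21:10:20 AUTH_FAIL user=bob src=10.0.0.9
2005-11-29T21:10:30 AUTH_FAIL user=bob src=10.0.0.9
2005-11-29T21:11:00 AUTH_OK user=bob src=10.0.0.9
2005-11-29T21:12:00 RECORD_EXPORT user=bob src=10.0.0.9 count=40
2005-11-29T21:40:00 RECORD_EXPORT user=bob src=10.0.0.9 count=9000
2005-11-29T23:02:00 AUTH_FAIL user=mallory src=192.0.2.44
2005-11-29T23:02:05 AUTH_FAIL user=mallory src=192.0.2.44
2005-11-29T23:02:11 AUTH_FAIL user=mallory src=192.0.2.44
2005-11-29T23:02:40 AUTH_OK user=mallory src=192.0.2.44
2005-11-29T23:06:00 RECORD_EXPORT user=mallory src=192.0.2.44 count=700000
"""


class Correlator:
    """Stateful correlator: call feed() once per line, in timestamp order."""

    def __init__(self, window=timedelta(minutes=10), fail_threshold=3, bulk_threshold=5000):
        self.window = window
        self.fail_threshold = fail_threshold
        self.bulk_threshold = bulk_threshold
        self._failures = defaultdict(deque)  # user -> timestamps of recent AUTH_FAIL
        self._suspect = {}                   # user -> (ts, src, n_failures) of a suspicious AUTH_OK
        self.alerts = []

    def _prune(self, user, now):
        """Drop per-user state that has aged out of the correlation window."""
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        sus = self._suspect.get(user)
        if sus and now - sus[0] > self.window:
            del self._suspect[user]

    def feed(self, line):
        """Consume one event line; return the list of alerts it triggered (usually empty)."""
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        etype, user, src = m["type"], m["user"], m["src"]
        self._prune(user, ts)
        new = []
        if etype == "AUTH_FAIL":
            self._failures[user].append(ts)
        elif etype == "AUTH_OK":
            n = len(self._failures[user])
            if n >= self.fail_threshold:
                # Success right after a burst of failures: suspicious, not yet an alert.
                self._suspect[user] = (ts, src, n)
            self._failures[user].clear()
        elif etype == "RECORD_EXPORT":
            count = int(m["count"] or 0)
            sus = self._suspect.get(user)
            if sus and count >= self.bulk_threshold:
                new.append({
                    "rule": "credential_burst_then_bulk_export",
                    "user": user, "src": src, "failures": sus[2],
                    "login_ts": sus[0].isoformat(), "export_ts": ts.isoformat(),
                    "count": count,
                })
                del self._suspect[user]  # one alert per suspicious login
        self.alerts.extend(new)
        return new


def correlate(text, **kwargs):
    """Run every non-blank line of `text` through a fresh Correlator; return its alerts."""
    c = Correlator(**kwargs)
    for line in text.splitlines():
        if line.strip():
            c.feed(line)
    return c.alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream only mallory is raised: alice's large export has no credential anomaly behind it, and bob's failed logins, alarming on their own, are followed by nothing bulk inside the window. Loosening `fail_threshold` to 1 would also flag alice, which is the tuning trade-off any such rule carries.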