Security that's fit for business

10 Mar 2009

IT leaders are balancing security and investment

Duncan Scott, chief information officer at global property services firm DTZ Holdings, knows how important it is to protect the company’s information assets. Nevertheless, he refuses to be alarmed by the prospect of data falling into the wrong hands.

“My view is that you have to step back and look at security in the round and how much money is spent and what return you get. There is a lot of scaremongering out there and the challenge is to achieve the right balance between investment and protection,” he says.


Scott concedes that security is an emotional issue that can have a profound bearing on an organisation’s reputation. But the high stakes should not cloud spending judgment, he adds. “Security has to be taken in context with other business objectives, otherwise you can end up spending gazillions of pounds and not get what you want. Even if you have an alarm on your home, if someone is determined enough to break in, they will,” he says.

While some companies are reputed to spend up to 15 per cent of their IT budget on security, DTZ aims to be more circumspect. Although security spending will probably increase percentage-wise at DTZ over the next few years, it currently represents less than five per cent of overall IT spend, says Scott.

“Spending may increase as our client base is becoming more insistent on understanding what our security model is. We have banks that are clients, for example, and they are very conscious about compliance,” he says.

Compliance with security standards, such as ISO/IEC 27002, the code of practice that sets out best-practice controls for information security management (formal certification is against its companion standard, ISO/IEC 27001), can be a contract clincher.

“It is very easy for anyone putting forward a proposal to say that we should be compliant with x, y and z. The good news is that most organisations do not expect you to be compliant tomorrow, but they expect some sort of programme towards compliance,” says Scott. “Standards make good common sense, but are not a panacea and are onerous and costly.”

The challenge is exacerbated by DTZ’s global operations. “The challenge the global IT team faces is moving security from a country-centric model to ensuring it on a global scale,” he says.

That pressure has convinced Scott of the benefit of standardising on one security vendor’s products across the globe.

“Our core security is around networks and we use the same vendor, Juniper, and the same products. In terms of management and control over the product it makes sense for us, and working with one vendor very closely means we gain better insight and advice about what we can and can’t do,” says Scott.

As well as its core network security, DTZ is focused on ensuring remote staff can connect securely to central systems. “We won’t connect anyone to the virtual private network (VPN) without Juniper products and this policy has spread out from the UK where we have our main work and IT resources. We are tough on enforcing our centralised model,” he says.

Rigour is also being applied to securing the company’s laptops. A decision was taken to replace all desktops with laptops because they are flexible, consume less power and are greener, but the move has security implications.

“It is a particular challenge as laptops move around so are intrinsically less secure than desktops. Data loss is a concern we are addressing,” says Scott.

The threat of data loss is compounded by the current economic downturn, as any future layoffs increase the risk of sensitive data leaving with ex-employees.

“We are sure that our laptop approach is right, but it throws up the security issue and we have brought in external auditors to help. It is a challenging time. Although we have no evidence of data loss, people are more nervous about job security so the timing is right to address this as evidence shows that most fraud is internal and presents a higher risk than external security threats,” says Scott.

“We are very careful about what data is on a laptop and encryption will help with this process. Although we don’t want a £1,000 laptop stolen, the mindset is more about the value of the data on the laptops, which is immeasurable.”

The company also restricts what data staff can access through its deployment of Microsoft Active Directory, which lets it define and enforce access permissions centrally. Nevertheless, such controls are only imposed within a wider context of supporting, not constricting, employees in their day-to-day roles.

“We heavily use the Active Directory features, but we are not using the latest access control technologies. Again, it comes down to how much do you want to invest in security, and there is also a cultural nuance to this. DTZ is a professional services firm and professionals like to be treated professionally. They are not school children and while I am not saying white-collar professionals don’t steal things, they have a job to do and if they were to steal something and it was found out, their career would be over,” says Scott.

Ultimately, Scott believes that moving towards a cloud-based application suite, where data is held centrally, will help solve many security problems and move thinking away from relying on traditional perimeter security measures. DTZ is currently trialling cloud-based services.

“It will give us more centralised control over where data is held and laptops will become less of a security risk. I can see a situation where you only have to protect your own server farm and you can move the steel wall back from the traditional firewall and VPN layer,” he says.

Scott says his focus on delivering business-enhancing tools rather than getting over-prescriptive about security concerns will be tested by the increasing encroachment of Web 2.0 tools.

“Web 2.0 is so important and not understood at boardroom level. We have students asking us what our policy is towards Web 2.0 and unless we embrace it we will be unable to attract the best talent. We have to face up to the fact that the new generation will throw current working practices into the bin,” he says. “Restricting access to unwanted sites is prudent, but out-of-date security management practices should not prevent new ways of doing business.”

In part three of our definitive guide to security next week, we examine the key technologies.
