Security lessons from San Francisco

Aligning IT security with business, and the huge increase in web threats, were key topics at the RSA show

Aligning IT security projects with business objectives and the huge growth in web threats were the key topics at this week’s RSA security show in San Francisco.

A forthcoming RSA survey will reveal that 80 per cent of firms have not pursued innovations because of IT security concerns.

“The next time a new idea comes up, don't start by saying it isn't secure,” said RSA president Art Coviello. “The need to link security to information management and infrastructure is better understood today. But when it comes to security impact on business performance, it's clear we haven't hit our stride.”

Rhonda MacLean, chief global information security officer at Barclays, said that some units within the banking giant had taken the decision to lock down USB ports, to prevent data loss. “That's not an 'enabling' way to think about security in business,” she said.

But IT security cannot become more business-focused unless senior management drives the agenda, argued John Thompson, chief executive of Symantec.

“Your information security policy needs to be consistent with how you want to run your business,” he said. “The CFO, COO and everyone else in the executive suite are critical to a culture of security.”

Also at the show, Gene Hodges, chief executive of Websense, advised firms to focus on ensuring that unauthorised agents cannot extract critical data, as efforts to lock down devices, networks and infrastructure have failed to deliver robust safeguards.

Craig Mundie, chief research and strategy officer at Microsoft, argued that technology vendors could also help enhance security through co-operation with rivals. “Ultimately, we need collaboration with other people who are building some parts of the products in the system,” he advised.

Microsoft used the event to launch a beta version of its latest Forefront security system. Codenamed Stirling, the system is designed to reduce total cost of ownership of IT security and provide firms with a more fully integrated suite of products to protect them at client, server and network edge level. A key new feature is Dynamic Response, information-sharing technology that enables the system to respond proactively to threats across the various layers of the IT infrastructure, according to Microsoft.

The US government was also represented at the show. Michael Chertoff, secretary of US Homeland Security, told delegates, “We know that a successful large-scale cyber-attack against our country would have very far-reaching consequences.”

But RSA’s Coviello was critical of government actions, saying regulations aimed at combating IT threats were ill-considered. Much of the current IT security regulation forces companies to spend money on “perceived but not genuine security risks”, he argued.

According to Symantec’s latest research, highlighted at the show, tackling web security threats should be a priority for firms.

The firm’s biannual Internet Security Threat Report, covering July to December 2007, found that phishing hosts – computers that host one or more phishing sites – increased from 32,939 in the first half of 2007 to 87,963 by the end of last year, a 167 per cent jump. The number of site-specific cross-site scripting vulnerabilities also rose from just under 7,000 to more than 11,000 during the same period.

The report also pointed to the growing sophistication of the underground malware economy, with credit card details reportedly selling for as little as 20p each.

Mike Maddison, UK head of security and privacy services at Deloitte, revealed that basic web application vulnerabilities exist in about 80 per cent of the firms the consultancy checks, and warned that development processes needed to be more robust.