InfoSec 2011: Most IT chiefs underestimate danger from advanced threats, warns expert

Academic says many security chiefs 'sleep too well at night'

IT leaders were told that they should be more concerned about the danger posed by advanced persistent threats (APT), and less worried about "strangling" the business with stringent security, in a keynote session at InfoSec 2011 in London yesterday.

This was the opinion of professor John Walker, of the school of computing and informatics at Nottingham Trent University.

The term APT is used to describe complicated malicious attacks by IT-savvy criminals against individuals or companies.

"In my opinion there are chief information security officers (CISOs) that sleep too well at night, when they should be worrying about ATPs," said Walker.

"In recent years, during the economic downturn, there has been a churn of CSIOs who are comfortable with the way they deliver security – this is often very dashboard-centric," he added.

"I have seen an emergence of CIOs then reporting on security with this dashboard approach to the board.

"I think more investment should be provided to those on the lower levels where things happen and people know what is important."

Mario Kempton, head of information security for the Serious Organised Crime Agency (SOCA), agreed with Walker that APTs are serious, but added that the threat doesn't keep him up at night.

"Criminals who have very high end technology to specifically target individuals or organisations are definitely out there and the threat they pose is getting worse," said Kempton.

"However, it doesn't keep me up at night, because I feel I understand the threat and we mitigate against it."

Virgin Media's group information security governance manager, Stephen Kerslake, argued that although the threat is serious, the IT department cannot implement all the security it would like to as it prohibits business operations.

"Look at our day-to-day operations. We have got a huge diversity in what we do, we work with business, consumers and government," he said.

"The business has to keep moving, we can't strangle operations with very stringent security," he added.

Ionut Ionsecu, head of threat management for gambling web site Betfair, admitted that he felt he did not have a handle on the threat posed by APTs.

"Do they keep me up at night? I think they probably do," said Ionsecu.

"APTs keep me awake because I often wonder whether I have done enough. Do I understand them?" he added.

"It might be the case that the security industry hasn't yet reached the sort of maturity that allows us to know what we should be worrying about."