Where's the money in security?

By Jennifer Tai, C|Level Asia
Thursday, September 09, 2004 11:30 AM
While the C|Level Asia Executive Insights discussion in Singapore touched on the threats of phishing scams and e-mail spam, participants at the roundtable dialogue in Malaysia debated the real value of investing in information security.

Despite rising external and internal threats to information security, senior executives in Malaysia are still slow to invest in IT security. How can decision-makers justify continued investment in information security?

Top IT professionals gathered at the C|Level Asia Executive Insights roundtable in Malaysia last month to discuss the country’s IT security environment, and the difficulty some security administrators face in garnering support from their organizations. Guest speaker Ang Swee Leong, senior manager of technology security risk services at Ernst & Young Malaysia, shared some figures on security threats and the changing trends of information security from the Sixth Annual Ernst & Young Security Survey, conducted last year.

This survey, which covered areas such as the governance, deployment and availability of information security solutions, indicated that a majority of the organizations regard technology as their top information security spending priority.

Reduction of risk is also their top influencer of information security spending. However, security managers are still hard-pressed to make a convincing business case for continued spending on information security.

Here are excerpts of the roundtable discussion:

C|Level Asia: Let’s start the ball rolling with a discussion on how we can align business and IT objectives, with KC from MasterCard International?

KC: One of the biggest concerns we have today is the implementation of standards. Today, one of the ways people abuse the card is through wire-tapping, which can result in massive loss of data through terminal zapping. This is where we advise our members to implement line encryption, and this itself is a huge undertaking. Even though regulators mandate this implementation and the deadline has passed, there are still members who have not done so. The reason is there is no price tag for IT.

Azlan: Recently, Bank Negara issued what they call the ‘GPIS1’ and we were given from June 1 to September 1 to comply with the security standards, among other things, listed in there. However, there are no specific rules as to what we must have, so it’s left to the IT department to quantify the investment and justify the costs and returns on investment (ROI) to our CEO.
We spend a lot of money on applications, networks and servers, but when it comes to security, we get asked a lot of questions. There is a kind of bottomless pit to investing in information security which CIOs like me fear. Ironically, we go back and think about how much we really lose to fraud. Maybe if you look at it over five years, perhaps the cost of losing to fraud is less than implementing these measures.

C|Level: What about peace of mind?

Azlan: To a bank, peace of mind does not mean returns.

Ang: We must remember that unless you’re a non-profit organization, you’re ultimately answerable not only to the public, but to the owners of the organization. If you are the least secure bank, then it’s highly likely that your online banking or card business may never take off.

Husin: One of the fundamental flaws of risk assessment is it does not quantify trust or intangible damage. In the case of Internet banking, you find out after doing the risk assessment that losing is much better than doing something, purely because of cost. But we have not factored in trust and confidence of customers towards the bank.

C|Level: What are some examples of internal threats or sources of threats?

Ang: The simplest example is choosing between wire-tapping a merchant for 3,000 transactions or locating someone in a bank who can give me half a million cards overnight. Thanks to privatization of the telecommunications business, today a maintenance vendor with an appointment letter from [Malaysian carrier] Telekom can service any customer.
So it can be anybody wearing a uniform who can go out there and do the damage.

Ang: Most people think that outsourcing is transferring your risk. Outsourcing actually increases your risk. Your users are not going to care whether you have outsourced this part of your business because they contracted you to do the job. You have to manage your contractors as though they are part of you, which is coming back to the people factor.
You may have control over who you hire but you may not have control over this third party, be it a telco, an application service provider, or even basic security services. However, you should have a say. You have to mitigate your risks by managing your suppliers.

Na: This is where security standards come in. One way perhaps is to ensure that contractors comply with certain recognized security standards.

Hiew: I would think that actual security practices are more important than standards and guidelines. The practices of the contractors you hire are important. We talk about ISO standards that many companies here have, but are there actual practices? How many are compliant after the audit is completed?
Security is a long-standing thing, so if the processes that are supposed to be in place are not, then a standard is not going to mean much.

Na: But to be able to pass the audit process, assuming that it’s done properly, you must have been able to do something right. This would help to a large extent in many cases, not to mention the fact that if you want your certification to be renewed, you have to be audited again.

Ang: I think it also boils down to knowing your business, and in this case, it’s information and information security. If you haven’t assessed your business needs and you bought the latest technology, it’s not going to matter.
Similarly with the standards, if you enforce standards where the education level of the end-user is not up to par, ultimately, it comes down to the ability to enforce these standards.

C|Level: Will getting more skilled workers out there help?

Hanan: At UTM, we have just launched a program called Masters in Information Security. The first intake was in June. We realize that there is a big need for personnel who have a comprehensive understanding of security.

Na: Of course it will help to a certain extent, but what I’m concerned about is getting more experience in the field. Theory is one thing, but when it comes to the ground, a lot of it is quite different from what you expect.
That said, if an organization has people with enough skills and experience, this can bring information security costs down and make capacity building more affordable.

Husin: I think knowing how to implement and configure security solutions is not the only thing, and these are not difficult to learn. The gap is in continued surveillance and analysis, which isn’t as meticulously done. Organizations are not willing to dedicate resources to do this.
What guarantees security is maintenance. You need to formulate trends to tell you that something is not right. This will give value to security and alertness among the specialists. I think this is still the weakest link.

Ang: I agree. Analysis of logs and transactions is a key issue. You protect, monitor, operate — nothing to do with whether it is old tech or new tech.

C|Level: To close this discussion, what are your top two critical issues that would be most effective in achieving information security goals?

Ang: Understanding assets and risks, and continual maintenance.

Hiew: To have the right workforce with the right skills, and to have the right processes/policies in place for standards.

Hanan: To have policies in place, and to make sure that there is training for the right personnel in place.

Na: Firstly, software vendors must make more secure products. Secondly, everybody has a role to play, so they should be made aware of these roles and be accountable.

Azlan: Awareness of the importance of security, and the realization that time, effort and teamwork are also part of ROI.

KC: Education with the proper material and to make security everybody’s business. We need to inculcate that kind of consciousness.

Husin: Security professionals must be responsible for putting IT security issues beyond just security, and have them aligned with business requirements. This is currently a challenge.
How do we put security as a business issue? We have to move security from a technical to a risk issue. This will create a sense of purpose through which compliance and enforcement will come easier. We have to create security as a culture… It concerns not just one person but the entire organization.

Roundtable participants
• Husin Jazri — director, the National ICT Security and Emergency Response Center
• K. C. Cheng — vice president, security and risk services, Asia-Pacific, MasterCard International
• Nah Soo Hoe — chairman, technical committee on information security standards, SIRIM
• Hiew Pang Leang — acting head, the School of Information Technology, Monash University Malaysia
• Abdul Hanan Abdullah — acting dean, Faculty of Computer Science and Information Systems, Universiti Teknologi Malaysia (UTM)
• Azlan Rashid — senior vice president of IT, Affin Bank
• Ang Swee Leong — senior manager, technology security risk services, Ernst & Young Malaysia (guest speaker)
• Isabelle Chan — senior editor, CNETAsia (moderator)
