Premier 100 Panelist: Security a Drill in Risk Management
Computerworld
Gregory Schaffer is a director in the digital risk management and forensics investigations practice at PricewaterhouseCoopers. At Computerworld's Premier 100 event last week in Palm Desert, Calif., he shared his thoughts on information technology security during a panel titled "Enterprise Security: Will Only the Paranoid Survive?" He later spoke with reporter Ann Harrison.
Q: Why do so many businesses have weak IT security systems?
A: Network security can be a horribly complex problem that is not easily solved by simply implementing some off-the-shelf system. It's not just a matter of installing a virus checker or intrusion detection software or a firewall; that is not enough.
Even the most straightforward solutions available need to be monitored and maintained and patched on a regular basis to be effective. Ultimately organizations need to look at their own risk management issues and decide what level of vulnerability they can afford. They often will prefer to spend money on something that drives sales and make security a secondary priority, but with the "I Love You" virus, the tables are starting to turn because the damage levels are starting to rise to the point where security concerns can no longer be taken lightly.
Q: Are many companies vulnerable because they fail to patch known holes?
A: Staying abreast of security vulnerabilities and applying appropriate countermeasures is increasingly difficult as systems become more complex and as merger activities require the combinations of systems that were never intended to be linked to one another. New technologies are implemented almost in real time as they become available, and it takes time for security issues to bubble up to the surface and be really addressed. While it's hard for full-time security professionals to keep up with everything, it's really hard for someone who is tasked with maintaining a network and tasked with doing the security piece at the same time.
Q: Should companies seriously consider outsourcing their security management?
A: There are definitely advantages to having people who are security professionals handle security. It is a complicated task, and so it is easier for a security professional that can make these issues the focus of his or her business. It behooves them to be up-to-date and follow the latest trends, not as a distraction from, say, a sales goal, but as a core focus.
Q: Some companies are moving their security divisions to auditing departments. Is this a good idea?
A: In some instances, it is a matter of clout and a way to give security folks greater influence over
