Risk management seen as key to IT security

Computerworld - PALM DESERT, Calif. -- In IT security, emotional reactions, panic and legislation are counterproductive. But intelligent risk management can enable organizations to face an uncertain future optimistically.
That was the message from Merrill Lynch & Co.'s security chief to attendees at Computerworld's Premier 100 IT Leaders Conference here yesterday.
David Bauer, first vice president and chief information security and privacy officer at Merrill Lynch, gave his audience a historical perspective on the evolution of IT security, starting with the Morris worm attack of 1988. That attack took the Internet by surprise, he said. There were no tools to fight back and no source of reliable information. Responses were uncoordinated, and the result was "complete havoc," Bauer said.
He contrasted that with the Mydoom attack last month, when Merrill Lynch combined good tools with a coordinated and carefully planned response to understand and contain the threat after just one infection. That attack, he said, was "just another event."
"The difference between then and now is tremendous," Bauer said, "and preparation is the key." Preparation requires a focus on risk management, intelligence-driven prevention and response, security at the data-object level and a focus on both the corporation and the individual consumer of technology.
"It's easy to get somebody's password, so make the damage that can be done by an individual as small as possible," he said.
Bauer also suggested that, since IT security is fundamentally a technology problem, it should be handled within the IT operation.
Merrill Lynch's IT security strategy is built around strong organization; threat management, including intelligence, planning and instant response; comprehensive security services; attention to public policy, including active attempts to educate legislators; and agile response to the changing risk environment, he said.
A key component of that strategy is dynamic risk assessment. Using tools such as scanners, log analysis, risk metrics and asset inventory, Merrill Lynch's security group produces a biweekly security brief analyzing and prioritizing current threats. "That allows us to go from a circle-the-wagons approach to intelligent risk management," Bauer said.
In response to audience questions, Bauer said that as a percentage of the IT budget, Merrill Lynch's security service costs less than that of any competitors. "It's not about how much you spend but how well you spend it," he said. "We're not making vendors rich, but if we buy something, we use it."
He also noted that about half of his spending is advisory, helping the company build secure systems, while the rest goes toward risk management, prevention and response.
Bauer addressed the problem of legislation, which he said drives up costs and takes resources away from actual risk mitigation. "Part of our strategy is our Legislative Watch," he said. "We try to keep ahead of legislators and influence them, if not to cancel legislation at least to word it properly." He urged all corporations to do the same.
Looking ahead, Bauer predicts that the threat picture will be "interesting." But with defenses built around thoughtful planning, he said, "I'm optimistic about our chances for success."
Complete preconference survey results (registration required)