Security / Opinions

The ultimate hiring horror

I was having lunch last week with the senior executive for one of the large agencies in the government organization where I work, when I asked about the agency's information security officer. I'd heard that the ISO had left his job rather quietly and quickly a few weeks earlier, but I hadn't been able to get a clear answer or reasonable explanation as to why. This isn't as strange as it may sound. Our government organization is very decentralized, and the agency ISOs don't work directly for me. I don't have any real authority over them other than to ensure they institute the enterprise security policies within their agencies (but that's a whole different story).
The senior executive told me that he'd been meaning to bring me up to speed on the situation but that it was very complicated, and after the ISO left, he didn't feel a sense of urgency to close the loop. Because the senior executive was relatively new in the position, he'd spent some time trying to get to the bottom of the whole situation himself. My antennas were now wagging in anticipation.

Written by Anonymous, 26 April 08 22:00

Hook, line and stinker

There's been a lot of discussion about banks carrying liability for internet banking fraud this year, not least because of attempts by some institutions to move partial liability to customers in the event that they are ripped off when they lack adequate computer security.
If there was ever any doubt about what customers stand to lose through such a move, it was painfully played out in a case that came before the Supreme Court of Victoria in November.

Written by Julian Bajkowski, 08 Dec. 07 22:00

Think twice before spying on your staff

With the explosion of communications technology have come two trends that seem at once inexorable and logically interrelated. The first is employees' growing use of company resources, particularly computers and internet connections, for personal business or recreation while at work.
ComScore Networks found that, excluding auctions, 59 per cent of all web purchases in the United States in 2001 were made from the workplace.

Written by Jeffrey Pfeffer, 27 Sept. 07 22:00

Turning old into gold

How much do you think a business system is worth? The usual answer to this question would be the purchase price minus any depreciation. Yet in my experience that is rarely a true reflection of the value of these applications to the business. These systems are embedded in the organisation. Processes flow from them. They are instinctively utilised by employees. They are frequently adapted to specific business requirements. If they stopped working tomorrow it would create havoc in many companies. The reality is they are worth considerably more than many executives appreciate.
Yet even the name given to established business systems highlights a certain lack of appreciation towards them. The term ‘legacy applications’ implies something old fashioned, inherited or long-in-the-tooth. Unfortunately in IT there can always be a temptation to confuse the new with the better. There is a lot to be said for a robust, dependable legacy application. You know it works and you know changing from it will bring significant disruption to the business. Replacing an application can require extensive staff training and modifications to work practices while, at the back of the mind, is the uncertainty as to whether you will be any better off in the long run.

Written by Peter Hind, 20 Aug. 07 22:00

Shameful spin

There's been a lot written in the past few years about the declining state of internet security that has been aimed at firmly entrenching a permanent state of fear into the minds of executives and the public at large. You know the stuff: horror stories about corporations crippled by digital nasties because they forgot to buy the right product.
Five years ago it was viruses, worms and denial of service attacks that could bring any network to its knees. Three years ago it was locking down networks against penetrations that could compromise sensitive information and bring disgrace on technology managers.

Written by Julian Bajkowski, 19 Aug. 07 22:00