Ed: Hi Barry and thanks for spending the time with Infosec Professional.
How has information security changed in the last 3 years?
Barry: As more companies expand their core operations to include web- or cloud-based services, the potential for compromised information flow and financial losses has grown exponentially. Identity management is extremely difficult in the virtual world and even the most routine interactions can have severe consequences. Most business leaders feel the pressure to have a presence on social media without a clear understanding of the risk/reward ratio of doing business in the “Wild West”. In my prior experience in corporate America, most losses of intellectual property or business information were inside jobs. Now the losses can occur without the management team even being aware of the breach. As unsettling as these prospects are, they pale in comparison to the threat of the liability and business-killing publicity associated with having losses of customers’ and employees’ private information. Awareness of the problem is high but solutions are expensive, often ineffective and can inhibit organizational productivity.
What do you think are the main threats facing organisations in 2012?
Barry: Other than a growing exposure to a major incident, I don’t see anything much different from the current issues in securing access to physical places and information systems. Protection from real financial loss and increasing liability for stored data are still the two major concerns. That being said, there are other localized or niche issues that are trickling down in the commercial marketplace. From health clubs to construction sites, identity management and productivity losses can cost companies dearly in a time when profit margins are slim and the viability of the business is threatened.
Are organisations ready to deal with those threats and what can they do to protect themselves?
Barry: Some are, some aren’t. Larger enterprises have solid security plans and measures in place. In my opinion, smaller organizations are open to finding a solution but they are not getting good advice or consultative services from their vendors. Most security technology companies are small relative to their potential customers and approach the sales process from a narrow point of view involving their particular product or service. Organizations that develop a holistic security plan and engage vendors who openly collaborate for the customer’s benefit will reap the greatest rewards. It starts with a strong in-house or contracted service for IT integration. Once that is in place, working on specific problems for performance improvement follows a well-known path and enables the user to select the appropriate solutions. The best protection is to develop a plan and an implementation program. Getting started is the difficult task and sometimes you just have to take that first small step out of the comfort zone. On the vendor side of the equation, there is still a lot of technology and very little supportable product. Choose wisely.
The last 3 years have seen global organisations make significant inroads to protect data from a logical and network perspective. Does physical access control need to play a greater part and are organisations aware of its benefits?
Barry: Physical security is becoming more significant for several reasons. As the economy has weakened, the workplace is less stable and the potential for damage through vandalism by disgruntled employees is on the rise. Add to that the threats of anything from terrorism to Occupy Wall Street mischief and the physical environment is highly vulnerable. Theft is always an issue but increasingly so in a down economy. Innovations in biometric modalities such as facial recognition and iris scanning can increase productivity and reduce cost of use while significantly improving security. One of the first places an organization should examine in a comprehensive security program is physical access control.
Infosec has now become its own profession, with job titles, budgets and certifications. What challenges do infosec professionals face in 2012?
Barry: The biggest challenge in our industry is the velocity of change. Information security is an arms race as the opposition keeps upping the ante and we play defence by applying countermeasures to threats. Speaking as one with a loud voice to increase the criminal penalties for online activities that cause damage is one opportunity. Information systems terrorists are just as lethal to our economy as those that do physical damage to infrastructure. Deterrence is our greatest challenge.
What are the key questions your clients ask when looking to select a product or services offering? Experience, ROI, cost, etc.?
Barry: Our clients seek all of the above with an emphasis on ROI. Cost will decline as acceptance and volume increase. ROI is the first barrier that must be overcome. Most companies tend to overestimate what can be done in a year and underestimate what can be done in ten. The advances in the last 10 years have made biometric solutions cost effective. The next 10 will be amazing.
With the global credit crunch affecting budgets across all areas, is security now seen as a luxury good for many projects?
Barry: Security is looked at by most companies as a cost of doing business and if my competitor isn’t investing, I can let it go too. My personal opinion is that security can be a competitive advantage if it increases employee productivity and decreases cost. It is our job to design and implement solutions for our customers that do just that. Technology should facilitate the provisions of better security and lower the cost of ownership to the organization. I believe that is possible today.
Ed: Thanks Barry for your time today and giving us your insight.