The Precarious State of Security in Asia

Security is defined as the condition of being protected against danger or loss. In the Internet Age, information security has become just as valuable and important as the physical aspects of safety.

Security remains top of mind among security business and technology executives. But how does this trickle down to users and their managers?

Enterprise Innovation conducted a survey of readers to determine the extent to which users are familiar with tools, policies and processes as it relates to security in the enterprise.

How many IT staff do you have dedicated to security?

Among the 316 respondents to the survey, about 60 percent have a small team of between one and five people within their IT organization to look after the security of their infrastructure. Almost 28 percent claim to have a larger team dedicated to security. Twelve percent do not have dedicated security staff in their IT organization.

"Except for the very large organizations that truly have a dedicated security team, most so-called security experts in IT organizations actually perform several jobs, security being one of them," said Henry Ng, Professional Services Manager, Asia, Verizon Business. "Compared to the US, there are very few companies in Asia where a Chief Information Security Officer or CISO is employed to oversee the security initiatives of the company. In the organizations where such a role exists, the CISO often reports directly to the CEO rather than the CIO."

Do you struggle to consistently measure security across your enterprise?

Over 51 percent admit that they lack the ability to adequately measure security across the enterprise. Add to this the 24.6 percent of respondents who are uncertain as to how to measure security and you have a population of 75.6 percent of respondents who struggle with measuring security.

This suggests a lack of internal awareness of the tools, policies and best practices that enable accurate measurement, and also implies an inability to justify further investment in security beyond basic security tools such as anti-virus software, intrusion detection and intrusion prevention solutions.

How do you measure security? Some point solution vendors measure this by the number of incidents that are tracked and/or stopped at the door.

Ng says that his team is often invited to meet customers to solve specific security problems. "When it comes to security, most organizations act in response to specific events. Only a few, and mostly those from very large enterprises headquartered in the US or Europe, have a security strategy beyond the basics," Ng adds.

Can you effectively demonstrate risk reduction and an improved security posture?

The simplest way to demonstrate risk reduction is by keeping your anti-virus software updated. Most corporate users have this process automated for them by IT: as soon as a user logs in to the network, the client anti-virus software checks the server for any updates. Surprisingly, only 38.6 percent of respondents claim to be able to demonstrate this posture.

Andrew Walls, Research Director on Security, Risk & Privacy at Gartner, says the only way to demonstrate risk reduction and security performance is to have an effective Security Information and Event Management (SIEM) program.

Gartner research has identified strong benefits in the level of security assurance and the containment of security costs produced through a well-managed SIEM program.

Walls warns that the metrics must be driven by business priorities with the raw metrics (gathered from technical security systems and processes) analyzed and translated into business terminology.

Do you need assistance or support for internal or external audits?

A little over 41 percent believe they need assistance with regards to internal or external audits. Over 42 percent claim they don't need support while almost 15 percent remain uncertain.

On the subject of international standards for information security, Walls notes that Asia tends to be less transparent concerning policies, processes and standards. "The tendency of Asian organizations to avoid exposing internal security practices in a public setting leads to some conflicts when western organizations seek to perform security risk assessments and compliance audits. The lack of transparency is often interpreted as a lack of security enforcement within the organization, which can lead to adverse audits," he adds.

Do you have to adhere to standards such as Payment Card Data Security Standard, ISO 27001 or others?

Only 20.5 percent of respondents confirm they comply with specific security standards. The standards with the most mentions are ISO 27001 and BS7799.

Close to 54 percent believe they are not mandated to comply with any security standards. Over a quarter of the survey respondents are uncertain whether their organizations should support any standard at all.

It is human nature that we operate in reactive mode, particularly when it comes to security. It should not surprise us that in the aftermath of September 11, 2001, companies were scrambling to assess and deploy security policies and processes. Likewise, after the Boxing Day earthquake in Taiwan on December 26, 2006 that knocked out the undersea communication cables, people scrambled to figure out whether their systems were compromised.

Do you have a structured process or methodology for managing enterprise-wide security initiatives?

Having a structured process for managing enterprise-wide security initiatives is a rarity in Asia Pacific. Not surprisingly, only 26.3 percent of respondents claim they have a structured methodology for securing the organization. Many more (38.2 percent) believe they don't, while a worrying 35.6 percent are uncertain whether such a process exists at all.

The remaining two groups total 73.8 percent - a figure which should be a cause for concern for regulatory bodies and an opportunity for security experts seeking to offer their services to the market.

Are you confident of how to prioritize security efforts and allocate resources?

The ability to prioritize implies knowledge. The survey respondents clearly underestimate the size and complexity of executing security policies and strategies. About 45 percent of respondents claim they are confident they know how to prioritize security initiatives and allocate resources.

In reality, based on discussions with experts, this is often not the case. It is possible that this perception is largely rooted in the belief that security is nothing more than deploying a combination of anti-virus, intrusion detection and intrusion prevention solutions.

Do you find your existing security controls effective in protecting you against threats, worms and viruses?

The majority (61.9 percent) of respondents believe that their current setup is effective in controlling breaches caused by worms and viruses. They say it was overconfidence that spelt the demise of Napoleon.

Only a minority (17.9 percent) are pessimistic about their infrastructure's ability to contain and counter threats, and a slightly higher percentage (20.3 percent) remain uncertain as to the effectiveness of their security initiatives.

Do you have third party validation or certification to provide or meet compliance requirements?

Respondents' confidence in the effectiveness of their security initiatives is dampened by their inability to actively measure or validate the effectiveness of those measures as it relates to meeting compliance requirements.

Only 35.7 percent of respondents have a third-party validation process in place. Forty-four percent do not use external organizations, which may be explained by the 42.7 percent who don't use an external auditor to check their security posture and the 53.9 percent who do not need to comply with any standards.

The remaining 20.3 percent are not sure whether their organizations are using third parties to conduct certification.

Numerous third party certifications are available in the market for all sorts of security processes. "However, they are only valuable as proof of compliance if the certification is based on the regular assessment of all security practices that are relevant to the standard being applied. The quality of the assessment is totally dependent on the issues raised above: transparency and maturity," warns Walls.

According to Walls, if an organization is not fully transparent during a certification assessment, they may receive the certification but then fail a compliance audit. Transparency is an absolute necessity if your organization is seriously dedicated to managing security risk.

"If the security program does not have well-documented and consistently enforced policies, standards and procedures, then the certification will be based on hearsay and personal assurances by staff. This will not be sufficient to pass a compliance audit," explains Walls.

Compliance is easy if you have a mature and transparent security program with effective metrics. If you do not have these, audits will always be a struggle.

Market Analysis

How much are companies spending on security solutions? According to IDC, $2.9 billion was spent on IT security solutions across Asia Pacific (excluding Japan) in 2006. This number is expected to nearly double to $5.9 billion by 2011.

The IDC Asia/Pacific Communication Study of 2006 showed that "Introduction of viruses" was the top threat by a large margin. This signals that, despite the maturation of secure content management (SCM) technology (which includes antivirus, web-filtering and messaging security), viruses are still considered a very real threat to the enterprise IT infrastructure.

This is followed by "corruption or replication of data" and "external hacking". It is also noteworthy that "employee sabotage" made it high on the list, as enterprises in APEJ (Asia Pacific excluding Japan) have traditionally focused on perimeter defense, commonly known as the strategy to "keep the bad stuff out".

This result shows that many enterprises now realize that there is a need to put in place controls to "keep the good stuff in" too.

Willie Low, IDC Senior Market Analyst of the Asia/Pacific Infrastructure Software Research, says viruses, worms, Trojan horses and other malware will continue to be top of mind issues for end-users. "However, the increasing use of RSS feeds, mashups, blogging, Web 2.0 and other interactive technologies at work will introduce new security challenges to many IT managers and not many organizations are prepared for that," he warns.

"It is no coincidence that we are seeing numerous information protection and control solutions (data loss prevention systems being a type of IPC solution) being introduced to the market lately. We can expect to see more in the coming months," concludes Low.

According to Gartner, the top 3 security issues or initiatives for 2008 in Asia are:

New approaches to IT delivery are exploding into the market. Software as a Service, Virtualization, On Demand Infrastructure, Managed Services, Social Networks, Grid computing and Virtual Worlds can provide enormous benefits in terms of performance and cost, but they also require new approaches to security. To get the benefits, companies need to move aggressively to improve their security operations.

The rising prominence of organized crime in network-based attacks is creating new, more focused and effective attack strategies. Mitigation of this threat can only be achieved through a responsive, coordinated and enterprise-wide security program.

IT initiatives continue to take place without sufficient, early involvement of security in the design process. It costs far more to secure a system that is about to be deployed than it costs to secure a system that is about to be designed!

Conclusion

Walls warns that it is impossible to generalize across all of Asia the quality of security practices. He reminds us that as with other areas of business operations, different communities have advanced more rapidly than others due to a variety of factors.

"In general, deployment of security policies, processes and methodologies is performed well in the principal financial centers in Asia, such as Hong Kong, Singapore, Kuala Lumpur, Beijing and Shanghai. The need for security activities is driven by the risk appetite of the business leaders of a company. As organizations grow in size, they tend to become more conservative and risk averse. As a result they demand higher levels of security assurance," observes Walls.

It is therefore natural that companies in financial centers have higher levels of security activity than those in other industries.

In 2006, Chinatrust Commercial Bank (CCB) conducted a comprehensive examination of its information security environment. The exercise culminated in the company achieving Cybertrust Security Management Program (SMP) certification.

According to Chang Ruu-tian, executive vice president of Chinatrust Commercial Bank, "CCB was able to thoroughly reinforce its information security management program with expertise that helps pinpoint weaknesses of existing external information systems, track records of improvements and examine the underlying causes of the problems."

The result is a clean bill of health the bank uses to position itself as one of the most secure financial institutions in Taiwan.

Ng suggests that successful security initiatives have several characteristics that ensure they survive beyond the discussion tables (whether in the boardroom or in the war room where execution begins). "The approach can only be holistic - no piecemeal tactical approach can survive long. It must have a starting baseline against which success or failure can be measured. Initiatives need to be reviewed regularly against prevailing (and perhaps even speculative) conditions," concludes Ng.

Walls offers five best practices in creating and deploying a security initiative:

1. Understand the business priorities that are driving the initiative.

2. Determine how you will measure the success or failure of the initiative, and negotiate these metrics with the business stakeholders.

3. Prioritize vendors that have local support organizations to assist with design, deployment and management.

4. Involve business leaders and users in the deployment plan to obtain organizational support.

5. Call high, call wide, call often! Make sure that everyone from the CEO down is aware of their role in the initiative and is regularly updated on progress.

Whichever advice you choose to follow, you have to begin, and that time should have been yesterday.

Jose Allan Tan
Currently I am the content director and web strategist for Questex Asia Ltd. I also have 6 years of Marketing and Communications experience with Hitachi Data Systems in Asia. Other prior stints include senior industry analyst for Dataquest (a Gartner Group brand) and account director at Euan Barty Associates - a PR firm in Hong Kong.

Copyright © 2005-2008 Free Articles by ArticlesBase.com, All rights reserved.