Strategic Issues For Information Security Managers - Essay Example

 Strategic Issues For Information Security Managers I. Introduction According to Shetcliffe (2004), “Information security is about protecting the information [managed] in…business, so that its confidentiality, integrity and access is diligently controlled through prudent security procedures. By managing information securely [one] serve[s] the best interests of [one’s] customers, business associates and employees, as well as the professional reputation of [one’s] organization.” Four areas are key to information security (Siponen, M., & Oinas-Kukkonen, H., 2007): “…Information Systems, secure communication, security management, [and] development of secure Information Systems.” II. Information Systems “Information security is primarily concerned with the confidentiality, availability, and integrity of data. Technical mechanisms, such as firewalls, honeypots, and intrusion detection systems (IDS), are used to create a virtual wall between the organization and the Internet…one must also recognize that employee behavior affects security” (Huebner, R., & Britt, M., 2006). As on can see, there are various physical elements that go into information security. Information systems play a large role in this. Firewalls are common, as they protect PCs and laptops from viruses on the Internet. Virtual walls are important in order to streamline information and make it suitable for company use. Information systems are one of the key driving forces in information security. Without security there could be no systems. Most prevalent nowadays is the necessity of information security professionals to be on top of problems which deal with breaches of security. Perhaps heard about more recently was the hacker named HackerKroll, an individual who hacked into various corporate accounts at social networking site Twitter. This hacker found a pattern in Twitter’s system, also related to Google accounts and Amazon.com accounts, that had an effect on how the system was operated. Passwords for these organizations, as well as Facebook chat, was regarded as unsafe after this unidentified individual user HackerKroll revealed certain insecurities in not only Twitter’s system but other systems as well. The TechCrunch web site displayed a letter written by HackerKroll which went into quite a bit of detail about the information security breaches at Twitter, now known as Twittergate. The reason this problem caused such a stir was because senior advisers at Twitter had had their Twitter accounts hacked, and this also led to a vulnerability in advisers’ e-mail accounts as well. This undoubtedly angered many head honchos at Twitter and caused a scandal. The fact that TechCrunch allowed HackerKroll’s open letter to be published on its site was widely criticized. “Why would TechCrunch openly give other potential hackers, a.k.a., the public at large, any potential opportunities to hack the system by letting HackerKroll’s salient information be released?” Technically, one wonders why indeed TechCrunch would have released such a document. Surely, one must think, this is a folly. Why would one hacker’s comments about the very system he hacked be allowed to be publicized on the very web site that is supposed to be joined to Twitter at the hip? One potential reason that TechCrunch allowed HackerKroll’s letter to be displayed on its web site perhaps had something to do with the reason that perhaps releasing this information would somehow trick other hackers into following similar steps that HackerKroll did, thus revealing weaknesses in the system. Inversely, this could also affect potential hackers. If new hackers tried HackerKroll’s old tricks, perhaps TechCrunch was phishing for hackers, practically inviting hackers to try what HackerKroll had done—precisely so that Twitter could find and prosecute anyone who had ideas about performing similar actions. This was most likely done as a preventive measure, and probably advised by technical staff outside of Twitter. “At a global level, key drivers include legislation and technology resulting in changes that include moving from cost to value propositions and from metrics to performance indicators” (Anon, 2008). Perhaps until there is some kind of legislation in place that specifically bans certain kinds of hacker activities, problems like Twittergate will continue to crop up. Technology certainly has changed, as well as adapted over time. Now there is a program called TrueTwit which automatically checks that Twitter followers are indeed real people and not spam or spambots (also called bots). This program TrueTwit also automatically sends DM’s (direct messages) to new followers on Twitter, one service provided by this organization. This is mainly because spambots can also be phishers seeking information from Twitter users, perhaps to hack accounts. Just a few days ago, one of the trending topics on Twitter was a hashtag called #Victoria’sSecretGiveaway. It was later found out to be a scam associated with people who were phishing for information, or information mining. According to Colby (2005), “[Today’s] [c]omputer security issues…marketplace focus on threats from external sources. Network administrators are on guard for vulnerabilities and ways to ensure that the perimeter is not breached, monitoring network traffic for unusual activities and anomalies. It is assumed that malicious intrusions and threats will come from external sources.” External sources, in this case, are usually hackers. Rule number one of hacking is, “Never get caught.” This is one reason why so many hackers are usually effective. So far, really in information systems, information security is still not a priority obviously in the U.S. as one shall see later on when security management is discussed. The problem of hackers is a big one, however. Hackers threaten information security by finding breaches or compromises in a system such as Twitter and then either expose those breaches and/or use the security breaches to cause havoc. Obviously this is a major problem, basically because the number of hackers out there is potentially unlimited. So, the risk that an information system will be hacked is very high. This is why companies should spend the extra money to invest in good information security systems and information security managers. These are complex issues facing IS professionals, and, as such, one should be aware of them. That brings us to the next point. III. Secure Communication Quickly, “…information security is now being perceived as a business enabler rather than a business expense” (Anon, 2005). Clearly, businesses that don’t have security systems in place to control their management should seriously consider it. After all, if Twitter accounts are compromised, for example, then hackers could tap into the DM’s on Twitter and read peoples’ personal messages to each other on the social networking site. This is a scary concept, generally because it means that no comments are safe from public scrutiny, even ones meant to be private. Case in point, President Obama made a comment off-the-record that disparaged Kanye West, and a reporter quickly and summarily tweeted this on Twitter. It was meant to be a private comment and not a public comment, but nonetheless the public heard about it anyway. Therefore, it should be unsafe to assume the fact that any kind of technological communications of any kind are privatized or protected. One must always assume that Big Brother, or a hacker, or someone else, is listening, watching, or reading what was otherwise thought to be private material. Rapidly, the U.S. is evolving into a country where no comments are considered sacred enough to not be fit for public consumption. Americans live in a very public society now, and there literally are no secrets. This is because secure communication is basically an assumption, but not a given. What with telephones being tapped due to the Patriot Act and so forth, no communications, much less those over the phone, can be assumed to be completely “safe” in terms of security. In our technological age, we are at the advanced stage and must presume that all of our communications are being watched by an outsider somewhere. Somewhere beyond Facebook, Twitter, SecondLife, Digg, Del.ici.ous, and StumbleUpon, we have become a society that is fraught with invasions of privacy notwithstanding the government’s subtle yet increasing intrusions on peoples’ private lives. IV. Security Management “According to an article in Communications News (Anon, 2008), “In a global security survey of more than 100 such organizations, 46 percent do not have a formal information-security strategy in place. Despite this lack of a formal security strategy, 69 percent report they are ‘very confident’ or ‘extremely confident’ about their organization's effectiveness at tackling external security challenges.” Part of Americans’ problems when it comes to security management is that they don’t understand the seriousness and weight of the security breach in information systems. “Effective management of information is a key factor in the success and survival of banks and other financial services institutions” (Anon, 1999). Bad information security management is bound to leave a wake of destruction in its path. Editorially speaking, we know from such security breaches as Twittergate (most recently), that it is precisely because of poor security management that Twitter was hacked, as well as the accounts of corporate giants at Twitter. This is not said to make people afraid, but rather educate them on the importance of Internet security. Information systems are likely to be hacked if contingency measures are not put in place in order to counteract the external forces that threaten to cause the demise of a company. Indeed, “…although 80 percent of government workers believe that Federal information systems face significant threats and that information security is important to agency leadership, government workers continue to violate information security policies” (Anon, 2007). There is no good reason for security policies to be violated, and this continues to be an issue within the government. Therefore, other companies and corporations should sit up and take notice that security management is considered important enough to worry about and consider making plans for at the very least. Without a system in place to counteract external threats to information systems, companies will be left vulnerable and open to attack. Unfortunately, sometimes the problems are the managers themselves. “Information security managers spend too much of their time reacting and applying short-term, technology-focused fixes to rapidly changing threats and regulatory and technological environments…These solutions are deficient because many security weaknesses result from poor governance, a dysfunctional culture or untrained staff…” (Anon, 2009). Obviously, one of the problems here is staffing. People need to be adequately trained in order to manage security systems in order to ensure that the transmission of information remains relatively secure. Hopefully, it would remain very secure. However, one must admit that a modicum of human error is very possible when it comes to protecting information systems. The problem lies within the realm, therefore, of human capacity. Humans have the ability to solve virtually any problem, and the problem of security management is primarily a human problem. There just have to be more people willing to be trained in the field as well as have those who are trained in the field to develop more and more skills as time goes on, since the technological aspect of information security changes all the time. Information security managers should be aware of this and thusly have a heightened sensitivity towards these kinds of problems. V. Development of Secure Information Systems “As companies come to terms with the reality that data loss and information misuse will continue unabated despite investments in traditional security measures, they must seek ways to lower their exposure by implementing a strategic and integrated approach” (Anon, 2008). Companies should have enough reasons, in this day and age, for wanting computer security. Financially speaking, many companies simply do not have the wherewithal to withstand a hacker’s attack should an infectious virus or damaging worm affect corporate computer systems. Indeed, major organizations today cannot afford not to have secure information systems in place. Secure information systems are what the public depends on in order to ensure safety and order in an unsafe and disorderly world. Once certain security breaches are made, it may be too late to then put a system in place in order to address the problem. Therefore, preventative measures should be taken in order to ensure that the problem is suitably dealt with before it happens. According to Nelson (2004), “Currently available wireless networking technologies provide many benefits for enterprises—chief of which is increased productivity from the anytime and anywhere access to information…[to ensure] network security [from] vulnerability, [one must consider various types of security].” Wireless security is important because without it no fully-fledged, well-ordered major company in the future will be able to get along without wireless capabilities. Business is happening everywhere around the globe on daily basis, and in order to “keep up with the Joneses,” proverbially speaking, companies will have to be in a technological arms race to see who can develop secure information systems the best that address their security issues, wireless security notwithstanding. VI. Conclusion Today more than ever, information security is at an all-time premium. With the advent of hackers and various cryptology devices, no secrets are safe. Especially in the corporate world, where privacy is relatively taken for granted, major corporations and other large organizations can no longer depend on the old and outdated information systems they once used. They must realize the importance of good information security managers and act upon that knowledge. Companies rely on secure information systems for their survival and should realize that good information systems, secure communication, security management, and the development of secure IS are not cheap but worth the investment for a peace of mind. REFERENCES Anon, 1999. Information security: a critical aspect of information management. [Online] Available at: http://findarticles.com/p/articles/mi_qa5353/is_199905/ai_n21439459/?tag=content;col1 [Accessed 18 Oct 2009]. Anon, 2005. ISC2®-sponsored study says information security professionals are gaining influence in the board room; boards of directors, CEOs and CISOs/CSOs are more accountable for information security and risk management strategies. [Online] http://findarticles.com/p/articles/mi_m0EIN/is_2005_Dec_8/ai_n15925386/ [Accessed 18 Oct 2009]. Anon, 2007. SecureInfo report finds government workers frequently violate information security policies. [Online] Available at: http://findarticles.com/p/articles/mi_m0EIN/is_2007_Dec_10/ai_n21149029/pg_3/?tag=content;co l1 [Accessed 18 Oct 2009]. Anon, 2008. Information security forum lays out vision. [Online] Available at: http://findarticles.com/p/articles/mi_hb3234/is_4_38/ai_n31004038/?tag=content;col1 [Accessed 18 Oct 2009]. Anon, 2008. Organizations now view information security, compliance, and classification as one problem deserving one solution. [Online] Available at: http://findarticles.com/p/articles/mi_m0EIN/is_2008_Sept_25/ai_n28581107/?tag=content;col1 [Accessed 18 Oct 2009]. Anon, 2008. Security still not a priority. [Online] Available at: http://findarticles.com/p/articles/mi_m0CMN/is_3_45/ai_n25123960/ [Accessed 18 Oct 2009]. Anon, 2009. New ISACA business model. [Online] Available at: http://findarticles.com/p/articles/mi_hb3234/is_1_39/ai_n31396815/?tag=content;col1 [Accessed 18 Oct 2009]. Colby, K., 2005. Internet security requires vigilance against viruses, spam: new laws aim to protect computer users. [Online] Available at: http://findarticles.com/p/articles/mi_hb5261/is_10_21/ai_n29215209/?tag=content;col1 [Accessed 18 Oct 2009]. Huebner, R., & Britt, M., 2006. Analyzing enterprise security using social networks and structuration theory. [Online] Available at: http://findarticles.com/p/articles/mi_qa5383/is_200607/ai_n21403077/?tag=content;col1 [Accessed 18 Oct 2009]. Nelson, B., 2004. Wireless security choices. [Online] Available at: http://findarticles.com/p/articles/mi_m0CMN/is_6_41/ai_n6080561/?tag=content;col1 [Accessed 18 Oct 2009]. Shetcliffe, John, 2004. Information security. [Online] Available at: http://findarticles.com/p/articles/mi_qa5365/is_200406/ai_n21350850/?tag=content;col1 [Accessed 18 Oct 2009]. REFERENCES (CONT’D) Siponen, M., & Oinas-Kukkonen, H., 2007. A review of information security issues and respective research contributions. [Online] Available at: http://findarticles.com/p/articles/mi_hb5858/is_200702/ai_n32217125/ [Accessed 18 Oct 2009]. Read More