Analysts to CISOs: Learn about business

Chief information security officers (CISOs) need to learn more about the business side of the companies they work for to effectively communicate the importance of computer security, analysts said Wednesday at the Gartner IT Security Summit 2005 in London.

The relationship between business managers and IT security employees at many companies is "not very healthy at all" because of communication barriers, said Paul E. Proctor, a vice president with Gartner Inc.

Proctor advised security managers that "The future means that you've got to care about the business."

The most effective companies have a risk management officer, a person who can ideally understand technical security issues but be able to evaluate whether it's right to invest in equipment. That subjective information can be passed along to the business side, Proctor said.

That kind of evaluation is new and foreign to many businesses; however, a handful of companies are successfully integrating the two sides, he said.

The two-day Gartner conference focuses on how IT managers can deal with a range of security issues affecting their companies, including phishing of passwords, government compliance and consumer confidence.

The threats to computer systems have become greater, as people with lower levels of computer skills are successfully causing havoc with credit card information theft and money laundering, said Jay Heiser, research vice president with Gartner.

Awareness is increasing, but businesses are overly optimistic on how robust their systems are, he said. In particular, as more services are included in operating systems, there is more opportunity for unauthorized access.

"We think it's getting better, but we don't see that Windows will be innately secure in the next five years," Heiser said.

Other threats, such as viruses, means that you can't take a machine with the Windows operating system "out of the box and expect it to survive," Heiser said.

In a separate session, Klaus Brunnstein, a professor of applied informatics at the University of Hamburg, said risks come from software that is "full of programming faults." Programs have become so complex that the security remedies for them are also complicated, and it's difficult to identify flaws, he said.

E-mails containing active code hidden in HTML (Hypertext Markup Language) or XML (Extensible Markup Language) may have hidden, malicious content the user is unlikely to see, making it difficult to evaluate the risk, Brunnstein said.

The key to solving security issues lies with both the manufacturers and companies that use the systems, said Bob Bruce, vice president of Mobile Solutions for Nokia Enterprise Solutions.