Last month’s CIO Forum Asia 2005, held in Hong Kong, sported the subtitle: “Managing IT for Business Growth.” The confab of industry movers and shakers focused on the changing role of enterprise CIOs. According to the event’s website, a recent survey by Meta Group “showed that 47 percent of CIOs had taken on more business responsibilities in the last year as crucial functions such as customer service and HR become increasingly dependent on technology.”

Security first

A panel of Hong Kong-based CIOs tackled the contentious issue of information security in the workplace and how it relates to business. Moderator Thomas Parenty, managing director of Hong Kong-based Parenty Consulting, echoing the confab’s overall theme, described the panel as having a solid mix of business and IT experience.

“Managing IT for business growth is a thankless job,” said Parenty. “CIOs must be an integral part of business operations, but on the one hand, you’re asking (CEOs) for budgets to do the right thing, when realistically the best you can promise is that if they do give you the money, you’ll reduce the chance of really really bad things happening.”

Safeguarding info

“Our firm handles 80 percent of Hong Kong’s air cargo,” said Andy Bien, general manager information services for Hong Kong Air Cargo Terminals Ltd (HACTL). “Every piece (of cargo) has a series of information associated with it, and we have custody of that information.”

Bien noted that safeguarding this information isn’t the sole responsibility of the IT department, but the company as a whole. “Mobile devices, including USB drives, pose a new threat,” he said. Bien added that HACTL is planning a major revamp which would incorporate “security by design, as retrofitting is difficult.”

CIO confidence

“Security never goes away,” said SW Kwok, CIO for Aon Hong Kong Ltd. “It keeps haunting me.” The CIO said that, at her firm, whenever one area is secured another problem manifests in a different area.
“I’ve accepted that it’s a never-ending battle,” she said.

Kwok added that from a management point of view, CIOs may think they’ve been handed a thankless job as they are tasked with protecting the enterprise from risk, but not necessarily given the funds to do the job properly. “Users may not understand all the technological details,” she noted. “They don’t need to understand, but they need to be aware.” Kwok said the proliferation of home computers has helped drive user awareness of the need for IT security.

As far as the care and feeding of CEOs, Kwok said that “it doesn’t matter what management or users think–CIOs must have confidence in themselves. They must relate IT security to overall management problems and priorities.”

“Give them an idea of the benefits, get them excited,” advised Kwok. “Then hit them with the money.”

The AON CIO mentioned that Asiawide resources can best be structured by having wealthier countries contribute more of the overall budget while less-wealthy countries can share resources.

Regulation and trust

“In our industry, security is second-nature,” said Michael Leung, senior VP & CIO for Bank of America (Asia). “We have banking regulation through the HKMA and SFC, but essentially, we rely on customer trust.” Leung said that the HKMA-driven initiative towards two-factor authentication earlier this year has helped make Hong Kong a world leader in online banking.

Leung also said that his bank practices security policies so rigid that even basic Net services like email are “heavily regulated.”

Effective partnerships

Vince Pizzica, CTO for Alcatel Asia Pacific, said that technology has become so complex in recent years that “it’s no longer possible to understand all parts of an IT setup.” Pizzica added that his firm is emphasizing partnerships to “partner more effectively across the landscape.”

“In the past, it was a hard-wired IT world,” said the Alcatel CTO.
“Now we must ‘re-create’ those wires (in a wireless environment), largely through encryption.”

Locking down the USB

The panel concluded with a lively debate on enterprise-wide security policies. Leung said that at his firm, all removable devices such as USB drives must use encryption to be permitted. He added that they had considered disabling all USB ports entirely, but that users of devices like USB-powered fans found this onerous.

Kwok said that her firm permitted a screen dump/print-out method of documenting information, but Leung said BofA had disabled that as well. “It may be draconian,” said Leung, “but educating the user is the single most important security tool in any CIO’s arsenal.”

By Stefan Hammond – Computerworld Hong Kong