Put policies before products in IT security battle

24.05.2005
By Michael Crawford

Two-thirds of respondents to AusCert's 2005 Computer Crime Survey admit there is still room for improvement when it comes to IT security staff training. Senior AusCert security analyst Jamie Gillespie said education of information security staff is paramount in improving security management.

Speaking at the AusCert conference on Queensland's Gold Coast, where the survey was released yesterday, Gillespie said respondents admitted education has to be directed to IT security staff so they can more effectively manage the technology already in place.

"Between 98 and 100 percent of companies surveyed use antivirus software yet they are still getting infected; this wouldn't be happening if tools were employed properly," Gillespie said.

Nearly 70 percent of respondents in the survey said their IT security staff have insufficient experience and training to meet the needs of their organization.

About 79 percent are concerned about the level of security training for general staff, and 76 percent are concerned about the lack of training within their organizations.

The view within enterprises is that more dollars will solve security problems, but it is really about implementing and maintaining the right policies, Gillespie said.

Policy writer and independent security consultant Charles Cresson Wood said putting the value of products before people and procedure had created a dangerous environment. Wood said policies need to be embraced as one of the four "P's" - people, policy, process and last of all products.

"The information security industry can no longer be seen as an individualized artistic endeavour of technical people. IT needs to be a major business function," Wood said.

"There is a lack of information security policies and poor education related to following policies. The failure of using policies was instrumental in the downfall of one of the world's most famous chartered accountancy firms."

Australian High Tech Crime Centre director Kevin Zuccato said appropriate education is not about blaming the end user or holding them responsible.

He said education is ensuring a common message is delivered and clearly understood, not about tutoring people on how to use their computer.

Michael Crawford is attending the conference as a guest of AusCert.