Summit reveals high security understanding

By Stefan Hammond

Last month's CIO Forum Asia 2005, held in Hong Kong, sported the subtitle: "Managing IT for Business Growth." The confab of industry movers and shakers focused on the changing role of enterprise CIOs. According to the event's website, a recent survey by Meta Group "showed that 47 percent of CIOs had taken on more business responsibilities in the last year as crucial functions such as customer service and HR become increasingly dependent on technology."

Security first

A panel of Hong Kong-based CIOs tackled the contentious issue of information security in the workplace and how it relates to business. Moderator Thomas Parenty, managing director of Hong Kong-based Parenty Consulting, echoing the confab's overall theme, described the panel as having a solid mix of business and IT experience. "Managing IT for business growth is a thankless job," said Parenty. "CIOs must be an integral part of business operations, but on the one hand, you're asking (CEOs) for budgets to do the right thing, when realistically the best you can promise is that if they do give you the money, you'll reduce the chance of really really bad things happening."

Safeguarding info

"Our firm handles 80 percent of Hong Kong's air cargo," said Andy Bien, general manager information services for Hong Kong Air Cargo Terminals Ltd (HACTL). "Every piece (of cargo) has a series of information associated with it, and we have custody of that information."

Bien noted that safeguarding this information isn't the sole responsibility of the IT department, but the company as a whole. "Mobile devices, including USB drives, pose a new threat," he said. Bien added that HACTL is planning a major revamp which would incorporate "security by design, as retrofitting is difficult."

CIO confidence

"Security never goes away," said SW Kwok, CIO for Aon Hong Kong Ltd. "It keeps haunting me." The CIO said that, at her firm, whenever one area is secured another problem manifests in a different area. "I've accepted that it's a never-ending battle," she said.

Kwok added that from a management point of view, CIOs may think they've been handed a thankless job as they are tasked with protecting the enterprise from risk, but not necessarily given the funds to do the job properly. "Users may not understand all the technological details," she noted. "They don't need to understand, but they need to be aware." Kwok said the proliferation of home computers has helped drive user awareness of the need for IT security.

As far as the care and feeding of CEOs, Kwok said that "it doesn't matter what management or users think--CIOs must have confidence in themselves. They must relate IT security to overall management problems and priorities."

"Give them an idea of the benefits, get them excited," advised Kwok. "Then hit them with the money."

The Aon CIO mentioned that Asiawide resources can best be structured by having wealthier countries contribute more of the overall budget while less-wealthy countries can share resources.

Regulation and trust

"In our industry, security is second-nature," said Michael Leung, senior VP & CIO for Bank of America (Asia). "We have banking regulation through the HKMA and SFC, but essentially, we rely on customer trust." Leung said that the HKMA-driven initiative towards two-factor authentication earlier this year has helped make Hong Kong a world leader in online banking.

Leung also said that his bank practices security policies so rigid that even basic Net services like email are "heavily regulated."

Effective partnerships

Vince Pizzica, CTO for Alcatel Asia Pacific, said that technology has become so complex in recent years that "it's no longer possible to understand all parts of an IT setup." Pizzica added that his firm is emphasizing partnerships to "partner more effectively across the landscape."

"In the past, it was a hard-wired IT world," said the Alcatel CTO. "Now we must 're-create' those wires (in a wireless environment), largely through encryption."

Locking down the USB

The panel concluded with a lively debate on enterprise-wide security policies. Leung said that at his firm, all removable devices such as USB drives must use encryption to be permitted. He added that they had considered disabling all USB ports entirely, but that users of devices like USB-powered fans found this onerous.

Kwok said that her firm permitted a screen dump/print-out method of documenting information, but Leung said BofA had disabled that as well. "It may be draconian," said Leung, "but educating the user is the single most important security tool in any CIO's arsenal."