Published on Open Forum (http://www.openforum.com.au)

A call for maturing our approach to IT security and risk

By Gavin Struthers
Created 13/06/2008 - 12:45

As part of McAfee's participation in E-security Awareness Week [0], I've spent the last three days talking directly to customers at an Executive Summit we hosted in the Hunter Valley in New South Wales, and gleaned some insight into the challenges organisations are currently facing.

When it comes to the challenges CxOs and security managers face in better securing corporate networks and managing risk, there is a definite sense of this being a "work in progress". Their call was to make the proposition simpler while providing higher levels of protection and compliance.

These stakeholders understand the evolving complexity and escalation of threats to their organisations and their data. On the one hand, they are witnessing a proliferation of "smart" devices, many of which are being carried into the office and connected to the corporate network without being properly checked for malware, and without their disks being encrypted in case the device is lost.

On another front, people are making greater use of a plethora of new platforms and services to share information and communicate: social networking sites, IM, VoIP, Web 2.0, SOA and similar technologies. These have introduced a whole new set of vectors for compromise or data leakage.

At the same time, malware numbers, phishing attacks, targeted attacks and general subversion for gain are on the rise in a fascinating pattern of drama that arguably warrants another Harry Potter series. For example, McAfee has seen a 60 percent increase in malware numbers in 2007 over 2006, and our Avert Labs are detecting upwards of 370 new instances of malware per day.

As I catch you thinking "so what", let's get back to the thinking of the corporate stakeholder. They are acutely aware of their role: to appropriately weigh up the aforementioned challenges, represent risk to the business and recommend appropriate responses based on the organisation's appetite for risk.

However, many I've spoken to in recent days talk about the challenge of having to justify the money they spend on IT security, and the related challenge of integrating this investment into broader corporate outcomes.

This has been a perennial challenge when it comes to justifying a budget for IT security, or justifying the next dollar spent on further measures. There was consensus that there are ways to track and measure both spending and outcomes, provided a strategic and considered approach is adopted.

Applying this type of thinking to the Capability Maturity Model (CMM), which addresses the definition and maturity of an organisation's processes, organisations can start to plot the maturity of their security and risk posture while contemplating the commensurate value to the organisation.

The first level, "Secure", involves hardening the attack surface by implementing technologies and procedures in the corporate infrastructure. This requires a mixture of the actual technologies, plus adopting procedures for how security technology is updated and refreshed.

Level two, "Compliance", typically covers how organisations set policy and go about ensuring policy adherence. It must be said that one may be compliant without being secure.

Being "Predictable" is level three, and it introduces quantitative and qualitative metrics derived from, among other things, knowing the state of the physical infrastructure, correlating the IP assets against known vulnerability and threat databases, and understanding security procedures and policies. Having meaningful metrics enables a more sophisticated discussion with the business rather than relying on scare tactics to secure its support for the next important project. Not only does this contribute to an improved security and risk posture, but it also aids the often dreaded explanations to auditors, executive management and regulators about how and where due diligence was applied in mitigating threats and protecting customer and corporate data.

Level four of this maturity model refers to the concept of "Optimisation": how the integration of technologies begins to reduce overall cost and complexity while adding incremental business value. Organisations want to see more done with fewer tools, calling for providers to offer multiple layers of protection and levels of compliance from technologies that don't require multiple agents, management consoles and reporting engines.

In a time when there may be a shortage of fear and, in places, a lack of accountability, adopting a capability maturity approach to security and risk may help us communicate and generate more meaningful business outcomes.

Gavin Struthers is the Australia New Zealand regional director for technology security vendor McAfee.

McAfee [1] is an official partner of the National E-security Awareness Week [1].

________________________________________________

Visit www.StaySmartOnline.gov.au [2] for details and step by step information on e-security.


Source URL:
http://www.openforum.com.au/maturing-our-approach-to-IT-security