Security threats Toolkit

Security problems 'can be conquered'

Dan Ilet ZDNet.co.uk

Published: 28 Sep 2004 12:40 BST

ZDNet UK's IT Priorities Conference kicked off today by focusing on the perennial problem of IT security and hacking -- one of the top five IT Priorities identified by readers as a major issue over the next three months.

Keynote speaker Martin Smith of the Security Company started proceedings at the one-day conference in London's Park Lane Sheraton by claiming that a lot of mainstream IT security solutions lure people into a false sense of security.

"There are some real bad boys out there and we are not ready for them," said Smith. "Security is not about IT, but about information security. There are some real problems, but no one ever does anything about them."

Smith, who has worked in counter-terrorism, said a lot the problems stem the way that company board members -- mostly from an older generation than the technologists within a company -- think about security.

"For me computers are a second language" said Smith. "And it's people my age who are running business. We are terrible at IT because we are ignorant and there are no IT managers on the board."

High-level management support was of key concern to Smith. He highlighted that more IT managers need to sit in boardroom meetings: "IT is never represented at the board. IT gurus are never really considered to be 'one of us', but one of the troops. You need to find a champion on the board.

Smith also tackled the issue of risk analysis and said that if managed properly, risk could be eliminated if companies focused on vulnerabilities.

He also attacked security vendors for promoting fear and hyping the threat. "It is indecently dishonest the way IT security companies talk about hype and solutions", said Smith. "I'm not saying all vendors are dishonest, but look at InfoSec, there are thousands of solutions. But all you really need to look at is half a dozen technologies."

Smith said that 80 percent of threats came down to things like patch management and system errors. 'Sexy' threats like phishing, viruses and cyberwarfare were secondary problems, he added.

In his conclusion Smith said that companies had the capability to conquer security problems.

"The right conditions now exist and we can do this", said Smith. "But the bad news is that most organisations believe they already have good security in place. I know how vulnerable people are because I test them."

"We as an industry have to be more focussed and avoid looking at technology solution when it is the bleeding obvious that always catches us out. And you'll do it by going back to basics."

For all the latest News, Reviews, Comment and Analysis on security see the Hacking Toolkit in Insight here.

You can follow the ZDNet UK IT Priorities Conference live on the online Webcast powered by Macromedia Breeze.