Print
Discuss
Send to friend
RSS feedsIT Week: As head of information security in northern Europe
for professional services firm Ernst & Young, how do you rate the importance
of human
factors in IT security?
Seamus Reilly: They are extremely important, but many IT people are not very good at impressing on business users how important security is. They need to be able to talk in the language of business to get this message across. For example, they need to be able to clearly explain to users when it is appropriate to use encryption. Firms’ policies should be easy to comply with; staff will not abide by a policy if compliance is too onerous. Also, there is no use having policies if you don’t give your people the tools they need to follow them.
Biometrics have long been touted as the answer to identity and access
management problems, but to what extent are firms deploying these
technologies?
Many firms have had technical trials, but few have launched full-scale rollouts.
Sarbanes-Oxley was a massive driver for the improvement of controls in IT. A lot
of firms came up with a tactical solution to meet regulatory requirements and
now they are stepping back and looking strategically at security, seeing what
they need to meet efficiency demands. The jury is still out on identity and
access management. It’s a challenge for our clients to work out what to do in
the identity space. People should look at the key things they need to achieve.
Do you think physical and network security is finally converging,
despite the silos in many organisations?
Some of our clients are looking to bring them together. There is often a
disconnect between the two that some organisations are overcoming, but there are
cultural issues too. Another key issue is contract staff. Most organisations
have a centralised HR database, but what about the temporary contractors? What
access rights should they be granted?
How have your e-commerce customers minimised their exposure to fraud?
Online fraud is still at a relatively low level, despite the publicity
it attracts. Any organisation that carries out online transactions should be
looking at what can be done to prevent fraud in the first place.
A recent Forrester Research report suggested the role of the chief
information officer (CIO) would eventually split to produce IT general managers
and business-change agents. Do you agree?
Businesses’ priorities are always changing. One year a company might
want a strategic CIO to get it into new markets, while the following year it
might want to concentrate on service delivery. Organisations want different
chiefs at different times, and smart CIOs will recognise that and sell
themselves accordingly. Both types of CIO must engage with the business. We are
finding business people from a non-technical background taking on the role, but
we are still not seeing CIOs become CEOs – it’s a hard move to make because
they’re still regarded as IT people.
What are the career prospects for IT security professionals?
There will always be demand for people who focus exclusively on security work.
Higher up the executive ladder will be those security specialists who can
demonstrate an ability to deal with new business challenges. There is also a
need for professionals who can act as a bridge between the security specialists
and the business-change agents.
del.icio.us
Digg this
reddit!
