The Precarious State of Security in Asia
Security is defined as the condition of being protected against danger or loss. In the Internet age, information security has become as valuable and important as the physical aspect of security.
Security remains top of mind among security companies and technology executives. But how does this trickle down to users and their managers?
Business Innovation conducted a readership survey to determine the extent to which users are familiar with the tools, policies and processes regarding security in the enterprise.
How many staff are dedicated to security?
Among the 316 respondents to the survey, approximately 60% have a small team of one to five people within their IT organization to keep their infrastructure secure. Almost 28 percent report having a larger team dedicated to security. Twelve percent did not have staff dedicated to security in the IT organization.
"Except for very large organizations that actually have a team dedicated to security, most so-called security experts in IT organizations actually carry out various jobs; security is one of them," said Henry Ng, Professional Services Manager, Asia, Verizon Business. "Compared with the U.S., there are very few companies in Asia where a Chief Information Security Officer or CISO is used to monitor safety initiatives of the company. In organizations where this action exists, the CISO often reports directly to the CEO and not the CIO."
Do you struggle to measure security consistently across your enterprise?
More than 51 percent admit they lack the ability to measure adequate security throughout the enterprise. Add to this the 24.6 percent of respondents who are unsure of how to measure security, and 75.6 percent of respondents struggle with security measurement.
This suggests a lack of internal awareness of the tools, policies and best practices that enable accurate measurement. It also implies an inability to justify new investments in security beyond basic security tools like anti-virus software and intrusion detection and prevention solutions.
How is security measured? Some solution providers point to the number of incidents tracked and/or stopped at the door.
Ng said that his team is often invited to meet with customers to solve specific security problems. "When it comes to security, most organizations act in response to specific events. Only a few, especially those from very large companies headquartered in the U.S. or Europe, have a security strategy beyond the basics," added Ng.
Can you demonstrate effective risk reduction and a confident stance?
The easiest way to demonstrate risk reduction is to keep your anti-virus software updated. Most corporate users have this process automated for them by IT. As soon as a user connects to the network, the anti-virus client checks the server for updates. Surprisingly, only 38.6 percent of respondents claim to be able to demonstrate this stance.
Andrew Walls, Research Director of Security, Risk & Privacy at Gartner, said that the only way to demonstrate risk reduction and security performance is to have an effective security information and event management (SIEM) program.
Gartner research has found strong benefits in the level of security assurance and in the containment of security costs produced through sound management of a SIEM program.
Walls warns that indicators should be driven by business priorities with raw metrics (obtained from technical security systems and processes) analyzed and translated into business terminology.
Do you need help or support with internal or external audits?
A little over 41 percent believe they need assistance with regard to internal or external audits. Over 42 percent say they do not need support, while nearly 15 percent remain uncertain.
On the issue of international standards of information security, Paredes notes that Asia tends to be less transparent regarding policies, processes and standards. "The tendency of organizations in Asia to prevent the exposure of internal security practices in public leads to conflicts where Western organizations seek to perform security risk assessments and compliance audits. Lack of transparency is often interpreted as a lack of enforcement of safety within the organization, which can result in adverse audits," he adds.
Do you have to comply with standards such as the Payment Card Industry Data Security Standard, ISO 27001 or others?
Only 20.5 percent of respondents confirmed that they meet specific security standards. The standards mentioned most often are ISO 27001 and BS7799.
Nearly 54 percent believe they are not required to meet security standards. More than a quarter of respondents are confident that their organizations should support any standard at all.
It is human nature to operate in reactive mode, especially when it comes to security. It is hardly surprising that in the aftermath of 11 September 2001, companies were trying to evaluate and implement security policies and processes. Also, after the Boxing Day earthquake in Taiwan on 26 December 2006, which knocked out underwater communication cables, people rushed to find out if their systems were compromised.
Do you have a structured process or methodology for managing enterprise-wide security initiatives?
Structured, enterprise-wide management of all security initiatives is a rarity in Asia Pacific. Not surprisingly, only 26.3 percent of respondents claim to have a structured methodology for securing the organization. Many more (38.2 percent) believe they do not, while 35.6 percent are unsure whether such a process exists.
The latter two groups total 73.8 percent, a figure that should be a concern for regulators and an opportunity for security experts who seek to offer their services on the market.
Are you unsure how to prioritize security efforts and allocate resources?
The ability to prioritize implies knowledge. Respondents clearly underestimated the magnitude and complexity of implementing security policies and strategies. About 45 percent of respondents say they are confident that they know how to prioritize security initiatives and allocate resources.
In fact, conversations with experts suggest this is often not the case. It is possible that this perception rests largely on the belief that security is not only the deployment of a combination of anti-virus, intrusion detection and prevention solutions.
Do you find your existing security controls effective in protecting against threats, worms and viruses?
Most (61.9 percent) of respondents believe that their current configuration is effective in controlling breaches caused by worms and viruses. They say it was overconfidence that spelled the demise of Napoleon.
Only a minority (17.9 percent) are pessimistic about the capacity of their infrastructure to contain and counter threats, and a slightly higher percentage (20.3 percent) remain uncertain as to the effectiveness of their security initiatives.
Do you use third-party validation and certification to meet compliance requirements?
The confidence of respondents in the effectiveness of their security initiatives is dampened by the inability to measure or actively validate the effectiveness of security measures with respect to meeting compliance requirements.
Only 35.7 percent of respondents have a third-party validation process in place. Forty-four percent do not use external organizations, which can be explained by the 42.7 percent who do not use an external auditor to verify their security situation and the 53.9 percent who do not need to comply with standards.
The remaining 20.3 percent are not sure whether their organization is using third parties to carry out certification.
Many third-party certifications are available in the market for all types of security procedures. "However, they are valuable only as evidence of compliance if the certification is based on the regular evaluation of all safety practices that are relevant to the rule that applies. The quality of assessment is entirely dependent on the issues raised: transparency and maturity," says Paredes.
According to Paredes, if an organization is not entirely transparent during a certification assessment, it may be certified, but it will certainly not pass a compliance audit. Transparency is an absolute necessity if your organization is seriously engaged in security risk management.
"If the security program does not have well documented and consistently applied policies, rules and procedures, then the certification is based on hearsay and personal guarantees by staff. This will not be enough to pass a compliance audit," said Paredes.
Compliance is easy if you have a mature, transparent security program with the troop numbers to match. If you do not, audits will always be a struggle.
Market Analysis
How much are companies spending on security solutions? According to IDC, $2.9 billion was spent on security solutions across Asia Pacific (excluding Japan) in 2006. This number is expected to nearly double to $5.9 billion in 2011.
The IDC Asia/Pacific Communication 2006 study showed that "the introduction of viruses" was the main threat by a large margin. This indicates that despite the maturation of secure content management (SCM) technology (including web antivirus, filtering, messaging and security), viruses are still considered a very real threat to the enterprise IT infrastructure.
This is followed by "corruption or data replication" and "external hacking." Note that "the sabotage of employees" was also high on the list, as companies in APEJ have traditionally focused on perimeter defense, or what is commonly known as the strategy of "keeping bad things out."
This result shows that many companies now realize that there is a need to put controls in place to "keep the good stuff in" too.
Willie Low, market analyst at IDC Asia/Pacific Infrastructure Software Research, says that viruses, worms, Trojans and other malicious programs remain top-of-mind issues for end users. "However, the increasing use of RSS feeds, mashups, blogs, Web 2.0 and other interactive technologies at work introduces new security challenges for many IT managers, and many organizations are not prepared for that," he warns.
"It is no coincidence we're seeing many information protection and control (IPC) solutions (data loss prevention systems being one sort of IPC solution) introduced into the market recently. We expect to see more in the coming months," concluded Low.
According to Gartner, the 3 security issues or initiatives for 2008 in Asia are:
New approaches to the delivery of IT are expanding on the market. Software as a service, virtualization, infrastructure on demand, managed services, social networking, grid computing and virtual worlds can provide enormous benefits in terms of performance and cost, but also require new approaches to security. To get the benefits, companies need to aggressively improve their security operations.
The growing importance of organized crime in network-based attacks is creating new attack strategies that are more focused and effective. Mitigation of this threat can only be achieved through a coordinated, enterprise-wide security program.
IT initiatives continue to proceed without adequate security participation early in the design process. It costs much more to secure a system that is about to be deployed than it costs to secure a system that is about to be designed.
Conclusion
Walls warns that it is impossible to generalize about the quality of security practices across all of Asia. He reminds us that, as with other areas of business operations, some communities have moved faster than others due to a variety of factors.
"Overall, the implementation of security policies, processes and methodologies is performed well in major financial centers in Asia like Hong Kong, Singapore, Kuala Lumpur, Beijing and Shanghai. The need for security activities is driven by the risk appetite of the business leaders of an enterprise. As organizations grow in size, they tend to be more conservative and risk averse. As a result, they demand higher levels of safety assurance," said Paredes.
It is therefore natural that companies in financial centers have higher levels of security activities than other industries.
In 2006, Chinatrust Commercial Bank (CCB) conducted a comprehensive review of its information security environment. The exercise culminated in the company achieving Cybertrust Security Management Program (SMP) Certification.
According to Ruu-Tian Chang, executive vice president of Chinatrust Commercial Bank, CCB was able to strengthen its information security management program with knowledge to help find the weaknesses of existing external information systems, track the history of improvements and address the underlying causes of the problems.
The result is a clean bill of health that the bank uses to position itself as one of the safest financial institutions in Taiwan.
Ng suggests that successful security initiatives have several features that ensure their survival beyond the debate tables (whether in the boardroom or in the war room at the beginning of execution). "The approach can only be global; no piecemeal tactical approach can survive for long. There must be a baseline against which success or failure can be measured. Initiatives should be reviewed regularly against the prevailing (and perhaps even speculative) conditions," Ng concludes.
Paredes offers five best practices in the creation and deployment of a security initiative:
Understand the business priorities that drive the initiative.
Determine how you will measure the success or failure of the initiative and negotiate these parameters with the business stakeholders.
Give priority to vendors who have local support organizations to help with the design, implementation and management.
Involve business leaders and users in the deployment plan for organizational support.
Call high, call wide, call often! Make sure that everyone from the CEO down is aware of their role in the initiative and is regularly updated on progress.
Whatever you want to hear, you have to start, and that time should be yesterday.





