[ISN] Security is about people

Tue May 16 05:12:12 EDT 2006

http://www.smh.com.au/news/technology/security-is-about-people/2006/05/15/1147545264723.html

By PATRICK GRAY
May 16, 2006

Australia's foremost private IT security organisation says throwing
money at technology problems will not fix them. AusCERT is bringing
the world's most influential data security experts to meet executives
at a conference on the Gold Coast to find better solutions.

Representatives from Qantas, government, banking and an energy company
are to attend.

The open forum to take place next Monday - the first day of AusCERT's
annual conference - aims to educate senior executives on their
responsibilities and personal liabilities concerning information
security, says AusCERT program manager Mark McPherson.

"We're trying to provide a forum for a different style of audience,
it's an experiment," Mr McPherson says.

So-called techno-philosopher Richard Thieme - one time seminarian, now
IT visionary, speaker and author - will speak on the role of
propaganda, public relations, illusion, misdirection and ridicule in
the world of information security.

Bread and butter issues, such as teaching students to write secure
software, will also be covered.

AusCERT consultant Richard Forno says security is not just a
technology issue, "it's a cultural issue".

"We're in the habit of throwing technology and money at a problem
instead of looking at the people and why we do things a certain way,"  
he says.

Mr Forno, who also works for Washington DC-based consultancy KRVW,
will deliver a two-day seminar on secure software design. He will also
deliver a presentation on the incident-response capability he built
for the US House of Representatives in the mid-1990s before incident
handling strategies were in vogue.

He says that a lack of accountability is a grave concern for security
conscious corporations. "The industry focuses on the technology,
because frankly it's easier," he says.

"There's little accountability. We've got HIPAA (the health records
and standards act) and Sarbanes-Oxley (which covers the financial and
accounting sectors) but there's no incentive to do more than meet the
minimum criteria."

Steve Manzuik, of eEye Digital Security, intends to rattle the
skeletons he says are in Microsoft's closet.

Mr Manzuik says the rate of technological change transforming the
security industry has slowed. "People are starting to realise that
signature-based stuff is a waste of time," he says. "When it comes to
having to deal with new threats I don't think it's slowing down but as
protection technologies go things are becoming a little more focused."

Generic protection mechanisms built into operating systems are a good
start but the "people factor" can never be underestimated, he says.  
"No matter how well we do with fixing operating systems it will always
come down to how aware people are."