Resolving issues of information security
4th March 2002
By Aimie Pardas

To help local organisations protect their critical information, there is a need to beef up efforts in developing personnel with expertise in information security. Industry experts are calling for a comprehensive approach in addressing information security which includes a sound security policy as well as a supply of relevant expertise.

This rise in concern over the issues follows an increasing number of incidents of information system breaches experienced by local organisations and the likelihood of information leaks due to such cases as industry espionage and corporate spying.

Recent statistics from the Malaysian Computer Emergency Response Team/National ICT Security and Emergency Response Centre showed that 184 cases of breach incidents were reported in the last quarter.

Jagdeep Kairon, chief executive officer of Network Security Solutions (India) Ltd (NSS), said despite possible threats to their information security, organisations rarely have the relevant skilled personnel and often make the mistake of relying only on systems administrators to tackle the issue.

"The role of a systems administrator is to make sure the network is up and running, but a security engineer has to make sure that the network does not fail in the case of an intelligent and malicious adversary," he explained.

Kairon said as 85 per cent of all security breaches occur from inside the organisation, security detection and response should be administered in layers.

He added that though a significant amount of the breaches has been in security solutions and products, training in information security has often been overlooked by organisations.

Kairon stressed that efforts in developing skills in information security will need to come from all sectors, including the government.

"The Defence Ministry, the Energy, Communications and Multimedia Ministry as well as Malaysian Armed Forces and Royal Malaysian Police, for example, should be involved in this," he said.

Meanwhile, Gary Riske, information risk management partner of KPMG, said that requirements for information security personnel depend on the size of the organisation.

Other factors, he added, are the type of business the organisation is involved in, information that is being protected and regulatory requirements.

So, to generate a sufficient pool of information security experts, more courses should be offered by private and public-backed training houses or an organisation could get an outside expert to help in knowledge transfer.

Palladium Consulting's managing director Mohd Bashir Shariff said producing experts in information security will need a structured training programme.

He added that organisations in the banking and financial sector will be among those that will initially benefit from the programme.