Hiring security consultants to lower risk
21st October 2004 (Computimes)
BY ROZANA SANI

MOST organisations in Malaysia recognise and understand that minimising risk in today's business environment is essential.

Many are fully aware that the safety and security of their intellectual properties and information assets have a direct impact on their daily operations. Nevertheless, many are still unsure of the steps to tackle information security issues within the organisation.

One course of action that many organisations resort to is investing in the latest state-of-the-art, top-of-the-line security solutions, which can be technological overkill, said Mimos Consulting Group (MCG)'s senior consultant Wan Roshaimi Wan Abdullah.

"Security problems can be solved. An organisation may have the money to buy what they want, but what they procure may not be suitable. In this case, the organisation needs a third-party consultant to help them work out their level of security posture through a security audit, and eventually specify their technology requirements," he told CompuTimes on Tuesday.

Wan Roshaimi said security consultants like MCG, which is a strategic business unit within Mimos Berhad, are able to chart a roadmap for an organisation that sets out where to begin, which technology is right to invest in and how much should be allocated for the investment, along with recommendations.

Technology, however, is not the only issue. Security also involves the people within the organisation, as well as its processes and policies. This, Wan Roshaimi said, forms the basis of MCG's consultancy model. These elements are embodied in the services provided by MCG, which fall into four categories: technical consulting service, management consulting service, information security training and managed security solution.

Technical consulting comprises services such as network security audit, application security audit, penetration test and vulnerability assessment, network architectural design and review, and wireless local area network security audit.

Management consulting provides services such as information and communications technology (ICT) strategic planning and information security management system (ISMS - ISO17799), which is gaining interest among organisations in both the private and public sectors.

Information security training aims to train personnel on essential security requirements, while under managed security solution, MCG provides a solution called Internet Security Surveillance System.

According to Wan Roshaimi, one particular area that MCG is pushing is training as there is still a lack of ICT security personnel/experts in Malaysia.

MCG, he said, conducted three sessions of ICT security training earlier this year, and it will conduct the fourth session in December. Courses provided include Defending Linux, Defending Windows, Security Audit - Principles and Techniques, and Web Application Security - Attacks and Defences.

MCG's thrust in training will continue into next year to focus on incident response and handling, forensics and business continuity.