The Changing Role of IT Security in an Internet World
A Business Perspective
Dr. Hannes P. Lubich: Bank Julius Baer, Hohlstr. 602, CH-8010 Zurich, Switzerland
IT security has come a long way since networks were first used to gain unauthorised access to computers, or distribute viruses by e-mail. While IT security was considered a nuisance and an obstacle to the free exchange of information at first, it has now moved centre-stage, defending business-critical systems from unauthorised access. However, we must re-visit the role of IT security once again, because all too often, IT security managers find themselves in the hopeless situation of trying to uphold a maximum of security, as requested from management, while at the same time they are considered an obstacle in the way of developing and introducing new applications into industrial, business and government network environments. Within this paper, some of the difficulties of providing a sustainable and acceptable level of IT security will be discussed in more detail, and elements of an organisational IT security framework will be described.
IT Security, Security Framework, Security Management, Risk Management
The following section introduces some basic concepts of IT security, namely security properties (i.e. "values" that need to be protected) and the corresponding security threats. For a more complete discussion of IT and network security methodology, see e.g.  and .
1.1 IT Security Properties
On a very general level, the "mission statement" of IT security is rather simple, namely to introduce measures that help assess and maintain an acceptable level of security for IT resources (systems, networks, databases, development environments etc). The usual security properties that need to be addressed in this context are:
- Confidentiality: the property that stored or transmitted information cannot be read by an unauthorised party,
- Integrity: the property that any alteration of transmitted or stored information can be detected,
- Authenticity: the property that the identity of the provider of information (in some cases also the identity of the intended receiver) can be proven,
- Obligation (non-repudiation): the property that a specified action such as sending, receiving, or deleting information cannot later be denied by any of the parties involved.
While these definitions appear straightforward at first sight, and while sufficient measures such as strong encryption (in particular public key encryption as introduced by Diffie and Hellman, see ) and high-quality digital signatures exist, a large number of conceptual and technical problems make it difficult and sometimes infeasible to introduce and maintain such protection mechanisms in real-world network environments, in particular when these environments do not operate in isolation but are required to interoperate.
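The following example is added here and is not part of the original paper. It maps the properties above onto two mechanisms a bank would actually use: a keyed hash (HMAC) for integrity and authenticity between two parties sharing a secret, and a digital signature for authenticity with non-repudiation. The RSA parameters are deliberately tiny textbook values (two Mersenne primes, no padding) chosen only so the code runs stand-alone without a crypto library; the payment order and the key are constructed sample data.

```python
import hashlib
import hmac

# --- Integrity and authenticity with a SHARED secret (HMAC-SHA256) ----------
# Sender and receiver both hold `key`. A valid tag proves the message was not
# altered and came from someone holding the key. It cannot give obligation
# (non-repudiation): the receiver could have produced the same tag.

def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- Authenticity with non-repudiation (textbook RSA, toy parameters) -------
# ASSUMPTION / toy: a ~92-bit modulus from two known Mersenne primes and a
# digest reduced mod N with no PKCS#1 padding. This shows the property only;
# never use this construction for real data.
P = (1 << 61) - 1          # 2^61 - 1, prime
Q = (1 << 31) - 1          # 2^31 - 1, prime
N = P * Q
E = 65537                  # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def _digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D) -> int:
    # only the holder of D can compute this
    return pow(_digest_int(message), d, N)

def verify(message: bytes, signature: int, e: int = E) -> bool:
    # anyone holding the public exponent E can check it
    return pow(signature, e, N) == _digest_int(message)

def demo() -> dict:
    key = b"shared-secret-between-bank-and-customer"     # constructed
    order = b"PAY 1000 CHF TO ACCOUNT 12-345-6"            # constructed
    tampered = b"PAY 9000 CHF TO ACCOUNT 12-345-6"         # constructed
    tag = mac_tag(key, order)
    sig = sign(order)
    return {
        # integrity + authenticity via the shared key
        "mac_ok": mac_verify(key, order, tag),
        "mac_detects_change": not mac_verify(key, tampered, tag),
        # the receiver, holding the same key, can mint a tag for an order the
        # sender never issued: no obligation property from a shared-key MAC
        "receiver_can_mint_mac": mac_verify(key, tampered, mac_tag(key, tampered)),
        # signature: integrity, authenticity and non-repudiation of the sender
        "sig_ok": verify(order, sig),
        "sig_detects_change": not verify(tampered, sig),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point a practitioner should take from the two halves: a MAC is sufficient for integrity and authenticity inside one trust domain, but as soon as a party must be held to an action it cannot later deny (the "obligation" property, e.g. a submitted payment order), only a signature under a key that one party alone holds will do, which is exactly why the PKI and certificate questions in sections 2.1 and 2.3 matter.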
1.2 IT Security Threats
The assessment of security threats can be based on a variety of classifications such as active/passive, internal/external, ongoing/planned etc., which will not be discussed further within this contribution, since their use may vary depending on the type of organisation or property under attack. However, at the core of any threat, one or more of four basic elements can be found (disruption, fabrication, modification and eavesdropping), as shown in figure 1 and discussed below:
Figure 1: Classification of IT Security Threats
A disruption or denial of service is usually easy to recognise (access to information or business processes is no longer possible), but it can be hard to determine and remove the real cause of the problem. Where the disruption is caused by brute physical force (destruction through fire, or violent acts), one must additionally assume that significant resources will have to be spent on repairing or replacing damaged equipment. A subtle variation of service disruption is the (hidden) degradation of service quality, e.g. by introducing artificial communication delays, which may disturb the proper execution of a business process but may not be perceived as an attack at all.
The fabrication, modification or deletion of information is much harder to detect or defend against than service disruption, unless specific protection mechanisms are in place. Here, too, a broad spectrum of attack possibilities exists, ranging from the modification of individual data elements (such as the sending time of an e-mail message) to the insertion of falsified payment orders or the complete deletion of databases or logfiles.
Electronic eavesdropping, i.e. the picking-up and evaluation of information, may be carried out in a variety of ways, from "classic" wiretapping to the gathering of electromagnetic radiation emanating from devices such as screens, printers, telephones, encryption devices, video cards etc. Usually, such passive attacks are impossible to detect directly (unless the wiretap or antenna is found by chance or through exhaustive physical and electronic searches). Indirect detection (e.g. by "leaking" specific data whose distribution is intended to reveal the path by which the information was picked up by an unauthorised party) is possible, but expensive and inherently dangerous. Besides attacks on the actual data content, indirect information such as traffic or addressing analysis (i.e. who is "talking" to whom, how often, etc.) can also be of interest to an attacker, even where the content itself is encrypted.
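To make the traffic-analysis point above concrete, here is an added example (not from the paper) that runs over a few constructed flow records of the form "epoch_seconds src dst bytes", as a firewall or router would export them. Payload content is assumed unreadable; the script still recovers who talks to whom, how often, how much, and whether the exchange is periodic, which is exactly the metadata an eavesdropper on an encrypted link can still obtain. The addresses, timestamps and the 5-second regularity threshold are assumptions for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not real traffic): "epoch_seconds src dst bytes".
# The content of each exchange is assumed to be encrypted and invisible.
FLOWS = """\
1000 10.0.1.5 203.0.113.7 812
1060 10.0.1.5 203.0.113.7 790
1120 10.0.1.5 203.0.113.7 805
1180 10.0.1.5 203.0.113.7 799
1007 10.0.1.9 198.51.100.2 45021
1530 10.0.1.9 198.51.100.2 38770
1240 10.0.1.5 203.0.113.7 811
1300 10.0.1.5 203.0.113.7 808
"""

def parse_flows(text: str):
    """Parse one record per line into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((int(ts), src, dst, int(nbytes)))
    return records

def analyse(records, regularity_tolerance: int = 5):
    """Per (src, dst) pair: number of contacts, total bytes, median interval
    between successive contacts, and a 'periodic' flag when at least three
    intervals all lie within `regularity_tolerance` seconds of each other.
    Regular, similarly sized contacts point to an automated exchange
    (a scheduled feed, a polling client, a beacon) rather than a human."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))
    summary = {}
    for pair, events in by_pair.items():
        events.sort()                      # records may arrive out of order
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary[pair] = {
            "contacts": len(events),
            "bytes": sum(n for _, n in events),
            "median_interval": median(gaps) if gaps else None,
            "periodic": len(gaps) >= 3 and max(gaps) - min(gaps) <= regularity_tolerance,
        }
    return summary

if __name__ == "__main__":
    for (src, dst), s in analyse(parse_flows(FLOWS)).items():
        print(f"{src} -> {dst}: {s}")
```

Nothing here required a single byte of plaintext; the defence against this class of eavesdropping is therefore not (only) encryption of content but padding, cover traffic, or routing that hides the endpoints, which is why the paper lists addressing analysis as a threat in its own right.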
2. A Methodology of IT Security Problems and Pitfalls
Although many security frameworks and techniques are available today, the overall security situation in many networked organisations is far from acceptable. The growing number of security incidents and criminal acts involving IT systems and networks indicates that substantial problems exist concerning the proper planning, deployment and enhancement of IT security measures. The following sections explore some of these problems.
2.1 Technological Shortcomings
Many shortcomings of IT security elements have their roots in technological problems. The most commonly perceived problems are:
- There are too many non-interoperable encryption systems and products, with more to come. It is almost impossible for an organisation with a deployed, inhomogeneous operating system and network infrastructure to provide one standard (i.e. the corresponding products) over all platforms, or to obtain sufficient interworking between a range of (unharmonised) products.
- A generally available public key infrastructure is still missing. While the corresponding standards have been available for some time, a common PKI has not yet been provided on the Internet, and many of the regulations concerning digital certificates are still pending. In addition, interworking problems have plagued the rollout of PKIs and the corresponding directories, as well as "PKI-ready" products provided by different vendors.
- There is an open debate as to which security services should be provided by which functional layer (network, operating system, middleware, application, presentation). While some have championed IPv6 and its security elements as the end of all security problems on the Internet, it is still unknown (and consequently not reflected in the deployed IT base) which security service elements will be provided (and accepted by the market) as part of the networking base, the operating system, or application services.
- The interworking of a large number of components and the corresponding dependencies create an additional level of complexity, which has hampered deployment of common security platforms. A subtle change in one operating system covered by a security framework, for instance, may imply the upgrade of the security framework (or parts of it), which may in turn imply upgrades in other deployed platforms or upgrades of middleware components and/or applications on these platforms.
- Externally supplied frameworks (such as SAP®) utilise their own "embedded" security modules and methods, which may or may not be compatible with the security model and systems already installed. In some cases, it is almost impossible to obtain enough information about the inner workings of these systems to assess whether the embedded security is up to the standards required from all other systems and applications in the organisation.
- The complexity and openness of interfaces between the organisation and entities in the outside (i.e. untrusted) world poses another problem for a coherent IT security environment. While one financial information vendor, for instance, may give customers a choice to separate a financial data stream from an e-mail channel (i.e. to block any unwanted e-mail gatewaying between the organisation and the Internet through the financial service provider), another provider may opt to code all these functions into one proprietary data stream, thus making it virtually impossible to selectively block e-mail gatewaying.
- Many organisations suffer from severe integration problems when it comes to deploying "just one" IT security framework. Although it has become popular in the IT community (especially in the sales force) to term all systems already sold and paid for "legacy" in order to boost next year's sales, a large number of business-critical systems in the mainframe and midrange area have their own well-built but incompatible security environments, while they are still perfectly suited to run the organisation's business applications. No head of IT would be able to justify the replacement of these investments "just because of IT security".
- As in every software area, bugs and deficiencies also exist in IT security software, as well as in particular configurations. While the IT industry as a whole has learned a lesson with respect to covering up security holes (also thanks to the self-organisation of the Internet community into CERTs and other security communities, see ), such security holes still exist and will continue to exist as the corresponding software becomes even more complex.
2.2 Business / Organisational Aspects
Integrating IT security into the organisational framework and business process can also lead to challenges, which may in turn influence the acceptance and performance of IT security:
- The role of IT security is often perceived as an obstacle for the implementation of new business applications (some have even argued that the only useful role of an IT security officer is to be the scapegoat after things have gone wrong).
- The non-delegable responsibility of an organisation's executive board, as defined in many corporate laws, makes senior managers over-sensitive in terms of decision making (in such cases, IT security is usually requested to guarantee 100% security, even for applications and business processes yet unknown).
- Many organisations do not delegate sufficient executive powers for the IT security organisation to "pull the plug" if necessary. As the IT security officer is not allowed to take responsibility for an interruption of the organisation’s service due to a perceived security problem, the organisation faces sluggish response time and inappropriate escalation procedures.
- The outsourcing of parts of the IT service (such as the operation of a company's PCs or the data network) adds to the complexity of detecting and repairing security problems, since both the outsourcing provider and the outsourcing client treat their respective environments as "black boxes", with little or no information being available to allow effective problem tracing.
- There is a growing need for IT security specialists (i.e. persons being able to find the "right" level of specialisation and business understanding). In order to increase the interest of employees and educational facilities in this field, active marketing efforts concerning employment opportunities and career development must be made.
- While financial, environmental and other risks have been addressed by many organisations as part of their business, a professional approach towards operational risk management has yet to be deployed on a large-scale basis. Many operational risks (such as the decision whether to stay operational during an on-going hacker break-in, or to shut down as a preventive measure) are currently taken without a formalised decision-making basis.
2.3 Legal / Regulatory Pitfalls
In addition to technical and organisational shortcomings, legal and regulatory issues add another layer of complexity to the provision of a coherent IT security environment:
- Data protection and audit requirements may complicate IT security provision in an international company, e.g. if backoffice or computing services are provided through a centralised service centre which may be located in one jurisdiction, but may be regulated by the jurisdiction imposed by the country where the processed data is originating from.
- Export/import controls on security technology have delayed the introduction of high-quality security products in many IT markets. Although these regulations tend to disappear, they are still stumbling blocks for many organisations. Many software environments, such as the current export version of Lotus Notes®, still use low-grade encryption, while others, such as the popular Netscape® browser, require active changes by the end user to be able to process high-quality encryption keys. Along the same lines, escrow issues (in particular the mandatory depositing of encryption keys or key information for third-party decryption) have influenced many IT security products (and deployment decisions by customers).
- Another field of legal dispute is centred around certificate authorities and their role as providers of legally binding electronic signatures. (National) debates in this area range from the acceptance of electronic signatures on formal documents to the content of a certificate (i.e. should the issuer of a certificate be visible in the certificate, or just the certifying authority; this may for instance be a crucial point for banks wishing to deploy digital certificates to their customers while retaining banking secrecy).
2.4 Societal Issues
Finally, matters of social acceptance and consensus influence IT security as well:
- In many countries, there is an open debate on issues of informational self control versus the right for extensive "data mining" by companies using (and extending) their customer information bases by exchanging them with other companies or marketing organisations.
- It is difficult for many people to determine an acceptable level and consistent method of risk-taking – many operational IT risks do not compare well to risks known to the average person, thus making it difficult to build the required expertise (based on inevitable but expensive errors and misjudgements).
3. A Proposed Definition of IT Security Services
The gap between documented IT security "theory" on the one hand, and the concrete problems of daily life on the other hand, shows the need for a concise, well-defined and well-executed IT security definition and realisation plan, for any organisation that wishes to go beyond the daily fire-fighting style of IT security. The following sections discuss the individual elements of such a service, as well as their interworking.
3.1 Basic Principles
In view of the growth and innovation rate of IT systems and products, it is neither possible nor economically useful to provide maximum IT security against all threats outlined above. Instead, IT security must be focussed on pragmatic, yet concise, asset protection goals and mechanisms:
- Sufficient baseline protection (see  for the general concept) for all IT systems and applications (i.e. no expensive and time-consuming detail analysis per system or application), complemented by classes of additional protection mechanisms, where required and feasible.
- Understanding and usage of one’s own IT security as a business asset (i.e. moving away from IT security as a necessary, insurance premium cost factor, or from IT security as a blocking factor for new business opportunities).
- Observance of all relevant IT security rules and regulations, and use of standardised methods and systems, whenever possible (see  and  for an index of useful online resources).
3.2 Realisation through a Suitable Security Management
The basis for all protection mechanisms is the existence and organisational embedding of an appropriate IT security organisation. The mere existence of an IT security officer is, however, still no guarantee for the proper functioning of IT security management. Essential for proper functioning are the following aspects (see also ):
- Suitable embedding of the IT security organisation into the organisational structure, and allocation of appropriate instruction power (i.e. a "top down" approach with explicit approval from top management).
- Creation and maintenance of a general IT security handbook and appropriate technical and organisational instructions by the individual divisions (i.e. a "bottom up" approach involving those mainly concerned with realisation), based on an appropriate risk analysis.
- Consultation, training, reviews and audits of projects, investments, and IT operations in co-operation with the internal or external revision (both pro-active and reactive)
- Design, set-up and operation of a consistent, restrictive and well-documented user administration and access right assignment, as well as corresponding operational supervision.
- Step-wise integration of IT security awareness and corresponding actions into the organisational culture.
3.3 Realisation Elements and Phases
In order to set up a suitable IT security management, a sequence of inter-related activities must be initiated, which are discussed in more detail in the following sections. Depending on business area and protection need of the respective organisation, the weighting can be different, as well as the sequence and repetition rate of these activities.
Clear Mandate by Senior Management
IT security operates in a permanent area of tension between the desire of customers and employees for extensive functionality and ease of use, and the necessity to enforce IT security related restrictions. Without clear objectives and instructions from senior management, and without appropriate cover for the enforcement of necessary but unpopular measures, the set-up of an IT security management is doomed to failure: whenever a conflict between business benefit and security issues occurs, an unreflected decision is usually made in favour of the potential benefit, without a proper risk evaluation and, if necessary, an explicit acceptance of the risk by the appropriate decision makers. If IT security problems occur because of such implicitly taken decisions, the danger exists that responsibility is shifted onto the person responsible for IT security, without that person having been able to state his or her opinion with the necessary emphasis.
In addition, it must be noted that it is not the task of the IT security organisation itself to make the balanced consideration of business opportunity and IT risk. This balance and the resulting decisions are a non-delegable task of senior decision makers; IT security only has the task of supplying its consolidated view and the appropriate reasoning, while the responsible business units, which are usually willing to take a risk in favour of a business opportunity, supply an opinion from their point of view. (This does of course not imply that IT security may operate without in-depth knowledge of the underlying business processes, or may pose unfulfillable IT security requirements.)
The key to sufficient and sustainable support by senior management is the ability to show the additional benefit and business opportunity of a concise IT security management and its coherent application. If the IT security organisation succeeds in gaining acceptance in the sense of added value creation, corresponding support by senior management is easier to obtain. Vice versa, missing management support for IT security issues should be interpreted as a clear warning sign, both for employees and for customers and suppliers.
Definition of Security Goals
At the start-up of the security management process, goals and milestones to reach these goals must be defined. Since these goals must be accepted by the whole organisation, it is of utmost importance to secure the co-operation and active participation of all business units. Acceptance of the security goals and the necessary measures cannot be reached through directives alone, but requires the active integration of all parties involved. The structure and granularity of the formal security goals may vary, depending on the type of organisation and business area. In general, however, the following sets of questions need to be addressed:
- Why do we need protection?
- Which properties need to be protected?
- What do we protect ourselves against?
- How can we reach this protection level?
- What is the remaining, residual risk?
- Who is responsible for which aspects of providing protection?
Depending on the level of abstraction of the security goals, they are more or less permanently defined. However, long-lasting goals should be re-evaluated after some period of time, or whenever drastic changes are made to the business activities to which they apply.
Provision of a Risk Analysis
Based on the security goals described above, the current state as well as foreseeable risks must be detected and analysed (see e.g.  for a list of risk-related online resources). Such an evaluation cannot be conducted monolithically for the organisation as a whole, but must be focussed on individual fields of activity, with the active participation of the responsible level of management as well as external specialists, if needed. The typical risk classes which need to be addressed are structured as follows:
- Technical risks: threats which influence technical systems (infrastructure, supplies as well as IT systems) and may cause damage.
- Organisational risks: weaknesses concerning processes and structures with respect to the internal and external control system (e.g. bypassing of separation of duties, 4-eyes principles etc.), as well as business recovery and business continuity planning in case of disaster.
- Legal/regulative risks: regulations of the legislator and supervisory authorities which can vary over different locations or counterparts, thus creating uncertainties and risks.
- Business and cultural risks: the willingness to formally accept a higher degree of risk in order to benefit from a business opportunity, and the willingness to reflect this accordingly in the organisation’s senior management’s attitude and in the corporate culture.
Depending on the volatility of the security goals or of the analysed organisation and its activities, this analysis, if necessary separated into sub-activities, must be repeated and adapted cyclically.
Development of the Security Concept
In the next refinement step, it must be determined in which way which objects (systems, components, networks, data collections etc., as well as abstract objects such as processes and characteristics) are to be protected against which specified threats. In this step the respective "owners" of these objects (i.e. both IT and business units) must be involved, in order to achieve both a correct representation and as high an acceptance of the measures as possible. Additionally, corporate functions such as legal services, the compliance office, internal audit, continued education units etc. must be involved in the discussion and the decision process. However, it must be noted that the role of these units is increasingly limited to supplying a basis for decisions by senior management, and not to the mandatory sanctioning or forbidding of business processes and operations that are fully understood. The security concept, or the collection of information which details the concept, is substantially more volatile than the collection of the superordinate security goals. Contents must be adjusted whenever either the superordinate goals or substantial elements of the organisation are changed (changes in the business activity, mergers etc., or changes to the IT architecture, e.g. through outsourcing).
Realisation through a Security Organisation and Guidelines
The IT security organisation, which is responsible for the realisation of the security guidelines, consists of different elements, whose co-operation is essential for success. Members of the IT security organisation usually are:
- Overall Responsibility for Security on the Board of Directors: The principal functions of this position are maintaining a general overview, providing guidance concerning security methodology, and sanctioning the obligations and instruction rights of the security organisation. Additionally, this role is responsible for the harmonisation of IT security with general business policy, and for decision-making where middle management is not allowed (e.g. in case of budget overruns) or not able (in the sense of an escalation chain) to make these decisions.
- IT Security Officer: The major tasks of the IT security officer(s) are the planning and operational execution of the security process by defining standards and guidelines, execution of project and operations reviews, as well as special investigations, consultation and advisory services, granting/denying of security requests, assistance or guidance in case of security problems, as well as the general promotion of security consciousness by offering training courses and pro-active reports. An extension to these core functions is the observation of the security market concerning new technical solutions and products, the observation of relevant literature and online information sources, as well as keeping close contacts with other internal or external (standardisation / supervisory bodies, etc.) counterparts.
- Points of Contact in all Business Units as well as with Suppliers and Key Customers: These points of contact are involved as required in case of a security incident or in case of clarifications concerning IT security within projects or during procurement, installation, operation and maintenance of IT products. It is important to make the IT security officer the central point of contact, in order to avoid duplication of work or uncoordinated efforts.
- Line Management and Employees: These persons play a central role in an organisation-wide IT security concept, since they can act more or less security-conscious. It is little-known to many line managers and employees that they play such a crucial role, therefore the creation of awareness, as well as provision of training and consultation for these employees by the security organisation becomes an important success factor.
The described security process, the competencies and the instructions resulting from it must be fixed in writing, be formally accepted by the decision makers of the organisation and issued as binding guidelines. Typically the security goals are issued in form of general security guiding principles by management, while the IT organisation is responsible for all subordinated documents (usually a central IT security manual as well as subordinate technical documentation and collections of security-relevant material). All documents such as work instructions, check lists, decisions etc. intended for daily work, as well as material required for training purposes should be accessible to all employees in electronic form - if necessary protected by selective access rights.
Integration of IT Security into Quality Management
Supervising the observance of instructions and regulations concerning IT security hardly differs in principle from supervising the adherence to other regulations (see e.g.  for the application of quality assurance methods to IT security). If a quality management system is already in use in the organisation, it is beneficial to merge the supervision and improvement of IT security with the existing quality assurance measures and testing methods (e.g. by guidance during project phases, provision of phase reports with co-ordinated checkpoints, and IT security check lists etc. for projects and procurements). If quality circles, review boards or other quality assessment bodies exist which are charged with supervising the further development of the IT strategy or IT architecture, IT security should be integrated into these activities as well.
Measures for Continuous Supervision and Improvement
IT security measures must be adapted constantly to innovations and to changed interior and exterior conditions. A security methodology becomes outdated as quickly as the IT base it is meant to protect. The permanent improvement and updating of methods as well as tools is thus a substantial part of a well-defined IT security process. It is the role of the IT security organisation to continuously carry out this self-check and self-improvement; however, this process must be accompanied by cyclic external examination of the security organisation and its documentation (e.g. by external audits or other external specialists). Additionally, improvement suggestions from employees and management play a substantial role, as does constant updating to "best business practice" and constant comparison with competing organisations in the market.
By intention, this paper has given a rather gloomy view of IT security - while many dedicated individuals struggle to maintain what they assume to be the optimum between security requirements and business opportunities, a large number of problems and pitfalls currently hinders the development of a common understanding of what IT security can do, and what it can’t do.
To this end, this paper has tried to outline elements of an IT security framework and their interdependencies, as the basis for discussion in organisations striving to adhere to the stringent security standards which will be expected from customers and counterparts alike in the near future.
 C. Kaufman et al., Network Security, Prentice Hall, Englewood Cliffs, 1995
 W. Stallings, Network and Internetwork Security, Prentice Hall, Englewood Cliffs, 1995
 W. Diffie, M. E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, No. 6 (1976), 644 – 654
 Deutsches Bundesamt für Sicherheit in der Informationstechnik – IT Grundschutzhandbuch: http://www.bsi.bund.de
 ISO/IEC 13335 – Information Technology – Security Techniques – Guidelines for the Management of IT Security (GMITS)
 ISO/IEC 15443 – Information Technology – Security Techniques – Security Evaluation Criteria – A Framework for Information Technology Security Assurance
Study of Computer Science at the Technical University Berlin 1982 - 1986. 1984 involved in the startup of Telematic Services Ltd (TELES) in Berlin.
1989 PhD thesis on computer-supported co-operative work in the Communication Systems Group at ETH Zurich. Participation in the set-up of the Swiss academic and research network SWITCH, as well as in national and international committees and advisory groups.
From 1989 to 1994 research group leader at the Computer Engineering and Networks Lab of ETH Zurich. 1994 Habilitation (senior lecturer's degree). Various teaching, research, and publication activities in the areas of communication, IT security, distributed systems and operating systems. Participation in international research activities and EU working groups, co-editor of the ACM/IEEE Transactions on Networking.
Between 1994 and 1996 employed by the Swiss academic and research network as head of IT security (SWITCH-CERT). Continued teaching and publication activities and consulting mandates concerning networking and IT security issues.
Since mid 1996 Vice President, and since 1999 First Vice President of Bank Julius Baer & Co. Ltd in Zurich and head of the IT security and quality assurance unit - also responsible for IT architecture and IT strategy aspects of the bank.