CSI builds security peer group in Asia
Jeffrey Lim / Singapore
CSI, or Computer Security Institute, was formed in 1974 in the US to advocate
the critical importance of protecting information assets and providing education
in this area.
Today, with about 4,000 members, one quarter of whom reside outside the US,
it is the world's leading membership organisation specifically dedicated
to serving and training the information, computer and network security professional.
CSI Asia will be launched in Singapore and Beijing in October.
Robert Richardson, Editorial Director of CSI, talks about the work of CSI in
the changing landscape of information security.
How will having CSI Asia help IT security professionals here?
There are fewer security professionals in Asia. Their sense of IT security being
a profession is one that is growing and being developed, which was exactly the
case with CSI in the early years, and it was very valuable to professionals
in the US then to know who their peers were, and to be able to hook up with
them formally and informally.
That was a huge benefit that CSI offered, and still does, but in that growth
period it was enormously beneficial. When you do a job, you want to know what
others in the same job are doing, which is exactly what this kind of organisation
offers.
Plus, security is a field that is hard to stay on top of.
You've got a lot to learn, but because you get bombarded with lots of stuff,
you also need a filter. A continuing problem is all these little point sources
for security information - every magazine has its own little security feed
or page, every Web site has something on security - which is great but it
does not really tell you what you need to know. Coming from the editorial side
of CSI, that's what I believe I provide.
How can security professionals in Asia keep on top of things?
We focus on the idea that security is about process.
It's very easy to become trapped into worrying about the latest attacks,
but my advice is to carve out some time to educate your management about why
you need a plan, why you need an architecture, and why you need top-level policies
that deal with security. Top-level management does not need to have security
expertise, but it needs to have security awareness.
It is difficult to ask upper management for a huge budget for something that
it doesn't understand.
When you ask for a budget to address a problem like identity theft, management
doesn't need to know the details but it needs to understand that identity
theft is going to kill the company if it gets out of hand.
What are the three hottest topics discussed by your members in the last three
months?
Firstly, wireless. It is penetrating everywhere, and security here is a big
issue. Next, though it may not be of much interest in Asia, compliance to legislation.
Finally, issues with identity management are starting to pick up steam, taking
the place of intrusion detection systems (IDS). Everybody was talking about
IDS a few months ago, but I think most people have decided on whether they want
it or not, and are now moving on.
Identity management seems to be the big thing right now, from fundamental issues
like single sign-on to broader issues like certification.
This article first appeared in Asia Computer Weekly