TORONTO — IT middlemen have to demand more from their users and the vendors that supply their products in order to get a handle on security issues, according to the Bank of Montreal’s chief information security officer.
Robert Garigue spoke recently about the challenges of keeping up with security, along with representatives from Microsoft Canada and McAfee Canada, at a security forum held here.
The problem, he said, is one of communication as much as it is of troubleshooting security flaws and managing patches.
“It’s really a change of lifestyle,” he said. “It’s a literacy issue. Do you need to have a driver’s licence to own a PC? Are we going to get to that in the next generation?”
Garigue said that BMO doesn’t use the term PC (as in personal computers), preferring “corporate computers” to stress that the machines employees use are the property of the bank and are to be used sensibly.
It’s a matter of communicating that to users and inculcating the importance of security protocols, he said. He described the relationship between corporation and user as a “social contract” — one where the expectation is responsible use of technology at all levels. “From the consumer to the mainframe, there has to be an alignment of trust mechanisms,” he said.
He likened it to the PIN number associated with a bank card. It’s understood that the number is important and that it’s the user’s job to protect it.
The difficulty remains, however, in effectively getting this message out because you can’t have the techies, “the geeks in the basement,” talking to users because they aren’t effective communicators, Garigue said.
But accountability also flows up to the vendors that supply the products in the first place.
According to Jack Sebbag, general manager of McAfee Canada, there were 29 high- to medium-risk viruses recognized in 2002-2003. In the first seven months of this year, there were 39.
“The forecast of the second half of this year is that this will continue,” said Sebbag.
John Weigelt, Microsoft Canada’s chief security advisor, likened the problem to “an escalating arms race. The trick is to try to change the rules of the game.”
One way to do that is to recognize patterns in various viruses, worms and trojans and develop fixes for them before they are allowed to proliferate.
McAfee has a division called the Anti-virus Emergency Response Team (AVERT) that has been in existence for years, while Microsoft’s initiative, Trustworthy Computing, was born in 2002.
Microsoft has attempted to respond to security threats, but hasn’t always been successful in delivering those responses to users. The problem, said Carol Terentiak, security strategy and response manager for Microsoft Canada, is often one of communication.
“With (the Blaster virus), we had the patch in place, but nobody knew about it,” she said, adding that Microsoft has since made efforts to improve communication with its users.