Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
A panel of security experts has offered differing perspectives on how best to address IT security risks within an organisation.
Representatives of Qantas and Woolworths believed that a risk-aware culture among management and staff would drive a strong internal IT security strategy.
"People are our greatest asset and they are also our greatest risk," said Qantas' security and building technologies manager Graham Joffe (pictured, right).
Joffe told attendees of CeBIT Australia's IT security conference in Sydney to lead by example and consider whether their behaviour enforced security concerns, standards compliance or mandatory behaviour.
When designing risk assessments, Joffe said IT staff needed to understand business objectives and should focus on the value of security - and not on "doomsday talk" - to secure funding.
Woolworths risk manager Peter Cooper said the retail giant used publicised outages like those at Virgin Blue and the National Australia Bank to illustrate risks.
"You pick something out of the press that people relate to," he suggested. "We try and stay topical, we try and get out and about an awful lot."
Cooper placed great importance in communication and training initiatives for Woolworth's 180,000 staff.
But Richard Stiennon, founder of US research firm IT-Harvest, preferred to rely on technology instead of people.
"Security awareness doesn't stay ... training is not going to last and you'd have to do it continuously," he said, calling for the implementation of "stronger systems" instead.
Stiennon highlighted social engineering as one security risk that may be more effectively mitigated by alternative processes and technologies than by staff training.
At US security conference DEFCON in August, a representative of Australian consultancy Securus Global was able to elicit enough information from a call centre operator to "wreak havoc" on a Fortune 500 company's systems.
Stiennon suggested that an organisation in which passwords were easily obtainable from a receptionist may be better served with alternate, non-password authentication systems.
"You can't train everyone not to succumb for social engineering," he said. "Find a technological solution that avoids the social engineering."
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.