
New risks, roles for security professionals


Robert Scheier
04.24.2002




We may be coming out of the downturn, but in many industries -- such as information technology, travel and manufacturing -- every dollar of revenue and expense is crucial and will be for some time. That means that more than ever, security managers need to think like business people.

I've recently come across two examples of this new thinking. The first is the use of access control software not only to protect data, but also to make sure new employees have phones, computers and security badges their first day on the job. The second is the need to learn not only about the mechanics of Web-based security, but also to identify the movers and shakers who set the key security standards in your industry.

Example one comes from Mike Hager, vice president of network and disaster recovery at Oppenheimer Funds. I was asking him which tools he used to "provision" his users with the proper access rights to corporate data. But Mike was thinking about wider issues. Just as a vice president and an accounts payable clerk get access to different types of corporate data, he figured, they also get different types of phone service, computers or other gear such as cell phones. The common link: Both their access rights and the physical gear they were issued depended on their responsibilities and job title. Why not combine the "provisioning" of access rights with the "provisioning" of phones and security badges?

Hager is using the provisioning agents in enRole from Access 360 to not only grant new employees the proper access to applications and systems, but also to alert the IT support and telecom staffs about the new employee's needs. Right now, the automation is fairly low-level, in that Access 360 can only fire off an e-mail to the telecom manager rather than automatically reprogram the PBX to issue the new employee an extension. But Hager hopes to further automate the process to save his employer time and money.

The second example of new thinking is about how to secure Web services, the emerging standards-based method for linking applications over the Web. One of the promises of Web services is that they make it easier to cut costs by giving customers, suppliers and distributors access to your production and sales forecasts. But as soon as you deploy Web services outside the firewall, you're trusting your business partners to hand out (and take back) the digital certificates that identify the sender or recipient of the message and encrypt and decrypt their messages. If you're a subcontractor designing parts for Boeing or GM, you're depending on those giant customers to confirm the identity of their users and cancel their certificates if needed.

To manage these risks, security managers must think not only about technology but also about the "trust relationships" within their industry, says Benjamin Renaud, a director within the office of the chief technology officer at BEA Systems Inc. Which business partners does your employer trust, and how much does it trust them? What legal safeguards should you build into contracts to protect you from a sloppy business partner passing you bogus certificates? And if you're a 50-person company doing business with a Fortune 500 firm, how do you force that 500-pound gorilla to agree to such indemnification?

To answer such questions, security managers must understand the strategies of key online trading networks, consortia and key suppliers and customers within their industry. Is there a dominant customer or alliance of customers whose direction you should follow because they are setting key legal or technical security standards? Are there trade groups you should join because they are drawing up key legislation or legal standards in your vertical market? Are there any changes in your relationship with key customers that would give you more, or less, leverage to protect your security interests in a Web services world?

These are the new questions, and the answers can help you as a security manager boost the bottom line even in a downturn.

About the author
Robert L. Scheier writes Scheier's Security Product Roundup from Boylston, Mass. He can be reached at rscheier@charter.net.


All Rights Reserved, Copyright 2003 - 2009, TechTarget