Opening Remarks by Mr. Stephen Mak, Deputy Government Chief Information Officer, at the InfoSecurity Summit 2009
6 May 2009
Distinguished Speakers, Ladies and Gentlemen,
Good morning! I am honoured to welcome you all to this InfoSecurity Summit 2009.
The theme of today is “The Future of Security - The Strategy of Now”. Over the weekend, I was mulling over what to talk about on this topic, and it dawned on me that one can really read a lot into these few simple words. I started doodling a few combinations, all of which I find plausible and inspiring. For example, “Your Future Now Depends on Your Security Strategy”, or “By Now Security Affects All Your Future Strategies”, or a more down-to-earth one, as I suspect the organizers have in mind, “If You Don’t Have a Security Strategy By Now, You Don’t Have a Future”. In fact, this last one prompted me to search the Internet, and I found that the term “Information Security” yielded more than 170 million references. Likewise, the term “Identity Theft” resulted in another 62 million. All these provided the cues for me to come up with three main points that I would like to share with you to start off the Summit today.
First, why do we care about having an information security strategy?
There is a whole range of well-researched materials that cover this question comprehensively, from governments to policy makers, to leaders of businesses, practitioners and general users, and I will not attempt to repeat them here. But I would like to highlight a few observations that may be relevant to our programme today. Over the past 20 to 30 years, changes in technologies, industry landscape, market dynamics, innovations in usage and user behaviours have meant that information security, or more specifically information security risks, have taken on new manifestations and call for very different approaches to averting them. Borrowing the OSI 7-Layer Architecture Model, security risks have alternated between the Transport Layer all the way up to the Application Layer and back, and there seems to be no stopping. Today, just about any electronic business proposal will be met with questions like “Is it safe?” and “Who is responsible for the security and checks and balances?” The technical and procedural complexities in ensuring authenticity, confidentiality, integrity and non-repudiation in electronic payments, sharing of health data and personal data privacy are not difficult to visualize. As if these were not enough, the industry and technology innovators have been trying their best to provide ‘solutions’ to address one or more of the security issues based intuitively on the OSI 7-Layer Model and the TCP/IP equivalents. I therefore submit that we need a robust information security strategy that can address and mitigate all relevant risks while at the same time providing support for the business objectives – one that is adaptable and can survive the evolving security challenges and technology changes. As I look at the programme of today, I notice some rich content and panel discussion topics being lined up, such as Redefining Information Security, Best Practices in Information Protection, and Risk Management.
Second, we will benefit from having or adopting relevant Standards and ensuring Interoperability.
Information security requires the prudent use of technologies, management of business processes, and good practices of the people handling the information. With the fast advancement of technologies and the wider use of the Internet for communications and in business, information security has become one of the key management issues in any organization nowadays in view of the associated security threats that also grow at a similar pace. This is backed by statistics reported by the Information Commissioner’s Office (ICO) in the UK in February this year that "Data breaches jumped by 36 per cent last year. Personal information is now lost - on average - more than once a day."
Information security is more than just the technical issues. It is an integral part of the business process and management practice in the organization. Top management is responsible for establishing and overseeing implementation of the security policies to protect valuable information assets.
Earlier, I mentioned the changes in combinations of hardware, software and solution architectures over the past few decades as a result of innovation and market changes. One of the unintended effects of these changes is that the notion of information security, and responsibility for it, has shuttled among different players in the whole value chain. Unfortunately, in the process, some security considerations or implementations may be lost, incompatible, or simply ignored from one generation of solutions to another. While ‘back-doors’ and ‘patches’ were meant for systems programmers in the past, today we expect the average lay user to be up to date with just about all the major vulnerabilities to make sure their systems and data stay intact. Put another way, the amount of technology and technical intricacy being managed in a highly configured home network nowadays would be no less complicated than a typical data centre just a few decades ago.
With the growing use of distributed systems and the Internet, people’s attention has been extended to address new exposures by implementing firewalls or identity management mechanisms to protect internal networks from external threats, e.g. unauthorized access to sensitive corporate databases. However, if the security strategy remains mainly a reactive protection approach or if risk assessment and business continuity planning are not taken seriously, those organizations may have to pay dearly in order to recover from the security incidents.
Nowadays, data breaches due to unauthorised access and improper use are growing fast. Many of these problems can, to a large extent, be prevented and detected if an appropriate security strategy is in place with the support of the relevant technologies.
As we speak, the industry is pursuing yet another major change that may have even wider implications on the landscape and market dynamics as experienced by the typical user or organization. The promise of “Cloud Computing” literally cuts across all layers of the OSI Model and causes a rethink, or at least a repositioning, of all relevant information security considerations and implementations. This change, when overlaid onto industry-specific governance and compliance requirements and standards such as Payment Card Industry (PCI), HL7 and Electronic Health Record sharing, and Electronic Business Reporting standards, will give rise to new challenges for both the industry and users.
I therefore submit that Standards and their compliance, and Interoperability among systems, subsystems, and commercial off-the-shelf services, are critically important to information security strategies for now and the future. Needless to say, these in turn call for serious consideration of protection of investments, cost of compliance and usability. I am pleased to observe again that today’s programme covers topics on compliance, health record sharing infrastructure and interoperability pretty comprehensively.
My third and last point relates to Sustainability of our Information Security Strategy.
Hong Kong can pride itself in being one of the leading economies to have put in place the legal framework to support secure, electronic transactions. We have also made an early effort in establishing a Public Key Infrastructure, including the Voluntary Scheme for Recognized Certification Authorities, to facilitate secure electronic business between citizens and enterprises with the Government, and among the general community. We have explicit legislation to protect the privacy of personal data, and guard against the misuse of unsolicited electronic messages. All these, together with other existing legislation applicable to computer-related crime, will continue to provide a good basis for us to develop and enhance our information security strategies.
To formulate and sustain an effective security strategy, an organization has to conduct security risk assessment and privacy impact assessment to identify the relevant security risks and determine the corresponding security policies, measures and controls to deal with them. Within the HKSAR government, we have made these standard requirements for any major or mission-critical e-business initiative. In the specific area of authentication, we have also implemented an Electronic Authentication Framework for bureaux and departments to assist them in determining appropriate and customer-friendly approaches to identity management, authentication and the need for encryption. The framework and relevant guidelines are also available from our website for public reference.
While I will not try to give a tutorial on how to make a good information security strategy, I can share five salient points with you about building information security strategies:
1 - Recognizing that security is not generic
Some information systems and assets are more critical and valuable than others and resources should be expended to protect them according to their levels of importance.
2 - Taking an information lifecycle approach to data protection
The strategy should be able to protect data in a comprehensive way. The focus should be on the process of managing the data lifecycle, starting from classification and ending with disposal. Data disposal is one area whose importance many organizations neglect or downplay.
Let me give you an example. In May 2008, an Oklahoma City citizen bought a used server at an auction and discovered more than 5,000 Social Security numbers and related personal data stored on the server. Apparently, the data had not been erased before disposal. The question is, in a cloud computing environment, will secure erasure of data be a new angle to be considered in the strategy?
3 - Accepting changing technology paradigms while guarding privacy and confidentiality
Security measures should be adaptable to the changing technological and economic environments. Social networks, blogs, and other Web 2.0+ technologies such as wikis are great for collaboration, communication and connecting with others, but they also induce risks to data privacy. While organisations embrace Web 2.0 into their business processes, they should adapt their security strategy in accordance with the associated risks.
4 - Focusing most resources on prevention
The security strategy should cater for the prevention, detection, response and recovery of the information systems and assets. Prevention is the first line of defense and in most cases the most cost-effective approach.
5 - Providing security awareness and training to all users
A security strategy relies on people to implement and support it. Hence, there should be adequate provision for user security awareness and training so as to equip them to fulfil their roles in information security. It is crucial that all staff have the right mindset and adopt a working culture that respects data protection in order to face the ever-changing security challenges.
Ladies and gentlemen, I’m sure you are eager to get on with the rich programme lined up for you. Before I close, I should just like to share two quotations with you, and they are both by Bruce Schneier, a guru on information security and expert cryptographer. He said –
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
"The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together."
I would like to congratulate the organizers for having assembled such a distinguished line-up of speakers and panelists, and wish you all a very fruitful event. For our overseas speakers and participants, I wish you a safe and enjoyable stay in Hong Kong.
Thank you.
- ENDS -
2003 © | Important notices | Privacy Policy | Last review date : 30 September 2009