IT Security: Solutions or snakeoil? (22 April 2008)

Security has secrecy, special practices and know-how wired into its make-up, so how do we know that the people proposing security solutions and purporting to be experts in the subject know what they are doing? Who sets the security rules for new regulations like Sarbanes-Oxley (SOX)? Would you fly in an aircraft with avionics that had been security reviewed by someone who had learnt about IT security from a book? Would ‘Information Security for Dummies’ allow you to bluff your way through job interviews and pass multiple-choice security examinations? Isn’t security engineering just common sense, and shouldn’t it be treated as just an attribute of mainstream IT? Shouldn’t we stop dividing up the IT industry into specialist sub-domains, or is security special in some way? Getting security right has certainly become a significant issue, with the very infrastructure of countries dependent on IT security. So what does make a good security professional, and how can you separate them from those who would just sell you snake oil?

Dr Paul Dorey

Paul Dorey has been working in IT security for 20 years and has had the advantage of seeing many security threats emerge in their infancy. Twenty years ago was before we saw virus issues, before the Internet and firewalls, before true PC security. He is currently Chief Information Security Officer with BP PLC, where he is functional head of all aspects of IT security, including process plant systems and information protection and privacy in the oil & gas company. He was selected as Chairman of the new Institute of Information Security Professionals (IISP) and also sits on the Permanent Stakeholders Group of the European Network Information Security Agency (ENISA). He was also a founder of the Jericho Forum. In his security role he has done security consultancy for governments and worked for energy utilities and major financial services companies, being the first Operational Risk Director for Barclays PLC.