BMO's Marson: Information Security Demands Processes As Well As Tools

Chad Marson, BMO Capital Markets

"In the security space, there are tons of different vendors and it really is not about implementing a tool," Marson said. "You can have a tool that will essentially do anything, but what I'd like to propose is that it's not about the tool; it's about the associated processes involved with that tool. For example, it's no good to identify vulnerabilities on your systems if you have no method with which to remediate those vulnerabilities. You need to have people looking at those vulnerabilities, going out there and fixing them." The tools, in other words, can only do so much.

Marson said that a firm can go out and buy the very best-of-breed security tool for anti-virus protection or security-log management, but if the processes around information security are bespoke and unclear, that tool will not be used properly.

Users, Marson contended, have to gain a better understanding as to what the tools they are purchasing actually do. They need to think about the processes around how they're going to use that tool, and need to think about how that tool can mature.

The toughest aspect of information security (IS) is proactively identifying the emerging areas that will require attention. Because the audience in Toronto was largely composed of people in IT, and not necessarily security professionals like Marson, he said that IT should look to work closely with the security professionals at their firms, because these professionals tend to be a tight-knit bunch.

"Information security professionals are very close because our firms don't compete on security, so we talk to one another. You should ask your security professionals what they're concerned about," he said.


Marson said that it's key to first define your IS capabilities and then apply specific processes to all components of the firm's infrastructure, developing them to stretch across the various tiers and components of the organization.

"When you think about it this way, you can look at security in a different way. You can start to look at how you apply your IS capabilities across all your different tiers; this way you can pick a single capability and see how you're protected across all your different levels," he said. "Or, you can look at it the other way: you can take an individual component and figure out how you apply all your different security capabilities to that particular component.

"One of the fundamentals of information security is defense in depth, layered security," he continued. "By looking at it this way you can look at all the different protections you have in place for individual components and how those things might work together."

Finally, Marson said that these processes and tools, these capabilities, need to be able to mature over time as risks and threats change and evolve.

"It's very important to not only develop your IS capabilities and deploy them everywhere, but also mature them onto your riskiest systems," he said.
