Put your trust in people

Stuart Okin: Security and trustworthy computing are as much about skills and training as technology, says Microsoft UK's chief security officer

According to research company IDC, security hardware and software expenditure in Europe will reach $6.2bn in 2005, with e-business a key driver. This is as it should be. After all, if e-business and Web services built on open standards are to fulfil their potential, they must be based on trustworthy computing solutions that inspire confidence in users. Web services in particular are built on openness, which itself is built on trust. This does not imply blind faith and nor does the development of Web services built on open standards. Trust is built through assessment, auditing and accreditation. All these things provide users with independent endorsement of a service and 'proof' of its trustworthiness.

People and skills
So it is great that businesses are focused on securing their systems, and putting in place the right technology is certainly a step in the right direction. But it is only part of the solution. In the end, trust is not something that can be bought and security is an issue that goes beyond technology. To a large extent, security is about people and the way they use technology. It is about ensuring that developers build security into every feature, administrators set up and use systems with security as a priority and users understand the security implications of their actions. It comes down to skills and experience. Once businesses have invested in technology, whether it is specialist security technology or not, they must invest in skills and training. Everyone from developers and IT staff to business users must be equipped with the skills they need in order to approach technology solutions with security front of mind, and this is all about forward planning. It's all very well having the best security processes in place, but without the right training, loopholes will appear. For example, implementing proper security precautions such as well-thought-out passwords and usernames is important, but if users leave their machines unlocked while at lunch, well, that's not very secure.

Think ahead
It is very rare for a business to develop any kind of technology solution without going through a detailed planning and testing process. This is especially true for e-business and Web services built on open standards solutions. However, if businesses are to build trustworthy solutions they must make security and skills a central element of solutions planning, in terms of both development and management. There is a good reason for this. There simply are not enough skilled IT professionals to go around, and the problem is particularly acute when it comes to security skills. IDC says that the networking skills shortage will leave European businesses 500,000 workers short by 2004. Meanwhile, end user organisations are suffering from a 50-60 percent shortage of security skills. The implication for IT directors is clear. If businesses fail to maintain the skills of all their staff, with a particular focus on security, there is no guarantee that they will be able to bring in experts when they are needed. Quite simply, if IT directors ignore the role of skills in security and the importance of skills development within the organisation, they are putting the business on the line. After all, there are no second chances, especially in e-business and Web services built on open standards. If organisations lose the trust of their customers it is very difficult, if not impossible, to rebuild.

Skill up
The message is clear. When it comes to security, skills are critical. Businesses must always be looking ahead, to make sure that their people are equipped to deal with new threats as they happen. So what training is important? Of course, specialised security training is always going to be vital, but more general training is just as important. Trustworthy computing demands that every aspect of a solution is secure, so it is important to ensure that developers and users are up to speed with the security features of all the relevant technologies. For instance, Microsoft software and solutions, from .Net Servers to Microsoft Windows XP, include an array of advanced security features, so it pays to make sure that developers and users make full use of them. At the same time, we are putting security at the heart of many of our training courses, as a direct result of our ongoing focus on trustworthy computing. In particular, all Microsoft .Net technology and XML .Net Services training courses have a clear emphasis on security. They are designed to ensure that delegates leave with a clear understanding of the importance of security in these technologies, and the techniques they can employ to keep their systems secure.

Be ready
The shortage of skilled IT staff and the growth of Web services built on open standards bring the role of skills in security into sharp focus. In the scramble to exploit the business opportunities presented by Web services built on open standards, businesses should not fail to do the groundwork. IT directors must give even more attention to skills development and training if they are to develop genuinely trustworthy computing solutions that deliver return on investment for the business and peace of mind for customers.

