David Bauer, first vice president and chief information security and privacy officer at Merrill Lynch, gave his audience a historical perspective on the evolution of IT security, starting with the Morris worm attack of 1988. That attack took the Internet by surprise, he said. There were no tools to fight back and no source of reliable information. Responses were uncoordinated, and the result was "complete havoc," Bauer said. He contrasted that with the Mydoom attack last month, when Merrill Lynch combined good tools with a coordinated and carefully planned response to understand and contain the threat after just one infection. That attack, he said, was "just another event." . . .
In IT security, emotional reactions, panic and legislation are counterproductive. But intelligent risk management can enable organizations to face an uncertain future optimistically.

That was the message from Merrill Lynch & Co.'s security chief to attendees at Computerworld's Premier 100 IT Leaders Conference here yesterday.

David Bauer, first vice president and chief information security and privacy officer at Merrill Lynch, gave his audience a historical perspective on the evolution of IT security, starting with the Morris worm attack of 1988. That attack took the Internet by surprise, he said. There were no tools to fight back and no source of reliable information. Responses were uncoordinated, and the result was "complete havoc," Bauer said.

He contrasted that with the Mydoom attack last month, when Merrill Lynch combined good tools with a coordinated and carefully planned response to understand and contain the threat after just one infection. That attack, he said, was "just another event."

"The difference between then and now is tremendous," Bauer said, "and preparation is the key." Preparation requires a focus on risk management, intelligence-driven prevention and response, security at the data-object level and a focus on both the corporation and the individual consumer of technology.

"It's easy to get somebody's password, so make the damage that can be done by an individual as small as possible," he said.

Bauer also suggested that, since IT security is fundamentally a technology problem, it should be handled within the IT operation.

Merrill Lynch's IT security strategy is built around strong organization; threat management, including intelligence, planning and instant response; comprehensive security services; attention to public policy, including active attempts to educate legislators; and agile response to the changing risk environment, he said.

A key component of that strategy is dynamic risk assessment. Using tools such as scanners, log analysis, risk metrics and asset inventory, Merrill Lynch's security group produces a biweekly security brief analyzing and prioritizing current threats. "That allows us to go from a circle-the-wagons approach to intelligent risk management," Bauer said.

The link for this article located at ComputerWorld is no longer available.