iSecurity Experts: New Name, Familiar Face, Services a Priority
June 30, 2009 Dan Burger
There’s a new security company specializing in helping IBM AS/400 shops deal with their security issues, but there’s no lack of experience in the services it will provide. Many of you know the name John Earl. After 20-some years in the business, he’s one of the AS/400 (iSeries, System i, and IBM i) community’s most familiar faces. He’s a noted speaker, author, and security expert. And now he’s running his own consulting business called iSecurity Experts.
Adding his name to your contact list might be a good idea if your company has been audited or is about to be. In the age of regulatory compliance, there’s plenty of auditing going on. Those affected by Sarbanes-Oxley, HIPAA, the Payment Card Industry Security Standards, and others know this as a fact. And those who are struggling to put together a solid security program that fits the requirements may need some help. Earl has been providing security advice his entire career, and he knows the ins and outs of regulatory compliance audits.
“Dealing with audits can be like going into the jungle without a guide for many companies,” Earl said last week on the phone. “If the IT staff at a company hasn’t done a bunch of security compliance work, and it goes in without a guide, it’s going to take longer and it’s going to take more money. If you go with someone who has been down the trails, it will be a much less ‘exciting’ adventure, but in this business, boredom is a good thing.”
After an audit takes place, a company needs to respond. Earl says he can help a company respond quickly, efficiently, and at the lowest cost.
Two organizations that he’s working with now both went through the auditing process recently and had problems that will need attention. Earl says their first question was “how do I solve this?”
My first question to Earl was: what are the ramifications of an audit that points out security issues?
“There are potential penalties, but they are not very likely,” he says. “It’s possible to fail an audit and be fined. But I haven’t seen that happen to any company, even though I wouldn’t be surprised to learn that it had.
“What is more likely to happen involves all kinds of pressure beyond fines. If you fail a Sarbanes-Oxley audit, you have to put a ‘material deficiency’ report in your quarterly 10K financial statement that is filed with the U.S. Securities and Exchange Commission. It would, for instance, say that auditors have come in and noticed that the AS/400 security was screwed up. That’s not something an organization wants to have on record.”
You can see why this might get the attention of some executives who otherwise wouldn’t be paying attention to AS/400 security. Having AS/400 security as an agenda item at an executive board meeting is a pretty bright spotlight. This type of increased visibility tends to make people in the IT department a little edgy.
“I think the biggest problem with security has been getting visibility high enough in the organization to devote resources to fix problems,” Earl says. “If you look at a small to mid-size company, the system manager, or the IT manager, may have been trying to solve a security problem for years, but was not getting budget approval. When that same issue hits the board, and they ask why haven’t you done it, and the answer is it costs $30,000, the board’s response is going to be ‘spend it! Get it off my plate! I don’t want this showing up in my 10K report. Solve the problem.’”
Not everyone is willing to wait until an audit has been done and the deficiencies have come to light. For those who prefer to prevent fires rather than having to put them out, iSecurity Experts offers a pre-audit service, which means Earl does some advance scouting to let the company know where it is going to have issues. He also works with the company to correct the issues before the auditors show up at the door.
Regardless of which regulatory mandate a company is wrestling with, Earl says the security framework for 90 percent of the compliance is found in two highly regarded standards: COBIT 4.1 and ISO 27002.
Creating and maintaining policies based on COBIT and ISO becomes the foundation of a secure system. Once the foundation is established, the individual requirements of specific regulatory compliance are relatively small pieces, he says.
Prior to forming the iSecurity Experts consulting firm, Earl was vice president and chief technology officer at PowerTech, a provider of security software and services for the AS/400 market. He’d been with PowerTech since 1998, when PowerTech purchased Earl’s start-up security software company called Lighthouse Software. In the early years of his career, he worked as a systems supervisor, information systems manager, and senior systems programmer. He’s had a long affiliation with the COMMON user group, and has served on that organization’s board of directors.
You can find out more about iSecurity Experts on its fledgling Web site, or you can contact Earl via e-mail at firstname.lastname@example.org or by phone at 206-669-3336. For those associated with the LinkedIn professional networking Web site, you’ll find John Earl and iSecurity Experts there, as well.