Are security pros worrying about the right stuff?

Worms are scary, but experts say personnel issues should get more attention

This is the first in a series of stories that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.

“As a rule, men worry more about what they can’t see than what they can."
Julius Caesar

“Security decisions are almost never made for security reasons"
Bruce Schneier

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

This is the first in a series of stories that will be addressed at the Security Standard event scheduled for Sept. 10-11 in Chicago.

“As a rule, men worry more about what they can’t see than what they can."
Julius Caesar

“Security decisions are almost never made for security reasons"
Bruce Schneier

Worrying almost seems to define the job of the CSO and CISO. The security chief is the corporate standard bearer for risk management in a world fraught with technical and human error, with hackers potentially lurking within and without.

Slideshow: A summary of the latest research on security management structures, buying trends and more

When asked what they worry about, CSOs and CISOs cite regulatory compliance and security controls overlooked in IT projects. Some acknowledge a general angst that simply boils down to the great unknown of system-wide chaos.

But are security pros worrying about the right things? When asked this, many independent observers — former CSOs or consultants working with CSOs — offer a different perspective. They think security pros need to worry more about retaining the best staff and should be careful not to become too consumed with regulatory compliance.

What has security pros worried?

Michael Barrett, CISO at eBay money-transfer service PayPal, says there is always an undercurrent of panic in the event that something blows up. “Most data centers are held together by sheer heroic effort," he says.

When Microsoft discloses software vulnerabilities, as it typically does every first Tuesday of the month, “We’re scurrying about to get patched, and I worry: What will the bad guys do before we patch everything?" Barrett notes.

Because PayPal is a global company, Barrett says he worries whether the company has the right interpretation on legislation and regulation related to data privacy around the world and the right controls in place.

His long-range concerns have him asking questions such as: In terms of stopping criminals and attackers, do we have the right investment mix and the right set of projects? Are new threats coming up that we need to re-balance that portfolio?

On occasion, Barrett’s concern is like an existential philosophy for preempting potential catastrophes. “What are we going to be worried about if we don’t worry about it?" he notes.

Such worries abound. Adam Hansen, the IT security chief at Sonnenschein Nath & Rosenthal in Chicago, says his main worry is data privacy and the possibility of a data breach.

“I may see something that makes me uneasy," Hansen says. “Or others may come and question me and say, 'let’s look into it.’" When that occurs, Hansen will seek out the corporation’s legal counsel for expert advice before any kind of inquiry. This kind of worry is “part of the security culture," Hansen adds.

At motion-picture processing and games-manufacturing studio Technicolor in Camarillo, Calif., whose clients include DreamWorks SKG, Sony Pictures Entertainment and Paramount, the top worry is attackers who might steal the entertainment content.