- Bank Web sites full of security holes
- SCO Group: Its future is all used up
- Maligned feature being added to IPv6
- I returned my iPhone 3G after six days!
- VPNs: Six burning questions
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Security has to evolve into something that supports business, rather than the other way around, according to Lisa R. Young, senior member of the technical staff at Carnegie Mellon University's Computer Emergency Response Team.
Security has gotten a bad rap in today's enterprises, said Young, in Stockholm to speak at the European Computer Audit, Control and Security Conference.
The tendency is to want to start locking things down, so security is something that disables, not enables, business, according to Young.
It's still an area where boxes and technology rule, she said.
"Solving your security problems by buying another box is just wishful thinking. But security is bigger than that," Young said.
"As security managers it's up to us to elevate the profession, and include both people, processes, not just technology," she said.
Today, security processes are often not mapped to business processes
"People just haven't thought of security as a discipline that can be measured, managed and mapped. It's a new way of looking at it," Young said.
Security requirements have to spring from business-process needs, she stressed. "Requirements should be driven by owners of business processes, not the caretakers of technology," Young said.
For companies that learn to evolve, rewards are plentiful.
To simplify efforts to make changes to security strategy, Young's development team at CERT has developed the Resiliency Engineering Framework (REF), which was launched last year.
It doesn't compete with other frameworks, such as ITIL. REF identifies enterprisewide processes for managing operational resiliency -- including everything from training to compliance management -- and provides a structure from which an organization can start to improve.
"You can reduce cost, eliminate duplicate efforts and improve compliance efforts, for example," Young said.
Rss FeedRss Feed
14 years ago, I dealt with somebody like Childs. I was the new manager and the veteran techie knew it...- Anonymous
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comments (1)
SecurityBy Anonymous on March 11, 2008, 8:45 amExcellent description of how security in all aspects should be handled. Our company works with paper documents attacked by counterfeiting and the same tactic holds...
Reply | Read entire comment
View all comments