CSO - I recently chaired a panel on cyberthreats for a local business council. I had great panelists giving details on very sophisticated attacks found in the results of their company's threat reports, along with words from NIST on the security framework effort triggered by President Obama's Executive Order. Advanced persistent threats (APTs) and the Executive Order were dominating the headlines but when I opened it up for questions, most of the audience questions were not about the threats discussed, they were along the lines of "OK, that's nice -- but what solutions have you seen that worked against these things, and how do we convince management they need to fund us to do something?"
What struck me was that the audience had a very CEO-like response. While the security community continually clings to the belief that management just doesn't understand cyber threats or risk, the reality is that most CEOs have been bombarded with apocalyptic cyberthreat reports from business and mainstream media -- and from their own security teams. Most really do weigh those risks, using the same formal or informal thinking they use to judge the risk of investing in a new product, or doing a merger or acquisition. The real leaps forward in business are not made by convincing management about threats or risk; they are made by showing management solutions to the problems that are less disruptive and less expensive to the business than doing nothing.
Don't worry, I'm not going to head down the "return on investment" rat-hole. If you look at the reality of how CEOs or venture capitalists make investment decisions, you find that most of them realize ROI or future sales/revenue projections are about as accurate as weather forecasts -- slightly better than flipping a coin. Successful business leaders usually make their decisions based on the quality and track record of the team that will run the business, and on their judgment of opportunity costs: if I spend the money here, how will that disrupt my business by depriving some other area of business or investment of funding?
That captures where we are today in security: we don't need to keep flogging the threat, we need to be able to demonstrate solutions that work, that don't disrupt the business, and that don't simply propose to keep smashing into the same walls while wearing more padding in the future. To a CEO, slowing down the business so it hurts less when bad things happen is riskier than doing nothing. What is needed from security is less "It hurts when we do this" and more "Instead of doing this, we are going to do that."
- BYOD solutions that propose "back to the mainframe" approaches, like making users use dumb-terminal apps or a total lockdown of their smartphones or tablets.
- The US Government trying to force government employees to use smart cards (remember those?) for authentication on mobile devices.