Top security pros talk about what's really worrying them
Dear Vorticians,
A couple of weeks back, I had the pleasure of moderating a roundtable discussion among chief information security officers (CISOs) that was organized by the Institute for Information Infrastructure Protection (I3P), which is a consortium of universities, research labs and other organizations working toward securing the nation's information infrastructure, as you may have guessed from the name. These CISOs, representing many of the country's biggest manufacturers, retailers and financial institutions, among other industry segments, were an engaged and engaging lot, giving me more to think about that day than I've learned in quite some time. (I can't reveal the names of the participants, for some obvious reasons.)
Perhaps the most important thing that I learned is that we in the media - and I think probably too many folks in the security business - talk too much about specific threats, such as the latest worms and viruses, and too little about the organizational, financial, political and human issues that shape the security landscape today. This group spent virtually no time discussing the latest attack or worm, but rather laid out a complex set of challenges with which they are wrestling and for which they need more help.
Among those challenges, in no particular order:
* Embracing a risk-centric approach to security - which means, how do we get better at real risk assessment? What should we be protecting? How is it threatened (not just by viruses but by geopolitical problems, employee behavior, etc.) and how do we then determine appropriate investment levels?
* How do we go beyond being reactive to adopt a proactive security stance? How can we build our systems and defenses so that they withstand even unknown attacks?
* How do we deal with tight funding and how do we "sell" the value of security to senior management? Many shops have seen reductions in overall IT spending which, no surprise, squeezes overall security spending.
* What is the right organizational structure for a secure organization? Almost all of the companies represented had changed their security structures in the past year, and they expect to morph again as regulations and laws force changes in their work and as the threat landscape changes. Most of these CISOs now report to CIOs, which they feel is a positive change (as opposed to reporting to infrastructure teams).
* Regulation and legal developments are a nightmare. Most feel that the efforts that are being undertaken at the state and the federal level are fundamentally flawed. They cause these businesses huge amounts of work while providing little new security. How do they get better as companies, as industry sectors and across the board at influencing legislation and regulation before it is too late?
* How do they create a culture of security that cuts from senior management on down through the company? What training, policies and penalties need to be implemented? According to the folks in the room, middle management seems to be the hardest to deal with. It's most difficult to get attention from these executives and to win any commitment to supporting security initiatives.
* Mobile devices. Companies are being flooded with increasingly intelligent mobile devices and they need to manage and control them better.
* There was tremendous concern about the loss of intellectual property through the increased use of mobile devices, inter-enterprise dealings with business partners and outsourcing, among other things. These leaders are struggling to assess what knowledge and information is flowing out the door.
* Metrics. What are other people spending? What should you be measuring in your company to know whether you are really secure?
* Hiring challenges. There was real angst about not being able to find security skills, particularly people with any sense of business whatsoever. This was an across-the-board, deep concern.
* Not nearly enough investment in internal security. Too many of our security resources are focused on preventing intruders from getting in, but many of the real threats are already within and doing lots of damage.
Quite a plateful of worries, no? As you can imagine, one thing that was not a great concern was job security. These folks will be very busy for a very long time.
That's it for now. Thanks for reading.