4/12/2007
06:20 PM

7 Security Myths Busted

In the coming weeks, expect to see several stories in InformationWeek and at InformationWeek.com that explain and analyze the role that a chief information security officer has come to play within companies. This coverage will include profiles of some of the industry's leading security chiefs who share their experiences, expertise, and frustrations while protecting corporate and customer data in an increasingly hostile environment. For now, let's clear up some of the misconceptions that have evolved around security and the role of CISO.

For the sake of simplicity (in this blog, anyway), I use "CISO" to mean director of information security, chief information protection officer, and any other professional whose primary responsibilities are developing and implementing a security strategy to protect their company's data, networks, and systems from attacks (both internal and external) that can result in the loss of data, outages, and/or regulatory violations. You know who you are.

1) Chief information security officers are glorified auditors or risk managers. Yeah, so what's your point? True, CISOs are often charged with helping their companies comply with various government and industry regulations (HIPAA, SOX, PCI, etc.) that could end up costing hundreds of thousands of dollars in fines if those regs are violated. And one of the CISO's greatest responsibilities is making sure their companies aren't placing themselves at risk of having employee or customer data spilled onto the Web's black market for personal information, whether from malicious cyber attacks, lost/stolen laptops laden with company data, or insiders who exceed their access privileges. If that's not enough, some security chiefs sit on their companies' IT employment diversity councils (such as Cigna's Craig Shumard) or work with industry boards such as the Data Link Security Subcommittee to help design the next generation of aircraft (as Continental's Andre Gold does).

To properly manage all of the responsibilities of a CISO, both within a company and in dealing with regulators and customers, "you have to have a slight case of ADHD (Attention Deficit Hyperactivity Disorder)," says Michael Barrett, PayPal's chief information security officer.

2) It's all about the technology. Not necessarily. "We have a paper shredding policy, but an individual can circumvent that by bringing home a piece of paper and throwing it away in their trash," Cigna's Shumard says. "There's no technology to that." Half of Cigna's information protection policies don't address technology controls because the information isn't digital. That's where security awareness among employees comes into play. "We're only as strong as our weakest link, and the weakest link is the person who doesn't know what they're doing," he adds.

Says PayPal's Barrett, "Eighty percent of the effect is in fact psychological. You tell people that you're monitoring even before you implement the technology."

3) Security spending is a bottomless pit because CISOs are chasing a goal that they can never reach. Don't equate strong security with emerging and often complicated technologies, network access control being one that comes to mind. "Good security doesn't necessarily cost more money," Cigna's Shumard says. "Maintaining good health on your desktops is just plain cost effective and it provides good security."

Of course, it's unrealistic to think that any CISO can drive their company's level of risk to zero. Instead, PayPal's Barrett says, a CISO must know how to identify risks and prioritize resources. "And you have to be able to revise the plan as you go along," he adds.

4) Endpoint security should be every company's top priority. A priority, sure, especially given all of the high-profile laptop thefts that have cost organizations lots of money and caused much embarrassment. But today's security concerns shouldn't obscure preparation for new threats. "The browser is really the way people experience the Internet," says Mozilla's chief security something-or-other Window Snyder (I'm not making that up; that's her real title). "It's an incredibly powerful vehicle for changing the way people interact with information, but it's also a primary vector for attack."

5) Vendors will lead the way in mitigating security threats through innovative new products. Let's fix the problems that exist today before we introduce new ones. "I don't encourage vendors to be more innovative, I encourage them to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up," says AT&T senior VP and chief security officer Ed Amoroso. "You figure out why the building is crumbling." Companies don't need more innovation, "we need more sanity to recognize that we've got vulnerabilities in our software and systems that are so complicated that you have no clue how people get in or don't get in," he adds.

6) The threat landscape changes too quickly to keep up. Hogwash, says PayPal's Barrett. "People could see phishing coming, but they seemed surprised anyway. If you do your crystal ball gazing appropriately, things won't sneak up on you," he says.

7) Every company needs a CISO. Not necessarily. "Organizations first and foremost have to be serious about information risk management before elevating security to the role where you have a CISO or director of information security," Continental's Gold says.
