06:20 PM

7 Security Myths Busted

In the coming weeks, expect to see several stories in InformationWeek and at InformationWeek.com that explain and analyze the role that a chief information security officer has come to play within companies. This coverage will include profiles of some of the industry's leading security chiefs who share their experiences, expertise, and frustrations while protecting corporate and customer data in an increasingly hostile environment. For now, let's clear up some of the misconceptions that have evolved around security and the role of CISO.

For the sake of simplicity (in this blog, anyway), I use "CISO" to mean director of information security, chief information protection officer, and any other professional whose primary responsibilities are developing and implementing a security strategy to protect their company's data, networks, and systems from attacks (both internal and external) that can result in the loss of data, outages, and/or regulatory violations. You know who you are.

1) Chief information security officers are glorified auditors or risk managers. Yeah, so what's your point? True, CISOs are often charged with helping their companies comply with various government and industry regulations (HIPAA, SOX, PCI, etc.) that could end up costing hundreds of thousands of dollars in fines if those regs are violated. And one of the CISO's greatest responsibilities is making sure their companies aren't placing themselves at risk of having employee or customer data spilled onto the Web's black market for personal information, whether from malicious cyber attacks, lost/stolen laptops laden with company data, or insiders who exceed their access privileges. If that's not enough, some security chiefs sit on their companies' IT employment diversity councils (such as Cigna's Craig Shumard) or work with industry boards such as the Data Link Security Subcommittee to help design the next generation of aircraft (as Continental's Andre Gold does).

To properly manage all of the responsibilities of a CISO, both within a company and in dealing with regulators and customers, "you have to have a slight case of ADHD (Attention Deficit Hyperactivity Disorder)," says Michael Barrett, PayPal's chief information security officer.

2) It's all about the technology. Not necessarily. "We have a paper shredding policy, but an individual can circumvent that by bringing home a piece of paper and throwing it away in their trash," Cigna's Shumard says. "There's no technology to that." Half of Cigna's information protection policies don't address technology controls because the information isn't digital. That's where security awareness among employees comes into play. "We're only as strong as our weakest link, and the weakest link is the person who doesn't know what they're doing," he adds.

Says PayPal's Barrett, "Eighty percent of the effect is in fact psychological. You tell people that you're monitoring even before you implement the technology."

3) Security spending is a bottomless pit because CISOs are chasing a goal that they can never reach. Don't equate strong security with emerging and often complicated technologies, network access control being one that comes to mind. "Good security doesn't necessarily cost more money," Cigna's Shumard says. "Maintaining good health on your desktops is just plain cost effective and it provides good security."

Of course, it's unrealistic to think that any CISO can drive their company's level of risk to zero. Instead, PayPal's Barrett says, a CISO must know how to identify risks and prioritize resources. "And you have to be able to revise the plan as you go along," he adds.

4) Endpoint security should be every company's top priority. A priority, sure, especially given all of the high-profile laptop thefts that have cost organizations lots of money and caused much embarrassment. But today's security concerns shouldn't obscure preparation for new threats. "The browser is really the way people experience the Internet," says Mozilla's chief security something-or-other Window Snyder (I'm not making that up; that's her real title). "It's an incredibly powerful vehicle for changing the way people interact with information, but it's also a primary vector for attack."

5) Vendors will lead the way in mitigating security threats through innovative new products. Let's fix the problems that exist today before we introduce new ones. "I don't encourage vendors to be more innovative, I encourage them to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up," says AT&T senior VP and chief security officer Ed Amoroso. "You figure out why the building is crumbling." Companies don't need more innovation, "we need more sanity to recognize that we've got vulnerabilities in our software and systems that are so complicated that you have no clue how people get in or don't get in," he adds.

6) The threat landscape changes too quickly to keep up. Hogwash, says PayPal's Barrett. "People could see phishing coming, but they seemed surprised anyway. If you do your crystal ball gazing appropriately, things won't sneak up on you," he says.

7) Every company needs a CISO. Not necessarily. "Organizations first and foremost have to be serious about information risk management before elevating security to the role where you have a CISO or director of information security," Continental's Gold says.
