06:20 PM

7 Security Myths Busted

In the coming weeks, expect to see several stories in InformationWeek and at InformationWeek.com that explain and analyze the role that a chief information security officer has come to play within companies. This coverage will include profiles of some of the industry's leading security chiefs who share their experiences, expertise, and frustrations while protecting corporate and customer data in an increasingly

In the coming weeks, expect to see several stories in InformationWeek and at InformationWeek.com that explain and analyze the role that a chief information security officer has come to play within companies. This coverage will include profiles of some of the industry's leading security chiefs who share their experiences, expertise, and frustrations while protecting corporate and customer data in an increasingly hostile environment. For now, let's clear up some of the misconceptions that have evolved around security and the role of CISO.For the sake of simplicity (in this blog, anyway), I use "CISO" to mean director of information security, chief information protection officer, and any other professional whose primary responsibilities are developing and implementing a security strategy to protect their company's data, networks, and systems from attacks (both internal and external) that can result in the loss of data, outages, and/or regulatory violations. You know who you are.

1) Chief information security officers are glorified auditors or risk managers. Yeah, so what's your point? True, CISOs are often charged with helping their companies comply with various government and industry regulations (HIPAA, SOX, PCI, etc.) that could end up costing hundreds of thousands of dollars in fines if those regs are violated. And one of the CISO's greatest responsibilities is making sure their companies aren't placing themselves at risk of having employee or customer data spilled onto the Web's black market for personal information, whether from malicious cyber attacks, lost/stolen laptops laden with company data, or insiders who exceed their access privileges. If that's not enough, some security chiefs sit on their companies' IT employment diversity councils (such as Cigna's Craig Shumard) or work with industry boards such as the Data Link Security Subcommittee to help design the next generation of aircraft (as Continental's Andre Gold does).

To properly manage all of the responsibilities of a CISO, both within a company and in dealing with regulators and customers, "you have to have a slight case of ADHD (Attention Deficit Hyperactivity Disorder)," says Michael Barrett, PayPal's chief information security officer.

2) It's all about the technology. Not necessarily. "We have a paper shredding policy, but an individual can circumvent that by bringing home a piece of paper and throwing it away in their trash," Cigna's Shumard says. "There's no technology to that." Half of Cigna's information protection policies don't address technology controls because the information isn't digital. That's where security awareness among employees comes into play. "We're only as strong as our weakest link, and the weakest link is the person who doesn't know what they're doing," he adds.

Says PayPal's Barrett, "Eighty percent of the effect is in fact psychological. You tell people that you're monitoring even before you implement the technology."

3) Security spending is a bottomless pit because CISOs are chasing a goal that they can never reach. Don't equate strong security with emerging and often complicated technologies, network access control being one that comes to mind. "Good security doesn't necessarily cost more money," Cigna's Shumard says. "Maintaining good health on your desktops is just plain cost effective and it provides good security."

Of course, it's unrealistic to think that any CISO can drive their company's level of risk to zero. Instead, PayPal's Barrett says, a CISO must know how to identify risks and prioritize resources. "And you have to be able to revise the plan as you go along," he adds.

4) Endpoint security should be every company's top priority. A priority, sure, especially given all of the high-profile laptop thefts that have cost organizations lots of money and caused much embarrassment. But today's security concerns shouldn't obscure preparation for new threats. "The browser is really the way people experience the Internet," says Mozilla's chief security something-or-other Window Snyder (I'm not making that up; that's her real title). "It's an incredibly powerful vehicle for changing the way people interact with information, but it's also a primary vector for attack."

5) Vendors will lead the way in mitigating security threats through innovative new products. Let's fix the problems that exist today before we introduce new ones. "I don't encourage vendors to be more innovative, I encourage them to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up," says AT&T senior VP and chief security officer Ed Amoroso. "You figure out why the building is crumbling." Companies don't need more innovation, "we need more sanity to recognize that we've got vulnerabilities in our software and systems that are so complicated that you have no clue how people get in or don't get in," he adds.

6) The threat landscape changes too quickly to keep up. Hogwash, says PayPal's Barrett. "People could see phishing coming, but they seemed surprised anyway. If you do your crystal ball gazing appropriately, things won't sneak up on you," he says.

7) Every company needs a CISO. Not necessarily. "Organizations first and foremost have to be serious about information risk management before elevating security to the role where you have a CISO or director of information security," Continental's Gold says.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.