Risk
1/30/2008
04:49 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

The Four (Non) Myths Of IT Security

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.I'm still not quite sure what to make of the Symantec IT Risk Management Report Volume II that hit my inbox moments ago. But I know pure spin when I see it. Especially bad spin.

While I haven't had a chance to parse the 50-odd pages, the conclusions of the report are baffling. Even more so considering the findings are targeted toward CISOs, risk managers, as well as compliance and audit professionals. I think some of these professionals may find the report condescending, if not downright insulting.

I'll explain.

The report highlights four myths that the security vendor says it dispels. While these may be "myths" believed by the layperson, or first-year IT professionals, they're certainly not "myths that need to be dispelled" in security circles. At least not by anyone who has ever tried to walk that careful balance between business need and risk mitigation in the real world.

Now, on to the "myths":

Myth One: IT risk is security risk. Because 78% of its respondents ranked availability as a "critical" or "serious" rating of IT risk, Symantec concludes that the "emergence" of a broader view of IT security is underfoot.

Newsflash: Availability always has been a crucial part of the IT security equation, from defending against denial-of-service attacks that choke Web performance to e-mail worms that drag down communications. In fact, availability is part of the IT Security CIA triad: Confidentiality, Integrity, and Availability.

Myth Two: IT risk management is a project. I've yet to hear any chief security officer, security analyst, or even firewall administrator refer to IT risk management as a "project." In nearly every business large enough to have a CIO, risk, compliance manager, IT security and regulatory compliance are treated as long-term programs, not one-off point projects.

Myth Three: Technology alone mitigates IT risk. I dropped my ham and Swiss-cheese sandwich onto my desk when I read this rib-cracker. Again, I've not come across any CISO, chief risk officer, or industry analyst who thought -- let alone ever said -- that technology alone could mitigate IT risk. Most go by the adage that good security is about People, Process, and Technology -- in that order -- when it comes to mitigating risks. Actually, some of the best IT security and risk management technologies available are designed to keep the process in place, and protect people from themselves. And the importance of security awareness has been ranked very high in most every IT security survey I've ever read. Maybe companies should practice what they preach more habitually, but this not a "myth" to be squashed.

Myth Four: IT risk management is a science. "An emerging business discipline, not a science," is how this report describes IT risk management.

Does this need to be stated? To regard IT security and risk management "as a science" flies in the face of the very nature of the CISO or CRO function. Essentially, their job is help the business execute its mission, while keeping risk below or at tolerable levels. And these types of decisions are not scientific, and often amount to a company "gut check."

A simple example would be deciding whether a wireless LAN deployment creates more risk than business or productivity value. If the WLAN can be cost-effectively secured, a WLAN gets the green light. If not, or if the data residing on that network is too valuable to risk, the WLAN would be a no go. These types of decisions are rarely based on science.

This report is a case of the survey respondents knowing exactly what they were saying. It's the interpretation that is bad. These were not myths to be dispelled; rather, they were the early lectures one would expect to hear in Security 101. Symantec should think more highly of its customers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.