Risk
1/30/2008
04:49 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Four (Non) Myths Of IT Security

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.

Some of the reports and surveys security firm Symantec has provided over the years I've found both useful and informative. This most recent report, which hit today, isn't one of them.I'm still not quite sure what to make of the Symantec IT Risk Management Report Volume II that hit my inbox moments ago. But I know pure spin when I see it. Especially bad spin.

While I haven't had a chance to parse the 50-odd pages, the conclusions of the report are baffling. Even more so considering the findings are targeted toward CISOs, risk managers, as well as compliance and audit professionals. I think some of these professionals may find the report condescending, if not downright insulting.

I'll explain.

The report highlights four myths that the security vendor says it dispels. While these may be "myths" believed by the layperson, or first-year IT professionals, they're certainly not "myths that need to be dispelled" in security circles. At least not by anyone who has ever tried to walk that careful balance between business need and risk mitigation in the real world.

Now, on to the "myths":

Myth One: IT risk is security risk. Because 78% of its respondents ranked availability as a "critical" or "serious" rating of IT risk, Symantec concludes that the "emergence" of a broader view of IT security is underfoot.

Newsflash: Availability always has been a crucial part of the IT security equation, from defending against denial-of-service attacks that choke Web performance to e-mail worms that drag down communications. In fact, availability is part of the IT Security CIA triad: Confidentiality, Integrity, and Availability.

Myth Two: IT risk management is a project. I've yet to hear any chief security officer, security analyst, or even firewall administrator refer to IT risk management as a "project." In nearly every business large enough to have a CIO, risk, compliance manager, IT security and regulatory compliance are treated as long-term programs, not one-off point projects.

Myth Three: Technology alone mitigates IT risk. I dropped my ham and Swiss-cheese sandwich onto my desk when I read this rib-cracker. Again, I've not come across any CISO, chief risk officer, or industry analyst who thought -- let alone ever said -- that technology alone could mitigate IT risk. Most go by the adage that good security is about People, Process, and Technology -- in that order -- when it comes to mitigating risks. Actually, some of the best IT security and risk management technologies available are designed to keep the process in place, and protect people from themselves. And the importance of security awareness has been ranked very high in most every IT security survey I've ever read. Maybe companies should practice what they preach more habitually, but this not a "myth" to be squashed.

Myth Four: IT risk management is a science. "An emerging business discipline, not a science," is how this report describes IT risk management.

Does this need to be stated? To regard IT security and risk management "as a science" flies in the face of the very nature of the CISO or CRO function. Essentially, their job is help the business execute its mission, while keeping risk below or at tolerable levels. And these types of decisions are not scientific, and often amount to a company "gut check."

A simple example would be deciding whether a wireless LAN deployment creates more risk than business or productivity value. If the WLAN can be cost-effectively secured, a WLAN gets the green light. If not, or if the data residing on that network is too valuable to risk, the WLAN would be a no go. These types of decisions are rarely based on science.

This report is a case of the survey respondents knowing exactly what they were saying. It's the interpretation that is bad. These were not myths to be dispelled; rather, they were the early lectures one would expect to hear in Security 101. Symantec should think more highly of its customers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.