9/25/2013 10:01 AM

Five Habits IT Security Professionals Need To Break

To move forward, security pros need to break old thinking, (ISC)2 Congress panel says

CHICAGO -- (ISC)2 Congress 2013 -- If security professionals want to take their craft in new directions, then they need to stop thinking in old ways, experts said in a panel here Tuesday.

In a panel entitled "Cyber Security -- Where the Industry Is Headed Next Year and Beyond," seven industry leaders said security is often stuck in a continuous loop because professionals keep making the same mistakes and have trouble thinking in new ways.

Five examples of bad habits that security pros need to break, according to the panel:

1. Treating IT security as something that's separate from the business
"We need to stop approaching security as something technical that users and executives can't understand," said Spencer Wilcox, security strategist at Exelon. "Sell your executives on your security program -- gamify it, and make it interesting to your executives and your users."

"Be aware of what's happening at the business level," said Tony Vargas, technical leader for engineering at Cisco Systems. "Don't separate yourself from it."

2. Saying "no"
"Too often, security is seen as an obstacle to the business, instead of an enabler," Vargas said. "You need to get people involved, make them part of the solution, rather than seeing security as something that's in the way."

"We need to stop saying 'no' and start asking 'why,'" said Erin Jacobs, founding partner at Urbane Security. "Most of the time, when users try to go around security, it's because they're just trying to get their work done. We need to help them with what they're doing, rather than telling them what they can't do."

3. Preaching to the choir
"We go to these conferences, and it's security people talking to other security people about how important security is," observed Javvad Malik, a security analyst at 451 Research. "It's become a sort of echo chamber. We need to get out and talk to the people who really need to understand the message."

"Business has been following an institutionalized view of risk management for years, and that view doesn't include IT security," noted Forrest Foster, chief security architect at Cisco. "We need to get into the business schools and talk about IT security risk."

4. Confusing security and compliance
"Too many security professionals are moving away from doing real security and are doing more in compliance," said Malik. "We don't need more auditors."

"Some security pros have become glorified security assessors and auditors," Jacobs said. "What's ironic is that a lot of them are not necessarily qualified for that job."

5. Failing to reach out to students and young professionals
"There is a dire shortage of infosec talent out there, and it's hurting all of us," said Dan Waddell, solution lead for the global public sector at Grant Thornton. "We need to build a pipeline of young people we can hire."

"We need to get ourselves and our security message into schools," said James McQuiggan, a member of the security team at Siemens Energy. "Anyone over the age of 35 today is a digital immigrant. Those who are younger, who grew up on the Internet, are the digital natives. We need to get our message of security to those people early."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.

Comments
AlanP596, User Rank: Apprentice
10/4/2013 | 5:16:38 AM
re: Five Habits IT Security Professionals Need To Break
To convince anyone to do anything, a common vocabulary is required. The business will never understand security until pain occurs. However, it is the duty of the risk practitioner to speak the language of the business. Think like a CFO! Identify the assets that would experience a financial loss from likely threats to measure risk and NEVER spend $1 to protect $.10.
ScottL764, User Rank: Apprentice
9/27/2013 | 12:58:38 PM
re: Five Habits IT Security Professionals Need To Break
Based on this outdated view - I think the "Security Panel" needs to spend less time in their offices and more time rubbing shoulders with us in the trenches. The only ones I would give credence to are points #3 and #5 - the rest of them might have been applicable 10 years ago but are outdated now.
Mark T. Arrow, User Rank: Apprentice
9/26/2013 | 6:24:50 PM
re: Five Habits IT Security Professionals Need To Break
Most failures revolve around missing the value proposition. We end up posting sentries around dumpsters. We lose our 1000-yard stares.