Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/10/2008
04:45 PM
Rob Preston
Rob Preston
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Down To Business: It's Past Time To Elevate The Infosec Conversation

At the RSA conference, the security discussion was about helping customers innovate and deliver business value.

The RSA Conference, the annual security fest hosted by EMC unit RSA, is to the information security industry what the New Hampshire primary is to the presidential election process: the first major venue for the leading players to set the tone and frame the discussion for the coming year.

Last year, RSA chief Art Coviello championed industry consolidation, arguing that as a handful of major vendors (EMC, Cisco, IBM, Microsoft) built security into their infrastructure platforms, standalone security challengers would fall by the wayside--all within three years. "If I'm proven wrong about the timing," Coviello said last year, "I won't be proven wrong in the need for this." The likes of Symantec and McAfee begged to differ, and the industry continues to debate the strengths and weaknesses of all-in-one security architectures.

RSA, as host vendor, sought to exploit its home turf advantage again last week, when Coviello struck a different tone. Instead of focusing on industry restructuring and technology architectures, he elevated the security discussion to one about helping customers innovate and deliver business value.

More than 80% of the IT, security, and business executives RSA recently surveyed with IDC "admit that their organizations have shied away from business innovation opportunities because of information security concerns," Coviello told the RSA audience. The main challenge: Move the internal conversation about security away from fear mongering and worst-case scenarios toward how security can augment new products and services. Or at least don't get in the way. It's tantamount to the security pro's Hippocratic oath: First, do no harm.

While RSA offers no elixir for making security a "business enabler," it has created a Security for Business Innovation Council to get security pros talking about the issue. RSA quotes member David Kent, VP of security for biotech company Genzyme: "If you are doing your job, you shouldn't even sound like a security person. The business doesn't care how many viruses you stopped. ... 'How are you helping me meet my business objectives?'"

Likewise, InformationWeek contributor Greg Shipley, CTO of security consultancy Neohapsis, urges security pros to integrate risk management into all processes. They also need to get better at understanding and relating to their internal audiences, assessing which data to assign the most protection, and picking their battles and technologies more carefully. "For some organizations," Shipley writes, "this will require a wholesale transformation."(See Risk Management: Do It Now, Do It Right.)

It's still early in this evolution. When asked last year how their companies measure the value of their security investments, the 1,100 U.S. respondents to InformationWeek's Global Information Security Survey offered a stew of mostly operational criteria: 43% said they measured value in terms of reduced worker hours spent on security; 33% measured it in reduced breaches; 33% in reduced network downtime; and 24% in reduced incident response times. With the exception of improving intellectual property protection (27%) and honing risk management strategies (25%), none of the criteria selected relates to business value. In fact, 24% of the respondents didn't measure the value of their security investments at all.

The sooner security pros can converse in the language of risk mitigation and business opportunity, the more they'll be involved in strategic planning and the less they'll be considered a cost center.

Compare Coviello's nuanced approach to the classic fire and brimstone of Homeland Security Secretary Michael Chertoff, who at RSA last week warned that a large-scale cyberattack on the United States could inflict damage comparable to the Sept. 11, 2001, terrorist attacks. Chertoff likened U.S. government efforts to improve cybersecurity to the Manhattan Project, which developed the atomic bomb.

Chertoff has his own unique war to fight; enterprise security pros may want to use Manhattan Project metaphors sparingly.

Rob Preston,
VP and Editor in Chief
[email protected]

To find out more about Rob Preston, please visit his page.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.