|
Title: 8 Dirty Secrets of The Security Industry Post by: oneeyedcarmen on May 08, 2008, 02:12:50 PM Amrit Williams' blog (http://techbuddha.wordpress.com/2008/05/08/8-dirty-secrets-of-the-security-industry/) sums up Joshua Corman's presentation at Interop, creating one of the most entertaining reads I've found in some time...
Remember kids, do not taunt happy fun ball Quote from: Amrit and/or Joshua #0 - Vendors do not need to be ahed of the threat they only need to be ahead of the buyer #1 - AV certifications do not test/require trojans #2 - There is no perimeter #3 - Risk management threatens vendors #4 - There is more to risk than weak software #5 - Compliance threatens security #6 - Vendor blind spots allowed storm #7 - Security has grown well past “Do it yourself” Title: Re: 8 Dirty Secrets of The Security Industry Post by: Fathercat on May 08, 2008, 03:19:02 PM #5 seems so backwards from what we enforce. Compliance for security.
Title: Re: 8 Dirty Secrets of The Security Industry Post by: oneeyedcarmen on May 08, 2008, 03:23:03 PM Quote from: the blog #5 Compliance threatens security When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program. Title: Re: 8 Dirty Secrets of The Security Industry Post by: CadillacGolfer on May 09, 2008, 11:33:11 AM I think as far as compliance, whether it be SOX, PCI, or whatever it all depends on your/your comapny's approach to it. If all you want it to be is an excercise in checking off boxes, then that is all you will get out of it. Failings of FISMA seem to ring a bell.
If you use complaince to drive real beneficial security changes in an organization, you reap the rewards. I'm not saying its easy to do, but it can be done. Title: Re: 8 Dirty Secrets of The Security Industry Post by: oneeyedcarmen on May 09, 2008, 12:00:20 PM Quote from: CadillacGolfer ...it all depends on your/your comapny's approach to it...If you use complaince to drive real beneficial security changes in an organization, you reap the rewards. You're absolutely correct, and ideally that would be the case. However, with security still being seen as a cost by so many companies (though it's getting better) that may be easier said than done. In so many companies, what the CEO and BOD really care about is being compliant with regs while spending the least money possible to do so. I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business. Title: Re: 8 Dirty Secrets of The Security Industry Post by: RoleReversal on May 10, 2008, 10:43:32 AM I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business. wow.... thats a lot of business ;) couldn't agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.
Powered by SMF 1.1.5 |
SMF © 2006-2008, Simple Machines LLC
Joomla Bridge by JoomlaHacks.com |