HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 29 guests and 1 member online
 
Free Business and Tech Magazines and eBooks

You are here: Home arrow Resourcesarrow News from the Outside Worldarrow 8 Dirty Secrets of The Security Industry
EH-Net
May 23, 2013, 12:53:19 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: 8 Dirty Secrets of The Security Industry  (Read 6104 times)
0 Members and 1 Guest are viewing this topic.
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 233


Klaatu, Borada,Necktie?


View Profile
« on: May 08, 2008, 02:12:50 PM »
Amrit Williams' blog sums up Joshua Corman's presentation at Interop, creating one of the most entertaining reads I've found in some time...

Remember kids, do not taunt happy fun ball

Quote from: Amrit and/or Joshua
#0 - Vendors do not need to be ahed of the threat they only need to be ahead of the buyer

#1 - AV certifications do not test/require trojans

#2 - There is no perimeter

#3 - Risk management threatens vendors

#4 - There is more to risk than weak software

#5 - Compliance threatens security

#6 - Vendor blind spots allowed storm

#7 - Security has grown well past “Do it yourself”
Logged
Reluctant CISSP, Certified ASS
Fathercat
Newbie
*
Offline Offline

Posts: 24


View Profile
« Reply #1 on: May 08, 2008, 03:19:02 PM »
#5 seems so backwards from what we enforce.  Compliance for security.
Logged
CISSP
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 233


Klaatu, Borada,Necktie?


View Profile
« Reply #2 on: May 08, 2008, 03:23:03 PM »
Quote from: the blog
#5 Compliance threatens security

When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program.
Logged
Reluctant CISSP, Certified ASS
CadillacGolfer
Newbie
*
Offline Offline

Posts: 36


View Profile
« Reply #3 on: May 09, 2008, 11:33:11 AM »
I think as far as compliance, whether it be SOX, PCI, or whatever it all depends on your/your comapny's approach to it.  If all you want it to be is an excercise in checking off boxes, then that is all you will get out of it.  Failings of FISMA seem to ring a bell.

If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.   I'm not saying its easy to do, but it can be done.
Logged
oneeyedcarmen
Full Member
***
Offline Offline

Posts: 233


Klaatu, Borada,Necktie?


View Profile
« Reply #4 on: May 09, 2008, 12:00:20 PM »
Quote from: CadillacGolfer
...it all depends on your/your comapny's approach to it...If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.

You're absolutely correct, and ideally that would be the case.  However, with security still being seen as a cost by so many companies (though it's getting better) that may be easier said than done.  In so many companies, what the CEO and BOD really care about is being compliant with regs while spending the least money possible to do so.

I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.
Logged
Reluctant CISSP, Certified ASS
Andrew Waite
Hero Member
*****
Offline Offline

Posts: 928



View Profile WWW
« Reply #5 on: May 10, 2008, 10:43:32 AM »
Quote from: oneeyedcarmen on May 09, 2008, 12:00:20 PM
I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.

wow.... thats a lot of business Wink

couldn't agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.
Logged
-- http://www.infosanity.co.uk
-- http://blog.infosanity.co.uk
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.072 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.