8 Dirty Secrets of The Security Industry

Viewing 5 reply threads
  • Author
    Posts
    • #2401
      oneeyedcarmen
      Participant

      Amrit Williams’ blog sums up Joshua Corman’s presentation at Interop, creating one of the most entertaining reads I’ve found in some time…

      Remember kids, do not taunt happy fun ball

      Amrit and/or Joshua wrote:
      #0 – Vendors do not need to be ahed of the threat they only need to be ahead of the buyer

      #1 – AV certifications do not test/require trojans

      #2 – There is no perimeter

      #3 – Risk management threatens vendors

      #4 – There is more to risk than weak software

      #5 – Compliance threatens security

      #6 – Vendor blind spots allowed storm

      #7 – Security has grown well past “Do it yourself”

    • #17793
      Fathercat
      Participant

      #5 seems so backwards from what we enforce.  Compliance for security.

    • #17794
      oneeyedcarmen
      Participant
      the blog wrote:
      #5 Compliance threatens security

      When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program.

    • #17795
      CadillacGolfer
      Participant

      I think as far as compliance, whether it be SOX, PCI, or whatever it all depends on your/your comapny’s approach to it.  If all you want it to be is an excercise in checking off boxes, then that is all you will get out of it.  Failings of FISMA seem to ring a bell.

      If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.  I’m not saying its easy to do, but it can be done.

    • #17796
      oneeyedcarmen
      Participant
      CadillacGolfer wrote:
      …it all depends on your/your comapny’s approach to it…If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.

      You’re absolutely correct, and ideally that would be the case.  However, with security still being seen as a cost by so many companies (though it’s getting better) that may be easier said than done.  In so many companies, what the CEO and BOD really care about is being compliant with regs while spending the least money possible to do so.

      I understand that I work for a business, and that the business of business is business…but if you lose your customer base because you didn’t do all you could to protect their info, you’ll have no business being in business.

    • #17797
      RoleReversal
      Participant

      @oneeyedcarmen wrote:

      I understand that I work for a business, and that the business of business is business…but if you lose your customer base because you didn’t do all you could to protect their info, you’ll have no business being in business.

      wow…. thats a lot of business 😉

      couldn’t agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?