.

8 Dirty Secrets of The Security Industry

<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Thu May 08, 2008 2:12 pm

8 Dirty Secrets of The Security Industry

Amrit Williams' blog sums up Joshua Corman's presentation at Interop, creating one of the most entertaining reads I've found in some time...

Remember kids, do not taunt happy fun ball

[quote=Amrit and/or Joshua]#0 - Vendors do not need to be ahed of the threat they only need to be ahead of the buyer

#1 - AV certifications do not test/require trojans

#2 - There is no perimeter

#3 - Risk management threatens vendors

#4 - There is more to risk than weak software

#5 - Compliance threatens security

#6 - Vendor blind spots allowed storm

#7 - Security has grown well past “Do it yourself”[/quote]
Reluctant CISSP, Certified ASS
<<

Fathercat

Newbie
Newbie

Posts: 24

Joined: Wed May 07, 2008 9:23 am

Location: St Louis

Post Thu May 08, 2008 3:19 pm

Re: 8 Dirty Secrets of The Security Industry

#5 seems so backwards from what we enforce.  Compliance for security.


CISSP
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Thu May 08, 2008 3:23 pm

Re: 8 Dirty Secrets of The Security Industry

[quote=the blog]#5 Compliance threatens security

When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program.
[/quote]
Reluctant CISSP, Certified ASS
<<

CadillacGolfer

Newbie
Newbie

Posts: 36

Joined: Thu Dec 14, 2006 1:58 pm

Post Fri May 09, 2008 11:33 am

Re: 8 Dirty Secrets of The Security Industry

I think as far as compliance, whether it be SOX, PCI, or whatever it all depends on your/your comapny's approach to it.  If all you want it to be is an excercise in checking off boxes, then that is all you will get out of it.  Failings of FISMA seem to ring a bell.

If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.  I'm not saying its easy to do, but it can be done.
<<

oneeyedcarmen

User avatar

Full Member
Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Fri May 09, 2008 12:00 pm

Re: 8 Dirty Secrets of The Security Industry

[quote=CadillacGolfer]...it all depends on your/your comapny's approach to it...If you use complaince to drive real beneficial security changes in an organization, you reap the rewards.[/quote]

You're absolutely correct, and ideally that would be the case.  However, with security still being seen as a cost by so many companies (though it's getting better) that may be easier said than done.  In so many companies, what the CEO and BOD really care about is being compliant with regs while spending the least money possible to do so.

I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.
Reluctant CISSP, Certified ASS
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat May 10, 2008 10:43 am

Re: 8 Dirty Secrets of The Security Industry

oneeyedcarmen wrote:I understand that I work for a business, and that the business of business is business...but if you lose your customer base because you didn't do all you could to protect their info, you'll have no business being in business.


wow.... thats a lot of business ;)

couldn't agree more though, it seems that current business culture makes it difficult and rare to get full management buy-in for improving security beyond the minimum. Unfortunately the current climate allows the man (& women) at the top can earn as much (and sometimes more) for a golden boot as a golden handshake.

Return to News from the Outside World

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software