Sunil Bhargava: It might appear that the security industry isn’t making as much progress as we might expect against increasingly sophisticated and damaging exploits. When we step back to ask why, we have to consider whether we are doing anything differently today than we were five years ago. We reviewed a new book, Enterprise Information Security and Privacy (Artech House, 2009), and interviewed one of its editors, Warren Axelrod, in our First Person Series podcast “Busting Security Myths”. The book focuses on new thinking and has many stellar contributors: subject matter experts from verticals such as financial services, telecommunications, energy and transportation. Here is Warren Axelrod with a preview of the new information the book provides.
From the desk of Warren Axelrod: In the new book Enterprise Information Security and Privacy, edited by Jennifer Bayuk, Dan Schutzer and me, we quoted Marshall McLuhan, who stated:
Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.
We editors went to great lengths to persuade those in the information security field who are forward-looking to write for the book and come up with innovative and effective approaches to improving the security and privacy of our systems and processes. We didn’t confine ourselves to “Young Turks” who might question everything but not have any useful solutions. We found that even someone such as Donn Parker, who has been in the field for more than 35 years, can question “hand-me-down” security myths and suggest better ways of tackling security risk, for example.
But there are many in our profession who are not as imaginative and follow the well-trod paths. We still hear the mantra of “complex passwords” in response to phishing and session hijacking, which allow the bad guys to gain access regardless of how complex passwords might be. We are regularly admonished about “data leakage prevention” when most organizations, as Jennifer Bayuk describes in her chapter, haven’t even classified their data or even know where the data might be at every point in time. Many practitioners are not familiar with the security and privacy laws and regulations that impact their everyday decisions and will benefit greatly from Tom Smedinghoff’s chapter. What about the energy industry? Peter Curtis gives us an insider’s view of the security issues confronted in that sector.
We could go on and on about areas in which security and privacy professionals are backward-facing and are missing the demands and complexities of the evolving computer and network environments. It is shameful, since there are many tools and practices that can reduce security risk and lead to more trustworthy environments; they are just not being used. A number of security officers with whom I have spoken have their heads in the sand. They seem to think that if they are not aware of a vulnerability or exploit, then they won’t be held accountable when things go awry. Experience has shown that this is not the case. It behooves security and privacy managers to install monitoring probes wherever feasible and work through the logs using automated methods in order to reveal improper behavior. They need to be thinking ahead as technologies like virtualization and cloud computing burst into the IT world.
You can’t steer a car by looking at the rear-view mirror, and you can’t manage security by relying solely on methods and approaches that have been successful in the past. Some of these techniques don’t have the impact they once had. There is a growing recognition that a huge research and development effort is needed to address the rapidly increasing number, complexity and sophistication of threats. However, if we were to use the many tools and good practices, which are already available to us, in meaningful ways, we could achieve a significantly higher level of security, privacy, trustworthiness and safety. This is a pragmatic course of action that can be taken while we wait for the silver bullet that may never come.
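Two points in the column above go together: complex passwords do nothing against session hijacking, and logs should be worked through with automated methods to reveal improper behavior. The following is an added example (not from the book or from Warren Axelrod) of what such an automated check can look like: it parses a constructed, simplified web access log and flags sessions whose token is suddenly presented from a different IP address within a short window, or with a different user agent. The log format, the five-minute window and the sample lines are all assumptions made for this illustration.

```python
"""Flag likely session hijacking from web access logs.

Added example. The log layout below is an assumption for illustration:
    timestamp  session_id  client_ip  user_agent  request
Session ids, IPs and timestamps are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log (assumed format; not real traffic).
# sess-a1b2 is reused from a new IP and user agent 45 seconds later,
# which no password policy would have prevented.
# sess-c3d4 changes IP two hours later with the same user agent, which
# looks more like roaming than theft and is left alone.
SAMPLE_LOG = """\
2009-05-01T10:00:00 sess-a1b2 203.0.113.10 Mozilla/5.0 GET /account
2009-05-01T10:00:30 sess-a1b2 203.0.113.10 Mozilla/5.0 GET /transfer
2009-05-01T10:01:15 sess-a1b2 198.51.100.7 curl/7.19 POST /transfer
2009-05-01T10:05:00 sess-c3d4 192.0.2.44 Mozilla/5.0 GET /account
2009-05-01T12:05:00 sess-c3d4 192.0.2.91 Mozilla/5.0 GET /account
"""

# Window within which an IP change on the same session is treated as suspicious
# (assumed threshold; tune to the application).
WINDOW = timedelta(minutes=5)


class Request(NamedTuple):
    ts: datetime
    session: str
    ip: str
    ua: str
    request: str


def parse_log(text: str) -> List[Request]:
    """Parse the assumed whitespace-separated log format into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The request field ("GET /account") contains a space, so split at most 4 times.
        ts, session, ip, ua, request = line.split(None, 4)
        records.append(Request(datetime.fromisoformat(ts), session, ip, ua, request))
    return records


def find_hijack_candidates(records: List[Request],
                           window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Return {session_id: [reasons]} for sessions showing hijack indicators.

    Indicators checked between consecutive requests of the same session:
      * user agent changed (always flagged),
      * client IP changed within `window` (flagged; slower changes ignored).
    """
    by_session: Dict[str, List[Request]] = defaultdict(list)
    for r in records:
        by_session[r.session].append(r)

    findings: Dict[str, List[str]] = {}
    for session, reqs in by_session.items():
        reqs.sort(key=lambda r: r.ts)
        reasons = []
        for prev, cur in zip(reqs, reqs[1:]):
            if cur.ua != prev.ua:
                reasons.append(f"user-agent changed {prev.ua!r} -> {cur.ua!r} "
                               f"at {cur.ts.isoformat()}")
            if cur.ip != prev.ip and cur.ts - prev.ts <= window:
                reasons.append(f"IP changed {prev.ip} -> {cur.ip} "
                               f"within {cur.ts - prev.ts}")
        if reasons:
            findings[session] = reasons
    return findings


if __name__ == "__main__":
    for session, reasons in find_hijack_candidates(parse_log(SAMPLE_LOG)).items():
        print(session)
        for reason in reasons:
            print("  ", reason)
```

Run on the sample, only sess-a1b2 is reported, with two reasons (the user-agent change and the IP change 45 seconds apart). In a real deployment the same logic would read the application's own access or audit log, and the window and user-agent rule would be tuned to the population of clients; the point is that the signal comes from monitoring session behavior, not from the strength of the credential that opened the session.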