Communications - December 2010

folks in your industry that are being exposed to the same threats. While they may be competitors on the business side, you all have a vested interest in lowering the industrywide threat level. The bad guys talk all the time. If you don’t have industry-specific contacts, you will be at an even larger disadvantage. It’s probably the least expensive thing you can do to increase your security posture.

BEnnETT: Businesses need to understand an attacker’s motivation to steal know-how, systems, and other assets. While the typical goal is to replicate and/or destroy the business, the protection of a business’ reputation and the rigorous understanding of a business’ vulnerabilities are not given the board-level visibility they require. New, young businesses actually understand this better than many medium-size, older businesses.

Attacks may not be just about money and may not be rationally motivated. A motivation for someone to destroy your business may not be “You lose, I win,” but “You lose, I stay the same.” Given the current state of the recession, that cannot be discounted.

CLaRK: When things go wrong, you need to be in a position to understand what happened. That includes not just the technological side but the motivation side as well.

The IT security function needs to have a seat at the management table and directly align with the business’ goals. I asked a CISO (chief information security officer) for a large multinational corporation about his objectives. He said, “My first objective is associated with contributing to the financial success of my business.” That really focused his mind about the profitability and success of the organization and made him a critical player in the achievement of that goal.

EPSTEin: Too many organizations spend their information-security resources on protecting their firewalls and other fairly low-level things such as the protocol stack. The activity these days is all happening in the application layer. While a lot of the small and medium-size organizations are just now getting around to protecting the bottom layer, the bottom isn’t where the problems are anymore.

If you look at the nature of net-

maChE CREEGER
The best advice
is to recognize
what makes you
unique in the
market and think
honestly about how
to protect those
assets. This might
include spending
some money on a
computer-literate
consultant who
could actually help
you think through
that process.

work attacks, Microsoft, Cisco, etc. have done a reasonably good job. Just because they have pushed attackers higher in the service stack, however, doesn’t mean the game is over for us defenders. We have to move our defenses higher as well. We can’t just monitor firewall logs anymore. We now have to monitor application logs, and a lot of applications don’t have logs. While boards have been hearing the mantra of antivirus, firewall, etc., they now need to understand that the threat has moved up the stack, and the defenses have to move there as well.

I think the cloud is, on the whole, a positive thing. As computer scientists, we need to come up with a way to give users advice on how to select a cloud provider. We need the equivalent of Consumer Reports for cloud providers supporting specific industries, especially for small and medium-size businesses.

CREEGER: My take-away is that security is really tied up intimately with the semantics of your business. For a long time, most people have treated security with a one-size-fits solution, usually putting fences around certain critical components without thinking about the real semantics of operations. My impressions from our conversation is not only do IT people need a real seat at the senior management table so they can make substantive contributions to its profitability, but they also need to understand the company’s long-term strategy and operations intimately in order to avoid calamity.

Related articles on queue.acm.org

Lessons from the Letter

Kode Vicious

http://queue.acm.org/detail.cfm?id=1837255

Intellectual Property and Software Piracy: an interview with Aladdin vice president Gregg Gronowski

http://queue.acm.org/detail.cfm?id=1388781

CTO Roundtable: Malware Defense

http://queue.acm.org/detail.cfm?id=1731902

Mache Creeger ( mache@creeger.com) is a technology industry veteran based in Silicon Valley. along with being a columnist for ACM Queue, he is the principal of emergent technology associates, marketing and business development consultants to technology companies worldwide.