folks in your industry that are being exposed to the same threats. While they may be competitors on the business side, you all have a vested interest in lowering the industrywide threat level. The bad guys talk all the time. If you don’t have industry-specific contacts, you will be at an even larger disadvantage. It’s probably the least expensive thing you can do to increase your security posture.
BENNETT: Businesses need to understand an attacker’s motivation to steal know-how, systems, and other assets. While the typical goal is to replicate and/or destroy the business, the protection of a business’ reputation and the rigorous understanding of a business’ vulnerabilities are not given the board-level visibility they require. New, young businesses actually understand this better than many medium-size, older businesses.

Attacks may not be just about money and may not be rationally motivated. A motivation for someone to destroy your business may not be “You lose, I win,” but “You lose, I stay the same.” Given the current state of the recession, that cannot be discounted.
CLARK: When things go wrong, you need to be in a position to understand what happened. That includes not just the technological side but the motivation side as well.

The IT security function needs to have a seat at the management table and directly align with the business’ goals. I asked a CISO (chief information security officer) for a large multinational corporation about his objectives. He said, “My first objective is associated with contributing to the financial success of my business.” That really focused his mind about the profitability and success of the organization and made him a critical player in the achievement of that goal.
MACHE CREEGER: “The best advice is to recognize what makes you unique in the market and think honestly about how to protect those assets. This might include spending some money on a computer-literate consultant who could actually help you think through that process.”

EPSTEIN: Too many organizations spend their information-security resources on protecting their firewalls and other fairly low-level things such as the protocol stack. The activity these days is all happening in the application layer. While a lot of the small and medium-size organizations are just now getting around to protecting the bottom layer, the bottom isn’t where the problems are anymore.

If you look at the nature of network attacks, Microsoft, Cisco, etc. have done a reasonably good job. Just because they have pushed attackers higher in the service stack, however, doesn’t mean the game is over for us defenders. We have to move our defenses higher as well. We can’t just monitor firewall logs anymore. We now have to monitor application logs, and a lot of applications don’t have logs. While boards have been hearing the mantra of antivirus, firewall, etc., they now need to understand that the threat has moved up the stack, and the defenses have to move there as well.
I think the cloud is, on the whole, a positive thing. As computer scientists, we need to come up with a way to give users advice on how to select a cloud provider. We need the equivalent of Consumer Reports for cloud providers supporting specific industries, especially for small and medium-size businesses.
CREEGER: My take-away is that security is really tied up intimately with the semantics of your business. For a long time, most people have treated security with a one-size-fits-all solution, usually putting fences around certain critical components without thinking about the real semantics of operations. My impression from our conversation is not only do IT people need a real seat at the senior management table so they can make substantive contributions to its profitability, but they also need to understand the company’s long-term strategy and operations intimately in order to avoid calamity.
Related articles on queue.acm.org

Lessons from the Letter
Kode Vicious
http://queue.acm.org/detail.cfm?id=1837255

Intellectual Property and Software Piracy: an interview with Aladdin vice president Gregg Gronowski
http://queue.acm.org/detail.cfm?id=1388781

CTO Roundtable: Malware Defense
http://queue.acm.org/detail.cfm?id=1731902
Mache Creeger (mache@creeger.com) is a technology industry veteran based in Silicon Valley. Along with being a columnist for ACM Queue, he is the principal of Emergent Technology Associates, marketing and business development consultants to technology companies worldwide.