Total Number of Subscribers: 1626

Date: 26th March 2010
Compiled by: M Sathya Kumar
IT security awareness is at an all-time high, and organizations are spending and hiring in record numbers. Legislation and regulations are proliferating. Yet, for all this effort, nearly every statistical measure of IT security performance — from the number of incidents and vulnerabilities to the cost and impact of a security breach — is bad news. In what other endeavor would so much investment be permitted with such poor results? The potential for disruption from malicious or accidental threats is growing, yet our ability to manage risk has never been more uncertain. Throwing more money at IT security will not close the gap.

Why has this happened? There are many reasons behind the disconnect between effort and results. Security is still not a major design criterion in products, and connectivity is increasing at exponential rates with the move to mobile platforms. Additionally, security architectures were mostly developed by vendors interested in providing a rationale for the sale of products and are not based on a thorough analysis of risks and threats. Arguably, the most significant disconnect is also the most common misconception in IT security — that it is a technical problem requiring a technical solution.

The technical disconnect

For too long, IT security has focused on technology and minimized or completely ignored the other critical elements of risk management: people, policy, process and technology. Although many IT security functions pay lip service to these concepts, little is done to implement each element equally. Security is multidimensional, requiring a variety of skills. In addition to technical know-how, security professionals must work in a competitive business environment and do so in a legal and ethical manner.

People skills require everything from proficiency in communicating complex issues to non-technical executives, to demonstrating the expertise required to interview suspects and witnesses. Successful security professionals analyze risk beyond its simple technical components and incorporate defensible business impacts to justify budgets and educate decision-makers.

Litigation and regulation are now firmly entrenched in IT. Electronic discovery is the new gold rush in the legal profession, and responding to discovery orders for digitally stored information has become a major concern for the general counsel's office.

Finally, investigations of security incidents require extreme legal caution. A patchwork of federal, state and international torts and laws now governs everything from requirements to report security breaches, to issues involving workplace privacy, searches, monitoring of communications and invasion of privacy. The inexperienced IT security practitioner is in a legal minefield and probably doesn't even know it. The recent allegations of improper investigation of HP board members are a case study in how easily simple investigations can become a legal and public relations nightmare.

A more mature IT security: Convergence and certification

Executives dependent on IT for competitive advantage confront an increasing requirement to manage risks that cross functional boundaries. Two initiatives are underway in the security profession that will meet these challenges and change the way we do business: convergence and certification.

The traditional model of separate functions for corporate security, physical security and IT security is wasteful and hinders organizations from managing cross-functional risks. Corporate or physical security functions are converging with IT security and corporate risk management. The most visible example of this is the position of chief security officer (CSO) and the increased investment in implementing converged security programs. The Alliance of Enterprise Security Risk Management (a coalition of the international security organizations ASIS, ISACA and the Information Systems Security Association) recently published a report titled "Convergence of Enterprise Security Organizations."

The second initiative, professional certification, addresses the needs of converged security by going beyond demonstrating simple technical competence to recognize the broader skills required to make risk-based decisions. Examples of these newer certifications include ISACA's Certified Information Security Manager (CISM) and the Association of Certified Fraud Examiners' Certified Fraud Examiner (CFE). These certifications require both knowledge and experience in multiple skill domains of their respective disciplines. Experience-based certifications help organizations hire the most qualified individuals and address due diligence requirements, and they will become a job requirement.

The future

The future is now. IT security engineers and managers who do not develop the competencies required to incorporate legal, business and investigative skills will increasingly find their career opportunities limited. Organizations are looking for better results in managing risk and looking to do it at a lower cost. Contrary to popular opinion, these are not mutually exclusive. To accomplish it, a stronger security profession is required, one that understands and works with strategic decision-makers to effectively manage risk across all security domains.

- Kent Anderson is the founder and managing director of Network Risk Management LLC and a member of ISACA's CISM Certification Board.