Executive viewpoint: Mixed messages on software security
This article is part of the November 2013 Vol. 15 / No. 9 issue of Information Security magazine
(ISC)2 issued their Global Information Security Workforce Study during the RSA Conference in February, so when their own Security Congress 2013 event opened in Chicago this fall, they were looking for something fresh to say. The solution was a recut of the original data, focusing solely on the responses from the 1,634 respondents "with security executive titles."

The results in "A View From the Top: The (ISC)2 Global Information Security Workforce Study CXO Report" largely tracked with the broader Global Workforce Study, but did uncover a strange paradox. The top priority or "concern" was application security, but it also ranked as the lowest priority in terms of time spent.

CISOs may not manage or have direct oversight of development teams, 'but they can handle the software security group.' -- Gary McGraw, CTO, Cigital

It's a big mismatch, and respondents in this report aren't exactly the slackers in the room. They've been in the security discipline for more than 14 years on average; 12% of them have been at it 25 years or more. ...
Features in this issue
Companies have embraced virtualization and cloud computing, but security is still bolted-on. Here's what needs to change.
In the November 2013 Beyond the Page on virtual security, Chris Hoff examines the challenges infosec pros face in finding the right security strategy for their enterprise network.
Enterprises cannot always keep attackers out of their networks. Instead, defense-in-depth strategies aim to raise the cost to black hats -- in terms of time and money.
Software security ranks high among security executives' concerns but low in terms of time spent, according to an (ISC)2 CXO study.
Columns in this issue
If software security keeps you up at night -- and it should -- you are in good company.
Wading into the murky waters of security metrics? Jay Jacobs offers his take on data collection and incident reporting with the VERIS framework.
What's a dollar spent on security worth in terms of risk? Break-even analysis helps you decide.