This is the fifth year we've handed out the Security 7 Award, a milestone for sure. We've recognized some of the best minds in the security industry, be they pioneers such as Dorothy Denning or Gene Spafford, or folks such as Michael Daly, Stephen Bonner or Richard Jackson who don't have the same name recognition, but were held in such high regard by colleagues and contemporaries that they were nominated for our annual award and put on equal footing.
And while ultimately the award is for the people being recognized, it's really about the work they do and how they're adjusting to threats, managing risk and fitting in with the business. Looking back at the accomplishments of all the nominees from the past five years, it's a tidy, packaged look at how the security industry has matured. Some of the early winners were just starting to talk about the need to keep personally identifiable information safe and dabbling with bits and pieces of identity management, such as provisioning systems. Slowly, the conversations turned toward risk management, and the integration and alignment of information security with the business.
This kind of movement is important to monitor and learn from; we're fortunate to have the Security 7 winners with us to chronicle their successes and struggles. A year ago, we turned the presentation of the awards in our publication over to the winners, inviting them to write first-person essays on a security issue they were passionate about. This year's
I urge you to absorb what they've written and look for new trends that may be landing on your plate in short order.
One is the issue of third-party security. Perimeters truly don't exist any more in the enterprise. Mobile devices extend and connect your employees outside the four walls of your office, and surely that's responsible for a fair share of grey hair. But an emerging and bigger risk stems from business partners who need access to your data, not to mention the emerging paradigm of risk presented by cloud computing.
Businesses need to find ways to address these risks without impeding the crucial business benefits presented by third-party relationships. You have to look into frameworks that will help you audit the security of your providers. You have to ensure that their policies closely align with yours. You have to be satisfied not only with their infrastructure protections but also with their access controls, and hammer out liability issues if they are breached.
Some of our Security 7 winners recognize that sometimes, bad things come in threes -- or in this case, thirds. They've already instituted extensive programs that examine the security posture of those they do business with. They understand the risks and how quickly unchecked third-party relationships can take down a critical server or network segment, doing measurable harm to a company's bottom line. They're ahead of the curve and setting a standard for the next five years of information security. Learn from these people, for right now they represent the best of your profession. And remember that there's plenty of room on the Security 7 honor roll for the innovators of tomorrow's security initiatives.
Michael S. Mimoso is Editor of Information Security. Send comments on this column to firstname.lastname@example.org.
This was first published in October 2009