Security 7 Award winners tackle important information security issues




strategic planning
Prerequisite Strategy by Mark Weatherford

When the wolves are at the door--and they're at the door every day--it can be difficult to focus strategically on where we think the threat may be in three or five years and what our reaction should be. That, however, does not preclude the requirement for the CISO to set the strategic course.

So once a year, we gather our team at an off-site meeting to create--drum roll, please--the Strategic Plan, which often ends up being more tactical than strategic. The result is that we end up without a true strategy because we haven't devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I've done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.

Perhaps if we'd done a better job as an industry in our strategic planning and thinking, we wouldn't be overrun with the poorly coded applications we have today that just beg for a hacker's attention. In retrospect, my strategic thinking should have focused more on these kinds of big problems that have business implications, because as we all know, business is typically what suffers when you have a security incident. I knew legacy applications were vulnerable to the kind of command-execution and client-side attacks we are seeing today, and you probably did too. Have we just been too focused on Patch Tuesday vulnerabilities or the latest vulnerability assessment results? When did application security show up on your Top 5 list of things to worry about? Think about it--we've known about the problem of protecting personally identifiable information for years, but when did it become your No. 1 priority?

I think times are changing in most business circles, and hopefully security is finally being appreciated as being business critical. Perhaps not always happily, but recognized nonetheless, due to the growing regulatory environment, increasing requirement to protect intellectual property--and in the government sector, the need to guard our citizens' perception that we are protecting their personal information. So while it takes a degree of boldness to look into the future, I believe CISOs neglect true strategic planning at their peril because real success is impossible without the road map a strategic plan provides.


On the iPod: Andrea Bocelli and Il Divo for quiet times; Warren Zevon, Green Day and Eminem for running and working out. Big Jimmy Buffett fan too.

my famous boss
Appointed by Gov. Arnold Schwarzenegger to the newly created Office of Information Security and Privacy Protection.

security heroes
Alan Paller of the SANS Institute and Alfred Ouyang of MITRE Corp.

last vacation
White water rafting in Colorado, where he also competed as part of a team that ran the 195-mile Wild West Relay race.


This was first published in October 2008
