Information Security Magazine


Ping: Robert Garigue
by Bill Brenner
Issue: Jul 2006

Robert Garigue may be less than six months into a new industry as Bell Canada's chief security executive, but that doesn't mean the security playbook that served him well as CISO for the Bank of Montreal has to be scrapped. Most threats and best practices are universal, and security philosophies can be carried from job to job.

In switching business sectors, which threats have carried over? Much of what's happening now is geared toward identity theft, and the threat [is a problem] for any business sector. Criminal focus has moved away from technology and toward the business model as the weakest link. Phishing and Trojans are used to capture passwords and access accounts; this attacks the trust mechanism of a business model as opposed to attacking the technology.

How has the security response changed as a result? Initially the [threat focus] was on the networks, and the response was about access control lists and firewalls. Then, operating systems became the focus, and the response was intrusion detection systems and patch management. Now the focus is on the applications, and the response is ID management.

What should security pros focus on when planning for the future? Organizations will control less and less of their infrastructure. When you don't control the infrastructure anymore, like in a mobile environment, you need to focus your efforts on how to protect content. It will all be about digital rights management.

Phishing is a popular weapon among identity thieves. Are security tactics changing to deal with this kind of threat? Financial institutions in Canada won't send marketing information with an active link in the page because that's what the phishers do. The word going out to customers is, "We won't link." If a customer sees a link in a message, they now know it's not really from the bank. At present, social engineering is a problem because people don't offer enough credentials for a transaction. There needs to be more "trust but verify." We can require people to answer a shared secret. There can be multiple questions that people have to answer.

Are there universal best practices a security pro can take from one job to the next? First, remember that education, awareness and executive support are vital to deal with these threats. Make sure you are locking down routers and hardening servers, and that the proper monitoring and response mechanisms are in place. Make sure your security processes address threats at the network, computing, application and content layers.

Read the complete interview with Robert Garigue at searchsecurity.com/ismag.
