Opinion: Military security legacy is one of innovation, integrity

By Norman Beznoska Jr., Contributor
06 Apr 2006 | SearchSecurity.com


As a veteran of the U.S. Navy, I have become accustomed to seeing our military denounced by Al Jazeera and The New York Times, but not in the pages of our information security journals and periodicals. That is, until now.

Jay Heiser, a columnist for Information Security magazine and vice president with research firm Gartner, in a recent column saw fit to blame all the ills and failed security projects of corporate America on our military, even going so far as to make the ridiculous statement that "if we had developed a business approach that ensured transactions were genuine instead of a military approach that protected the secrecy of credit card numbers, ID theft wouldn't be an issue today."

With all due respect to Heiser, I don't ever recall the military "forcing" corporate America to adopt its security tools, practices and standards over my IT career, which spans some 40 years. Had it not been for the military, Rear Admiral Grace M. Hopper of the U.S. Navy and the CODASYL project, which finally adopted COBOL as an industry standard in 1960, we would still be wiring electromagnetic unit record boards and making punch card Christmas wreaths.

Let me take a moment and examine a few of the issues that really have made our corporations and information assets targets of opportunity and placed our personal data at risk:

Since the early 1990s, I have been involved in all facets of IT security consulting and business development. I've heard a litany of excuses from corporate executives paying "lip service" to best security practices, tools and controls. For example, I've heard an executive say, "Of course we know security is important, but we have to roll out this application, which has a higher priority than conducting an enterprise-wide security review and vulnerability assessment." Is any project more important than ensuring the integrity of corporate and customer information assets?

Or my favorite line, from a billion-dollar bank: "I'm sorry, but we can't afford to spend $25,000 for an IT security audit and vulnerability assessment." Oddly enough, that very same bank regularly outsources program code and financial records to foreign countries with nary a thought given as to who has access to those programs and code.

While many American companies impose stringent security and background checks on their employees, they rarely bother to do the same for foreign nationals, or even third-shift cleaning crews. In his book "Corporate Espionage," no less an authority than Ira Winkler pointed out how easy it is for felons to be hired to work on cleaning crews and fill those large gray trash barrels with a treasure trove of stolen laptop PCs and credit card reports.

According to the Electronic Crimes Task Force of the U.S. Secret Service, the greatest threat posed to corporate America today is from insiders and social engineers, not the military, Mr. Heiser. I could go on and on, but by now you get the picture.

In his book A Deficit of Decency, former U.S. Senator Zell Miller wrote a chapter entitled "Wimps and Warriors." In it, Miller said that at a time when the Warriors wanted to focus all our energy on the future, instead of the past, the Wimps preferred to point fingers, assign blame and wring their hands. Sound familiar?

Let us remember then that the branches of our military should still serve as an example of what corporations should do right when securing their information. In fact, it's critical that organizations not only learn from the military, but also work with them and other government entities including local law enforcement, the Secret Service or Department of Homeland Security.

Failure to do so will no doubt result in an alarming increase in security breaches and identity thefts, and may even lead to a digital Pearl Harbor of September 11 proportions, from which we, as a nation, may never recover.

Norman Beznoska Jr. is director of enterprise security at Infiniti Systems Group in Brecksville, Ohio.
