GUEST COMMENTARY

Bright ideas


Andrew Briney, Information Security magazine
11.19.2004




Last month Information Security held its fall conference, "Information Security Decisions." Don't know about you, but I've always looked upon professional conferences as accelerated learning programs. You can learn a lot from books, magazines and Web sites, but there's simply no substitute for the full immersion of a good conference or workshop. What makes conferences work, I think, is the ongoing dialogue. The more engaged you are, the more you're able to apply what you've learned back at the office.

So, at the risk of looking like a lackey for our own conference, here are some bright ideas from speakers at last month's event.

Anish Bhimani, VP of IT Operational Risk, JPMorganChase: "It took me a while to figure out that a strong partnership between IT security and audit can be incredibly powerful. On the one hand, audit's job is to point out your problems, and the more you do, the harder they look for something you're not doing.

"On the other hand, you could think of audit as having a giant searchlight. Unlike security, they have the ability to say, 'Look over here, there's a real fundamental problem. Nothing's getting done about it.' And that is a very powerful stick. Audit gives security the teeth it needs, as well as the support to do something about it. And the environment gets better."

Historically, security and audit have been like oil and water: both are liquids, but they don't mix well together. As organizations come under increasing regulatory pressure, security and audit must team up to form an effective "carrot and stick" combination.

Bill Boni, CISO of Motorola: "Being a CISO is like being a consulting physician. I say to the business side, 'Here's my diagnosis. Here's what you need to do to improve your health.' But you know what? It's ultimately their body. They choose whether to follow my advice. My job is to bring them accurate and timely information on their condition. It's up to them to make a healthy choice."

Boni's analogy reminds us that infosecurity professionals don't own the information. They're the information caretakers, charged with writing a prescription for organizational health. However, a patient can't get well if he doesn't take his medication.

Eugene Spafford, executive director of Purdue University's CERIAS: "A lot of people talk about the Internet as a Wild West frontier, with ongoing battles between the cowboys and Indians. A CEO once opened my eyes to a different way of thinking. He said, 'Look, it's not about circling the wagons. It's about getting your wagon train over the pass safely.'"

Thinking about security in terms of good guys vs. bad guys misses the larger picture: Security is about ensuring that the company is comfortable with its level of risk during times of both low and high exposure.

Robert Garigue, CISO of the Bank of Montreal: "We're moving away from the infrastructure-centric organization and toward the info-structure-centric organization. Infrastructure-centric security values the containers; they focus on protecting the containers so they don't leak. Info-structure-centric security values content; they focus on the process of transforming content into knowledge. In the future, security will no longer own the containers, but we certainly are going to be accountable for the content."

Security controls have evolved from the perimeter to the core and, lately, to the operating system and application. The future challenge will be roles and content. Role-based access control must become more granular, moving from the group and application level down to the data itself. And we must institutionalize a process for classifying and tagging all information. As the distinction between outside and inside the organization vanishes, the ability to assert data-level access control will be the difference between security and insecurity.
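The data-level control this paragraph calls for, as an added example that is not code from the column or from any organization it quotes: an application-level role grant is checked first, then the record's own classification tag and owning group decide whether the read goes through. The label scheme, the role names, the records and the users are all constructed for illustration.

```python
"""Added example (not from the column): application-level RBAC contrasted with
data-level, label-based access control. Every label, role, record and user here
is a constructed assumption for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Tuple


class Label(IntEnum):
    """Classification labels, ordered so higher means more sensitive (assumed scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    record_id: str
    label: Label          # classification tag carried by the data itself
    owner_group: str      # business unit accountable for the content
    body: str


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    clearance: Label      # highest label this user may read
    groups: FrozenSet[str]


# Coarse, application-level grant: which roles may open which application at all.
APP_ROLE_GRANTS = {
    "ledger-app": frozenset({"analyst", "auditor"}),
}


def app_level_allows(p: Principal, app: str) -> bool:
    """Group/application-level RBAC: any matching role opens the whole application."""
    return bool(p.roles & APP_ROLE_GRANTS.get(app, frozenset()))


def data_level_allows(p: Principal, rec: Record) -> bool:
    """Data-level check driven by the record's own tag (assumed policy).

    1. The user's clearance must dominate the record's label.
    2. CONFIDENTIAL and above are additionally scoped to the owning group, so a
       highly cleared user from another unit still cannot read that unit's data.
    """
    if p.clearance < rec.label:
        return False
    if rec.label >= Label.CONFIDENTIAL and rec.owner_group not in p.groups:
        return False
    return True


def read_record(p: Principal, app: str, rec: Record) -> Tuple[bool, str]:
    """Enforce both layers and return (allowed, reason) suitable for an audit log."""
    if not app_level_allows(p, app):
        return False, "denied: %s holds no role granting access to %s" % (p.user, app)
    if not data_level_allows(p, rec):
        return False, "denied: %s may not read %s (label %s, owner %s)" % (
            p.user, rec.record_id, rec.label.name, rec.owner_group)
    return True, "allowed: %s read %s (%s)" % (p.user, rec.record_id, rec.label.name)


# Constructed sample data.
RECORDS = [
    Record("inv-1001", Label.INTERNAL, "finance", "Q3 invoice summary"),
    Record("mna-0007", Label.RESTRICTED, "corp-dev", "Draft acquisition terms"),
]

ANALYST = Principal("alice", frozenset({"analyst"}), Label.CONFIDENTIAL, frozenset({"finance"}))
AUDITOR = Principal("bob", frozenset({"auditor"}), Label.RESTRICTED, frozenset({"audit"}))
DEALMAKER = Principal("carol", frozenset({"analyst"}), Label.RESTRICTED, frozenset({"corp-dev"}))


def run_demo():
    """Map (user, record) to the final decision.

    All three users pass the application-level check, so with app-level RBAC
    alone every one of the six reads would be allowed; the record tags are what
    keep alice and bob out of the restricted deal file.
    """
    return {(p.user, r.record_id): read_record(p, "ledger-app", r)[0]
            for p in (ANALYST, AUDITOR, DEALMAKER) for r in RECORDS}


if __name__ == "__main__":
    for p in (ANALYST, AUDITOR, DEALMAKER):
        for r in RECORDS:
            print(read_record(p, "ledger-app", r)[1])
```

The point of keeping the two checks separate is that the application grant answers "may this role use the system?" while the label check answers "may this person see this particular content?"; once data carries its own tag, the second question can be enforced wherever the data travels, inside or outside the original application.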

About the author
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.

Note: This column originally appeared in the August issue of Information Security magazine.
