Last month Information Security held its fall conference, "Information Security Decisions." Don't know about you, but I've always looked upon professional conferences as accelerated learning programs. You can learn a lot from books,
So, at the risk of looking like a lackey for our own conference, here are some bright ideas from speakers at last month's event.
Anish Bhimani, VP of IT Operational Risk, JPMorganChase: "It took me a while to figure out that a strong partnership between IT security and audit can be incredibly powerful. On the one hand, audit's job is to point out your problems-and the more you do, the harder they look for something you're not doing.
"On the other hand, you could think of audit as having a giant searchlight. Unlike security, they have the ability to say, 'Look over here, there's a real fundamental problem. Nothing's getting done about it.' And that is a very powerful stick. Audit gives security the teeth it needs, as well as the support to do something about it. And the environment gets better."
Historically, security and audit have been like oil and water: both are liquids, but they don't mix well together. As organizations come under increasing regulatory pressure, security and audit must team up to form an effective "carrot and stick" combination.
Bill Boni, CISO of Motorola: "Being a CISO is like being a consulting physician. I say to the business side, 'Here's my diagnosis. Here's what you need to do to improve your health.' But you know what? It's ultimately their body. They choose whether to follow my advice. My job is to bring them accurate and timely information on their condition. It's up to them to make a healthy choice."
Boni's analogy reminds us that infosecurity professionals don't own the information. They're the information caretakers, charged with writing a prescription for organizational health. However, a patient can't get well if he doesn't take his medication.
Eugene Spafford, executive director of Purdue University's CERIAS: "A lot of people talk about the Internet as a Wild West frontier, with ongoing battles between the cowboys and Indians. A CEO once opened my eyes to a different way of thinking. He said, 'Look, it's not about circling the wagons. It's about getting your wagon train over the pass safely.'"Thinking about security in terms of good guys vs. bad guys misses the larger picture: Security is about ensuring that the company is comfortable with its level of risk during times of both low and high exposure.
Robert Garigue, CISO of the Bank of Montreal: "We're moving away from the infrastructure-centric organization and toward the info-structure-centric organization. Infrastructure-centric security values the containers; they focus on protecting the containers so they don't leak. Info-structure-centric security values content; they focus on the process of transforming content into knowledge. In the future, security will no longer own the containers, but we certainly are going to be accountable for the content."
Security controls have evolved from the perimeter to the core and, lately, to the operating system and application. The future challenge will be roles and content. Role-based access control must become more granular-from the group- and application-level down to the data itself. And we must institutionalize a process for classifying and tagging all information. As the distinction between outside and inside the organization vanishes, the ability to assert data-level access control will be the difference between security and insecurity.
About the author
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.
Note: This column originally appeared in the August issue of
Information Security magazine. Register for your free subscription.
This was first published in November 2004