Tip

Infosec analysis and recommendations: Webcast Q&A with Jon Oltsik

In the SearchSecurity.com on-demand webcast Information security: Analysis and recommendations, speaker Jon Oltsik explores common security issues and suggests a series of recommendations to overcome these challenges based upon months of research. Jon is a founder and principal of

    Requires Free Membership to View

Hype-Free Consulting, a research and consulting firm.

Besides the technologies you mentioned in your presentation, which others are promising?

Personally, I like tools that help IT staff automate processes and operations. Patch management is an area that's bound to grow. Security best practices demand that IT keep up with current security patches, but how can you do this if you have 500 geographically dispersed Windows servers? IT managers will have to deploy patch management tools, or they will either be exposed to security vulnerabilities or overwhelmed with work. I also believe that Identity Management – the other IM – has great promise. Managing employee accounts on networks, applications and IT services just doesn't scale. There are too many manual processes that can fall through the cracks. Tools that automate the IM process are in an early stage, but I expect them to grow and prosper.


Can an organization be too secure?

Hmm, that's an interesting question. Security practices must be based upon a thorough risk assessment process. The key here is balance – apply security policies and technologies where they are most needed. It wouldn't make sense for a company to demand two-factor authentication or lock down its Web server unless these tactics are warranted. What I'm saying here is that it may not be possible for a company to be 'too secure,' but it is certainly possible to misappropriate security spending and lose focus.


In your research, did you hear any good or bad security stories you can share?

The scary thing about security is how many bad stories you hear. I heard about misconfigured firewalls. I heard about companies that rarely checked log files and others who had no idea what the log files said. I heard about IDS systems that gave out so many false positives that they were completely ignored. I remember one really smart director of operations telling me that when it came to security, his company was completely lost and lucky they hadn't been attacked. I heard a few good anecdotes, but I can honestly say that the horror stories were dominant. Very frightening.


Is security technology a good sector to invest in?

Well I'm not a financial analyst, but I do see growth in the sector overall. There will be a lot of consolidation and many failures but a few companies are bound to prosper.



For more information, visit these resources:

This was first published in June 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.