Information Security

Defending the digital infrastructure



View Point

Symantec Snub
In response to Dennis Fisher's "Symantec 2.0" (November 2006), I think that Symantec is losing market share (at least my small part of it)--not gaining it--due to its acquisitions. The company is doing too much not well enough.

I'd been a user and a fan of many of its enterprise products for over 12 years; now I'm switching to others as fast as I can. I used to use three of its main products--Veritas Backup Exec, Enterprise Antivirus and Security Gateway appliances. Now, we've solved user problems by removing the Symantec products and putting in Sophos; users are raving about how much faster their PCs are and how many fewer issues they've had to deal with.

You think the Symantec transformation was a good one? Maybe from somewhere high above the forest, it does look pretty. Down here in the trees, though, it's pretty ugly.

Jim MacLachlan
Network administrator, The Shelter Group

Differing Opinions
In Bruce Schneier and Marcus Ranum's recent column "Do Federal Regulations Help?" (Face-Off, November 2006), the main disagreement seems to be over the utilization of economics and liability in factoring security risk rather than whether federal security regulations help keep things secure.

Both perspectives describe federal security regulations as "the devil is in the details" or "a toothless, paper tiger," and both are correct. The problem with federal security regulations is that they are open to too much interpretation, and we all know that between two security pros there are always three opinions. In an ideal world, IT security would be implemented for the good of all concerned regardless of cost, but we know that is simply not the case.

At the same time, security professionals need to push for every bit of reasonable security we can get and therefore bring up issues that cannot be cost-justified on a case-by-case basis. We also need to participate in the development of federal security regulations including new laws, standards and guidelines.

The computer security resource center at the National Institute of Standards and Technology has done an excellent job of soliciting the feedback of security professionals, and practically all congressmen and senators have email and feedback pages. Let's take the time and use them. As we all know, in security "the devil is in the details," therefore if we want to put teeth in federal regulations we need to participate in the process. If enough people complain, changes will happen.

I'm sure everyone has something of value to provide.

Sortiris Baxevanis, CISSP
Technical officer, UniSpec Enterprises

Although Schneier and Ranum raise valid points about the merits of their approaches to improving information security, I think Ranum's is less practical. The main problem is that federal regulations are notoriously slow and difficult to develop. In information security, where the threats are often impossible to anticipate, this is a fatal flaw.

Intuitively speaking, one can give a blanket liability statement that would cover (nearly) all possible misuses of information, but cannot define an equally broad regulatory statement with sharp teeth. The broader the regulation, the weaker the meaning, the duller the teeth.

To sharpen a regulation's teeth, we must narrow its scope, but that shortens its lifespan. The last thing we want is too many new versions of the Kansas horse laws in our federal books.

Apostol Vassilev
President and CEO, NetIDSys
