What CXOs consistently fail to grasp about enterprise security

Posted on August 19, 2010


During eWorld I will be hosting a Roundtable discussion on Outsourcing focusing on key areas such as “Security in the Cloud.”

Joining Colin Cram, a public sector veteran of more than 30 years and the author of the seminal paper “Towards Tesco – improving public sector procurement,” on the guest panel will be Richard Stiennon.

Stiennon, who holds Gartner’s Thought Leadership award and was also named “one of the 50 most powerful people in Networking” by Network World Magazine, is the author of the critically acclaimed book Surviving Cyber War.

As a lead-up to the broadcast, the following is an excerpt of the August 9th post from Richard’s ThreatChaos.com Blog titled “What CXOs consistently fail to grasp about enterprise security.”


IT security is often a nagging thorn in the side of enterprises and those that lead them. It is viewed as a technical issue that should just be fixed. In this week’s lecture track on security that I delivered for Internet Evolution’s 60 Days of Executive Education I started off with three things that CXOs consistently fail to grasp about enterprise security.

Good security operations is not the same as good security. Every organization that uses computers has to deal with the mundane daily tasks of identifying and blocking malware, keeping and reviewing logs, generating reports, and demonstrating compliance. Many organizations that I talk with are great at the operational tasks. They have deployed technology that helps them patch and manage end points, generate reports, and keep the audit teams happy. But, there is a lot more to being secure than doing these tasks well. Let me start with defining good security. From my Focus Note on the subject:

1. A secure network assumes the host is hostile

It has been years since a firewall that enforces policies based only on source-destination-service has been sufficient. Trusted end points harbor malware, are controlled by attackers, and are launching points for attacks. Network security solutions must be in-line and inspect all the traffic that passes through them. They must look for viruses, worms, exploit traffic, and even unusual behavior. IDC dubs these solutions “complete content inspection” firewalls. Many vendors refer to them as UTM, Unified Threat Management.

One aspect of a secure network that is often overlooked is that the computers on the inside of the network are often the danger. It could be an infected computer brought in by an employee or contractor; it could be a poorly patched server that has been compromised by an outside attacker. Even the smallest organizations have to invest in network security solutions to block attacks from devices on the inside of the network. This is accomplished through network segmentation and deploying content inspection capabilities internally. As threats multiply watch for solutions that either sit on top of the access switch or incorporate the switch in their configuration.

2. A secure host assumes the network is hostile

This is another way of stating the requirement for a layered defense model. A laptop, desktop, or server cannot rely on the network to keep it safe. AV, firewalls, and anti-spyware solutions have to be installed and up-to-date. Patches for critical applications and OS have to be installed as quickly as possible. Browsing shields should be turned on and Microsoft IE should not be used if at all possible.

3. Secure applications assume the user is hostile

This is where authentication and authorization come into play. One of the best deterrents of malicious behavior is the end user’s awareness that their actions are associated with them (strong authentication) and logged (behavior monitoring). Many online services have failed to protect themselves from their customers. This applies to internal file sharing and community services as well.

Use the following link to access the entire post to find out “Why security investments never end.”

Richard’s Book:

This book examines in depth the major recent cyber attacks that have taken place around the world, discusses the implications of such attacks, and offers solutions to the vulnerabilities that made these attacks possible. Through investigations of the most significant and damaging cyber attacks, the author introduces the reader to cyber war, outlines an effective defense against cyber threats, and explains how to prepare for future attacks.

Remember to use the following link to tune into the On-Demand “Surviving Cyber War” with Richard from May 7th, 2010.

NOTE: This post also appears in the Essential Connections Blog