The Elephant in the IT Security Room That No One's Talking About

IT Security Management / September 4, 2011 / by Dave Tyson

As I sit up late this evening, on the first day after my 47th birthday, it strikes me that after searching the internet and begging my peers and colleagues for the answer, we still just don't get it. The world of business is passing us by and we keep making excuses...

When I got into IT security in 1999, we were fighting viruses, spam, patching, employee awareness, etc. Now, in 2011, we're fighting:

  • Viruses, except we call them APT now
  • Spam delivery of malware, except we call it spear phishing
  • Oh yes, and patching and employee awareness...

What have we achieved?

Breaches are at an all-time high and security is now on most senior leadership teams' agendas. Yet we still solve for this at a suboptimal rate in most cases.

I have seen some extraordinary security leaders, but they are the rarity; most of those I have interacted with are interested in solving only the tactical problem based on the latest technology or threat. This will always be a game of catch-up, as the bad guys are simply better resourced and funded, and their job is a one-to-many situation while ours is a many-to-one. The odds are against us too much to play whack-a-mole all day.

I used to say that a skilled white hat could get into any company I went into, but I always assumed that would change at some point. However, no matter how much we rant to each other at conferences, it doesn't change. Maybe we should agree that ranting to each other, dressed up as information sharing, is not the solution.

Don't get me wrong, I believe information sharing is one of the most critical tools we have in our arsenal, but let's be sure it really is sharing useful information, not just another group who get together and discuss the problem with no solutions forthcoming.

We need to become better at making cogent, business-focused arguments based on real security intelligence that drives us to focus on and mitigate real security risk in our business units. Not the peanut-butter-spread approach of the past, but a new approach that decomposes risk business unit (BU) by business unit, and recognizes that different BUs have different security risks.

A very wise person told me recently that breaches are just going to happen, but it's how you deal with them that matters. Bob said to me, "Look, the chief legal counsel doesn't say to leadership 'we won't get sued'; he says, 'we will reduce the risk of suit and respond well to minimize the impacts.'"

This is how we must think about the problem until we get better at securing the assets. Leadership needs to understand the truth about our position. For too long we have been silenced by politics or by reporting to the wrong person in the organization.

It's time to move on from security theatre, as Mr. Schneier is so fond of saying, and begin to really take the fight to the boardroom, but in a language they care about. THOUGHTS?


