No Such Thing as Security "Best Practices"
By Bob Violino
October 29, 2007
Linda Stutsman is managing director of the International Information
Integrity Institute. I-4, as it's known, was founded in 1986 by SRI
International (formerly Stanford Research Institute) to promote the
sharing of security-related information and help companies address
critical security issues. Operated by IT services company Getronics, I-4
works with its global members to explore security issues and identify
cost-effective solutions to security threats.
Before joining I-4 in June, Stutsman was senior vice president of
corporate information security at Bank of America, and previously served
as chief information security officer at Xerox. She spoke recently with
contributing editor Bob Violino about her experience in corporate IT
security, her role with the I-4 consortium and why she doesn't believe
in best practices.
Baseline: What do you see as the biggest threat to corporate information
and computing centers today?
The biggest threat is the same threat we've always had: It's not
unauthorized access to information; it's abuses of authorized access to
information. It's not a new threat, but there are new ways of abusing
that same access. I've been in this business for a very long time, and
25 years ago we didn't have to worry about employees taking pictures of
customer information with their cell phones. We didn't have to worry
about employees with USB drives on their key chains. There are new ways
of thinking about old threats. It's not just employees. This can be by
employees, customers, business partners or outsourcing partners who have
What can be done about abuses of authorized access? What are the best
technology and policy solutions?
Some companies are dealing with data leakage by more carefully limiting
the scope of authorized users on the policy implementation side, and on
the technology and process side by restricting methods of access, via
thin client, and by piloting digital rights management for controlling
usage; scaling continues to be an issue. There's more extensive access
monitoring, where legal or forensics have helped define patterns of
access to information, for example. It's a combination of people,
process and technology solutions.
What about information security threats from the outside? What are
organizations concerned about most right now?
There's a growing awareness of application-level vulnerabilities of
Internet-facing applications. Companies are investing in technologies
and processes to help applications people understand and correct the
problems in a timely manner.
On a broader scale, what are some of the key risk-management issues
facing organizations today?
I-4 is involved in risk-management issues across the board. Because of
the nature of the wide breadth of industries in I-4, it's the regulatory
environment that is one of the biggest issues. The landscape of
regulatory requirements is an immense challenge. It's just very tough
for businesses to keep up with the changing requirements. You have the
federal level (Sarbanes-Oxley is an example) and then multiple
state-level privacy laws and regulations. Then add in the industry
regulations such as HIPAA [Health Insurance Portability and
Accountability Act], and the global regulations such as the European
Union Data Directive and Basel [recommendations on banking laws and
regulations issued by the Basel Committee on Banking Supervision, an
institution created by the central bank governors of the G-10
Exactly what kind of security information sharing and problem solving
does I-4 handle?
We share case studies about experiences; I'm not going to say best
practices because I believe there are no best practices. We share
information about real life, practical security solutions. We share war
stories. We have select vendors come in and talk about their strategies.
We don't talk so much about products, but about thought leadership and
strategic visions. We also have [representatives from] universities come
in and talk about research, where they think security is going. We talk
about things that are happening today rather than focusing on older
threats and technologies. For example, we saw phishing as it was
happening because we had a member comment that his company was dealing
with it, almost in real time. We discussed solutions to phishing way
before the public first saw it.
How detailed are the discussions about specific security incidents?
Because we're a confidential group we can get down to a detailed
level; we're truly sharing useful information. Typically when it's a
public group you don't get down to a detailed level of discussion
because you don't know who you're sharing with. [In I-4] you're getting
data you can take back to your office and adjust to your own needs.
You're networking with other colleagues, and when you run across
problems you can call someone to help solve the problem.
Are there other examples, besides phishing, of security threats that I-4
members discussed before they were generally known?
I-4's history has many examples of topics introduced early in their
maturity cycle. I've spoken with some of the I-4 founders and they
actually talked about data protection in 1988, how to safely connect a
company to the Internet, how the Web would change the world, about the
disappearing perimeter in 1997, quantum computing and crypto in 2002 and
managing offshoring in 2003.
You mentioned a moment ago that there are no best practices in security.
Can you explain what you mean?
I don't believe in best practices.
"Best" is contextual. What is a best practice for one organization may
not be a best practice for another. In one industry it might be a best
practice but for another type of company it might not work or it might
be overkill. Members consider what their colleague organizations have
done that's new or different compared to what their own approach to
related situations has been and apply the thinking within their business
risk tolerances. I believe each company has to take the best of each
solution and customize it. There may be a best practice within an industry
but it's tough to go across industries.
How do you plan to change I-4's focus, and what are your ultimate goals
for the organization?
It's really way too early for me to say right now. I'm in discovery
mode; I'm talking with members and working with the member advisory
committee. I'm listening, I'm asking questions. Any changes we make will
be thoughtful, and they will be member-influenced changes. I-4 has not
only survived for 21 years, but has thrived for 21 years. There's a lot
that's right with I-4, so any change will be very slow, purposeful,
strategic change. But again, it's way too early right now to tell what
that change will be.
Do you think your previous experience at Bank of America and Xerox will
help or hurt you manage a corporate security consortium?
It will absolutely help. My experience with information security in
general will help. I think the fact that I've been a member of I-4 will
also help. I'm aware of what I-4 is all about, and I think the fact that
I've been participating in I-4 for almost eight years will have an
impact. I've seen it evolve over those eight years and I've seen the
information security field evolve over the last 25 years. Also, coming
from two different industries, manufacturing and financial services,
gives me some good perspective.
How has the information security field evolved over the years? What have
been the biggest changes since you began working in the field?
The most important changes have been, on the technical side, the immense
growth of "connectedness" in all aspects of business processes and work
life, and on the management side, the recognition that information
security organizations and people work best when serving the business.
The security people are helping businesspeople understand the risks and
security implications of their plans and activities, and are helping to
secure those business processes within the risk environment.
During your tenure at Bank of America and/or Xerox, did either
organization experience a security breach? What happened, and how did
you or the organization respond?
Every organization at some time experiences some type of security
breach. But I can't really comment in detail on that. I wasn't part of
the investigative teams at either of those companies.
I can say that at Xerox it was more around early response to viruses and
being able to contain them and shut things down while we did cleaning
and prevented damage to our systems; the emergency response team had to
deal with things like the Melissa virus.
Any advice about security for CIOs and CSOs?
I'd say treat information security as a business problem, not a
technology problem. It's a business problem because information is a
business enabler. My entire career has been spent [looking at
information security] that way. We are in the business of business, not
in the business of information security. If information security is
implemented correctly, you should be there to help support the business
goals. Information security should never be an end unto itself.
Copyright (c) 2007 Ziff Davis Media Inc.