November/December 2006 issue
2007 preview: What's rollin' round the bend?
2. Has compliance been too much of a driver in this market, to the detriment of real security?
Adrian Asher, Global Head of Security, Betfair
Compliance with government requirements (SoX for example) and also
regulators has caused a very direct directional change for some
vendors, but more worryingly some security professionals. When sales
'droids start warning of the implications of not purchasing their
method of showing conformance to a hugely time-consuming accreditation
process, people could be forgiven for acquiescing to these, sometimes
very expensive, demands.
However, it is only through open dialogue between the regulators
and businesses that a better solution can emerge, which, I certainly
believe, has to be that of a risk-based methodology.
Forcing endless logs to be reviewed, IDS solutions to be in place
to require ticked boxes, only goes to hurt the business's view of
information security. When the business starts to equate the needs
of the information security to that of complying with a standard
or attaining a license, it devalues the real benefits that security
provides. Security, whilst being able to enable a business to be
licensed or compliant, has to provide more than this, else we will
become complacent in our solutions to problems, against an ever
creative and free from attacker.
Brian T. Contos, CISSP, CSO ArcSight
A couple of years ago, compliance was creating a lot of motion but
no solutions. However, it has matured, and its maturity can now
be seen by organizations addressing perimeter threats, insider threats
and compliance through a centralized solution. There is a lot of
overlap between security and compliance, and they can help enable
one another’s success if they are leveraged in tandem. I think
addressing them separately will waste resources and lessen the effectiveness
of both the compliance and security programs.
Leo Cronin, CISO, Reed Elsevier
This is a tough one. I do think regulations such as SOx, PCI and
data breach notification have helped the industry to focus back
on the data, which is a very good thing. The difficulty I have with
the current regulatory landscape is that it is vague, parochial
and driven predominantly by consultants with inconsistent views
on what controls really matter. I think as a profession we need
to provide a better voice into the regulatory process and hold our
consultants accountable for focusing on risk and the security threats
that actually matter.
Robert Gleichauf, VP and CTO, Security Technology Group, Cisco
Compliance has clearly caused companies to pay more attention to
security. This has been both good and bad. On the positive side,
it has led many companies to focus on security issues they otherwise
would have put off. So this is a good thing for customers and industry
segments as a whole, such as healthcare and the financial sector.
But at the same time, some of these regulations have led to behaviors
that actually make for less secure, more brittle infrastructure.
For example, many companies are encrypting their data in their
data centers and during transit from the data center onto client
devices. These actions do help companies comply with requirements
for data confidentiality and integrity. But this type of requirement-based
security without a proper understanding of the systems issues can
have serious side effects. Encrypting data in these ways does not
address the real problem of data loss that typically occurs on client
devices, and it can actually make it more difficult to detect when
a virus or worm has infiltrated internal networks.
Paul Henry, Secure Computing
Prior to the establishment of current regulations, commercial enterprises
had little if any financial incentive to secure their networks.
Effectively they were willing to roll the dice by protecting their
networks with policy statements and little if any underlying technical
safeguards. Our personal information and/or their own intellectual
property were being put at risk in order to return additional value
to their shareholders. Any potential benefit in taking these extraordinary
risks has been erased with penalties for failing to meet regulatory
requirements. Today the financial incentive of penalties is effectively
moving network security from the deficit column of the balance sheet
to the asset column and we see this as a benefit to network security
overall.
Much more work is needed in the regulatory environment to eliminate
the vagueness of requirements to minimize the issues of enforcement:
i.e., the courts oversimplifying and/or subjective interpretation
of regulations. Who can forget the judge in the Gramm-Leach-Bliley
inspired case that determined that the personal data exposure related
directly to the laptop having been stolen from the employee's home,
which contained unencrypted personal data that was not required
to have been encrypted because the employee lived in a low crime
area? In closing on this question, compliance has made the establishment
of a baseline for security a mandatory requirement.
Evan Kaplan, CEO Aventail
Overall, compliance is a good thing and what regulations ask for
is reasonable. Compliance has helped to push organizations to establish
a baseline for security that encompasses issues of privacy, authentication,
and data security. Most IT organizations don’t view compliance
as onerous, but rather as a good baseline. They also realize, however,
that they have to go beyond this baseline to get to really substantial
security.
Tom Noonan, General Manager, IBM Internet Security Systems
Compliance has historically been a market driver, but the industry
is seeing a shift away from specific compliance spending to more
of a focus on business intelligence and risk management. Many enterprises
have passed their first round of security audits, and therefore
are not feeling the same compelling drivers for further spending
on compliance tools. However, the risk environment continues to
become increasingly complex, and the market is looking for tools
to streamline the analysis and impact of risk on the business. Advanced
reporting for business intelligence and decision making purposes
is a more productive offshoot of the past compliance activities.
Hugh Penri-Williams, Chairman of the Information Security Forum
Like Y2K before it, the current spate of compliance-fuelled initiatives
runs the risk of a backlash from senior management when the dust
has settled. That would seriously imperil the many other ‘real’
security needs that continue to confront us. Back then, many of
my professional colleagues in IS audit & control had hoped that
Y2K would permanently put business continuity management on the
corporate imperatives map. Instead, the sterling efforts of truly
multidisciplinary corporate teams backfired and many IS budgets
(especially their security component) went into relative
decline, some to this day. Lest anyone be under the wrong impression,
the objective of this type of ‘compliance’ is not ‘security’.
What better proof than that SOX doesn’t even address BCM!
Paul Simmonds, CSO, ICI
Yes, compliance, especially SOX, has some reward in improving good
business practice, but the ROI is small.
Alex van Someren, CEO nCipher
Compliance will always lag behind actual risk; laws only get written
when attacks or breaches reach unacceptable limits. Those that take
a proactive approach to security stay ahead of the compliance curve.
Compliance just brings the mainstream into line and that’s
now happening with encryption, for example.
3. Do you see IT security becoming operationalized to the extent that information security professionals will (have to) play a more strategic role in their businesses?