Thursday, July 05, 2007

Talk to upper management about security

Network World's Security Strategies Newsletter, 07/05/07

By M. E. Kabay

Steven Zeligman is a graduate student of the Norwich University MSIA program who strode proudly across the stage in June to accept his diploma. He sent me his final essay of the Detection, Response and Hot Topics seminar a while back; I hope you enjoy his thoughtful comments about management perspectives on the growing cybercrime problem. What follows is Zeligman’s own text with some of my edits and a personal coda from me. We’ve included a Further Readings section at the end of the article with entries corresponding to the numbers in square brackets.

* * *

Will business and government respond rationally to cybercrime news? Or will we continue to see reports of inadequate funding for information assurance (IA) and national security across government agencies and corporations? [1]

Sometimes it seems as if the information age has made the number of bad people increase exponentially - we hear more and more about the involvement of organized crime rings in computer crime today. [2] However, I doubt that there are any more malicious individuals than there were before the Internet existed; we just hear more about what the bad guys are doing and how they are accomplishing their misdeeds because of increases in the speed and distribution of information.

Developing and implementing technical, administrative, and physical security countermeasures is a cost of doing business that subtracts directly from a company’s short-term bottom line. If a company’s senior managers do not understand the justification for incurring security expenditures, they won’t fund security.

Generally speaking, the managers of traditional brick-and-mortar companies understand the need to invest in _physical_ security controls better than they grasp the value of IA. Similarly, most individuals are well aware of how to protect themselves against theft and assault, but they are less likely to resist phishing, Trojans and other computer-mediated attacks.

Many business people have no awareness at all of simple IA measures such as avoiding discussions of confidential matters on cell phones while in public places. Many well-meaning people commit elementary blunders such as picking bad passwords or writing them down on sticky notes.

Unfortunately some managers still don’t understand that information security needs to be integrated into their products and services in the design phase, not added later as an afterthought or as a belated response to a cyberattack.

Businesses that store their clients’ personally identifiable information (PII) must accept that there is no precisely quantifiable return on investment for properly incorporating IA personnel and practices into how they do business. [3] Instead, they need to realize that having a good IA program is another form of insurance - a method of spreading risk through loss avoidance and loss mitigation - that has to have a high funding priority.

The recent series on Veterans Affairs’ data losses should be warning enough of the potential liability of losing control over PII! Consumers should demand that companies properly safeguard their information by looking into privacy policies and expressing their displeasure at sloppy handling of PII. The media should continue to broadcast IA stories to raise security awareness levels and to provide practitioners with concrete examples of security issues with which to reach non-technical executives.

IA professionals must continue to improve the availability, integrity, confidentiality, control, authenticity and utility of information. A growing number of highly skilled IT professionals are becoming IA specialists. [4] Some are educating the public by providing good information about effective IA practices; some are being hired by and educating businesses to improve information security within their products; some are in colleges and universities educating the next generation of IT professionals to think about security first. I think that there is hope for the future of IA as long as awareness, training and education continue to match the growth in offensive capabilities of our enemies.

M. E. Kabay adds:

In practical terms, I recommend that readers engage in discussion of IA with upper managers in their place of employment. In the MSIA program at Norwich University, students have to interview their colleagues throughout the 18 months of study, and it is an eye-opening experience that helps everyone, students and managers alike.

Find out how your colleagues think (and feel) about IA throughout the organization. You may be surprised at how far you have to go to change ingrained attitudes about security in some circles; you may be surprised at the allies you can identify through personal contact. Such personal contacts could be useful not only in instituting corporate culture change about security, but also in long-term development of your own career. [5]

* * *

Steven Zeligman, MSIA, MCP, CISSP, is a Senior System Analyst at Dataline, Inc., and has more than 15 years of experience in information technology and security. You are welcome to write to him at steve@z-nets.com with comments on this essay.

* * *

For Further Reading

[1] McCarthy, L. (2007). Don’t delegate security; Lowey, N. M. (2006). Lowey calls for immediate overhaul of Department of Homeland Security National Asset Database: While New York's homeland security funds are significantly reduced, a popcorn factory and mule festival are categorized as top terrorist targets; Anonymous (2005). Virginia port bemoans lack of security funding; White, D. (2007). Teamsters testify to Congress on lack of rail security funds, safety training.

[2] Symantec Internet Security Threat Report: Trends for January 06–June 06. Volume X, September 2006.

[3] Kabay, M. E. (2006). It’s hard to determine the ROI of information security measures; Cybersecurity management, Part 4; ALEatory ALE.

[4] Norwich University MSIA Program; (ISC)² Career Guide; SANS Technology Institute.

[5] Kabay, M. E. (2002). Social psychology and INFOSEC: Psycho-social factors in the implementation of information security policy (PDF or HTML).

Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and through his Web site.

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007