Security Pros Bemoan Need for Tactical Focus
More proactive initiatives fall by the wayside, conference attendees say
Computerworld - WASHINGTON -- Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference here last week.
Contributing to the status quo is a troubling lack of communication between security organizations and business units as well as the challenges of dealing with an increasingly complex environment of threats to IT systems, security managers said.
"We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Reacting to Threats
Instead of focusing on ways to make IT security an enabler of business initiatives, security managers are spending far too much time dealing with unreliable code and chasing the latest viruses, worms and spyware, Trickey lamented.
"We've no choice," he said, adding that many IT security staffs don't have the resources or management support they need in order to become more proactive.
Tony Spinelli, vice president of information security at First Data Corp.'s merchant services group in Hagerstown, Md., agreed that security initiatives have to be about more than just mitigating threats.
But Spinelli said he thinks that a lack of understanding of business needs on the part of security managers is a big source of the problem.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security, he added.
Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners Inc. in Boston.
For example, working with the business side to classify data and prioritize it according to the level of protection it needs is a good way for security staffs to demonstrate their value and deliver a tangible return on investment, Fradenburgh said.
But he added that the continuing failure of many security managers to communicate in such a fashion has created a perception among end users that IT security is an impediment to business. "In a lot of situations, business people look at the security people as purveyors of fear who are always saying that the sky is falling," Fradenburgh said.
Changing business requirements and the growing complexity of threats can keep security managers tied to operational and tactical tasks even if they would prefer to focus on broader challenges, said Terri Curran, director of information security at Bose Corp. in Framingham, Mass.
Curran and other conferenceattendees noted that their focus is limited because they're being pinned down by mounting regulatory requirements and because they're facing an increase in the number of opportunities for attacks fostered by the adoption of technologies such as wireless LANs and Web services applications.
"The complexity of the day-to-day world is increasing by leaps and bounds," said Joseph Popinski, director of network security at Information Engineering Inc., a security consulting firm in Huntsville, Ala. "You can get very bogged down in the operational stuff."
For instance, issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours, said Popinski.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!