Security Pros Bemoan Need for Tactical Focus
More proactive initiatives fall by the wayside, conference attendees say
Computerworld - WASHINGTON -- Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference here last week.
Contributing to the status quo is a troubling lack of communication between security organizations and business units as well as the challenges of dealing with an increasingly complex environment of threats to IT systems, security managers said.
"We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Reacting to Threats
Instead of focusing on ways to make IT security an enabler of business initiatives, security managers are spending far too much time dealing with unreliable code and chasing the latest viruses, worms and spyware, Trickey lamented.
"We've no choice," he said, adding that many IT security staffs don't have the resources or management support they need in order to become more proactive.
Tony Spinelli, vice president of information security at First Data Corp.'s merchant services group in Hagerstown, Md., agreed that security initiatives have to be about more than just mitigating threats.
But Spinelli said he thinks that a lack of understanding of business needs on the part of security managers is a big source of the problem.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security, he added.
Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners Inc. in Boston.
For example, working with the business side to classify data and prioritize it according to the level of protection it needs is a good way for security staffs to demonstrate their value and deliver a tangible return on investment, Fradenburgh said.
But he added that the continuing failure of many security managers to communicate in such a fashion has created a perception among end users that IT security is an impediment to business. "In a lot of situations, business people look at the security people as purveyors of fear who are always saying that the sky is falling," Fradenburgh said.
Changing business requirements and the growing complexity of threats can keep security managers tied to operational and tactical tasks even if they would prefer to focus on broader challenges, said Terri Curran, director of information security at Bose Corp. in Framingham, Mass.
Curran and other conferenceattendees noted that their focus is limited because they're being pinned down by mounting regulatory requirements and because they're facing an increase in the number of opportunities for attacks fostered by the adoption of technologies such as wireless LANs and Web services applications.
"The complexity of the day-to-day world is increasing by leaps and bounds," said Joseph Popinski, director of network security at Information Engineering Inc., a security consulting firm in Huntsville, Ala. "You can get very bogged down in the operational stuff."
For instance, issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours, said Popinski.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts