Security Pros Bemoan Need for Tactical Focus
More proactive initiatives fall by the wayside, conference attendees say
Computerworld - WASHINGTON -- Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference here last week.
Contributing to the status quo is a troubling lack of communication between security organizations and business units as well as the challenges of dealing with an increasingly complex environment of threats to IT systems, security managers said.
"We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Reacting to Threats
Instead of focusing on ways to make IT security an enabler of business initiatives, security managers are spending far too much time dealing with unreliable code and chasing the latest viruses, worms and spyware, Trickey lamented.
"We've no choice," he said, adding that many IT security staffs don't have the resources or management support they need in order to become more proactive.
Tony Spinelli, vice president of information security at First Data Corp.'s merchant services group in Hagerstown, Md., agreed that security initiatives have to be about more than just mitigating threats.
But Spinelli said he thinks that a lack of understanding of business needs on the part of security managers is a big source of the problem.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security, he added.
Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners Inc. in Boston.
For example, working with the business side to classify data and prioritize it according to the level of protection it needs is a good way for security staffs to demonstrate their value and deliver a tangible return on investment, Fradenburgh said.
But he added that the continuing failure of many security managers to communicate in such a fashion has created a perception among end users that IT security is an impediment to business. "In a lot of situations, business people look at the security people as purveyors of fear who are always saying that the sky is falling," Fradenburgh said.
Changing business requirements and the growing complexity of threats can keep security managers tied to operational and tactical tasks even if they would prefer to focus on broader challenges, said Terri Curran, director of information security at Bose Corp. in Framingham, Mass.
Curran and other conferenceattendees noted that their focus is limited because they're being pinned down by mounting regulatory requirements and because they're facing an increase in the number of opportunities for attacks fostered by the adoption of technologies such as wireless LANs and Web services applications.
"The complexity of the day-to-day world is increasing by leaps and bounds," said Joseph Popinski, director of network security at Information Engineering Inc., a security consulting firm in Huntsville, Ala. "You can get very bogged down in the operational stuff."
For instance, issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours, said Popinski.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts