Skip the navigation

Security Pros Bemoan Need for Tactical Focus

More proactive initiatives fall by the wayside, conference attendees say

November 15, 2004 12:00 PM ET

Computerworld - WASHINGTON -- Operational and tactical considerations continue to dominate the IT security agenda, despite a growing need for more strategic approaches to data protection, said attendees at the Computer Security Institute's annual conference here last week.
Contributing to the status quo is a troubling lack of communication between security organizations and business units as well as the challenges of dealing with an increasingly complex environment of threats to IT systems, security managers said.
"We're still fighting a lot of yesterday's battles," said Fred Trickey, information security administrator at Yeshiva University in New York.
Reacting to Threats
Instead of focusing on ways to make IT security an enabler of business initiatives, security managers are spending far too much time dealing with unreliable code and chasing the latest viruses, worms and spyware, Trickey lamented.
"We've no choice," he said, adding that many IT security staffs don't have the resources or management support they need in order to become more proactive.
Tony Spinelli, vice president of information security at First Data Corp.'s merchant services group in Hagerstown, Md., agreed that security initiatives have to be about more than just mitigating threats.
But Spinelli said he thinks that a lack of understanding of business needs on the part of security managers is a big source of the problem.
"What's really needed is more of a strategic planning process that involves business executives and technologists," Spinelli said. Instead, security managers all too often offer "nothing by way of a long-term strategy" for IT security, he added.
Security practitioners need to learn to speak the language of business users and try to understand the kinds of problems they're facing, according to Roger Fradenburgh, a consultant at Greenwich Technology Partners Inc. in Boston.
For example, working with the business side to classify data and prioritize it according to the level of protection it needs is a good way for security staffs to demonstrate their value and deliver a tangible return on investment, Fradenburgh said.
But he added that the continuing failure of many security managers to communicate in such a fashion has created a perception among end users that IT security is an impediment to business. "In a lot of situations, business people look at the security people as purveyors of fear who are always saying that the sky is falling," Fradenburgh said.
Increasing Complexity
Changing business requirements and the growing complexity of threats can keep security managers tied to operational and tactical tasks even if they would prefer to focus on broader challenges, said Terri Curran, director of information security at Bose Corp. in Framingham, Mass.
Curran and other conferenceattendees noted that their focus is limited because they're being pinned down by mounting regulatory requirements and because they're facing an increase in the number of opportunities for attacks fostered by the adoption of technologies such as wireless LANs and Web services applications.
"The complexity of the day-to-day world is increasing by leaps and bounds," said Joseph Popinski, director of network security at Information Engineering Inc., a security consulting firm in Huntsville, Ala. "You can get very bogged down in the operational stuff."
For instance, issues such as network access control, intrusion detection, network operations and help desk functions can take up much of a security staff's working hours, said Popinski.

Read more about Security in Computerworld's Security Topic Center.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!