Download - Help Net Security

More documents

Recommendations

Info

Dr. Herbert Thompson, CISSP, serves as RSA Conference Program Committee Chairman and Advisory Board member. He is directly involved in the selection of session topics and speakers, and the architecture of Conference educational programming. Dr. Thompson is a world-renown application security expert, Adjunct Professor of Computer Science at Columbia University, Graduate Faculty member in Applied Mathematics at Florida Institute of Technology, Advisory Board member for the Anti-Malware Testing Standards Organization. Although ROI is a term the majority of IT security professionals don't like for a variety of reasons, they still have to make sure the management understands what they're doing and why. In these tough economic times, what advice would you give to security personnel pitching a budget to their superiors? Justifying the money spent on security improvement is a core challenge of IT security. If you can link an investment in security improvement to how that investment is going to help the company make or save money, or help reduce risk (avoid losing money), then that investment can compete on the battlefield of IT budget. There will always be activities that must be done to comply with a regulation or standard such as PCI DSS or Sarbanes Oxley. For these, security is more about compliance than risk reduction. Outside of compliance, the preventative nature of security can sometimes make it difficult to quantify and communicate its worth. One approach I've seen implemented successfully is the use of risk management frameworks to create benchmarks for applications, processes, etc. The data was then used to motivate individual business units to move in-line with the rest of the organization. When a group observes that they significantly fall below other areas of the organization from a security/risk perspective, it serves as strong motivation for risk-reduction practices and tools. Another thing to consider is that security can also serve as a differentiator. Business customers, and to some degree consumers, are starting to ask businesses hard questions about security. The answers that come back might make or break a sale. www.insecuremag.com 48
As expected, cybercrime is soaring worldwide and at the same time, the recession is shrinking IT security budgets in most industries. Do you see any strategies that can fill the void as the money runs out? What recommendations would you give to organizations? Now is one of the most critical times to not drop the ball on security. So much of security comes down to little decisions that employees make every day that inadvertently put a business or its customers at risk. <strong>Security</strong> tools, processes and technologies help to create a safety net for those mistakes, but when security budgets are cut, the net becomes tattered and leaky. The key is to create a culture of security and help make it infectious in an organization. Some companies have managed to evangelize security and bring awareness through brownbag lunches, security awareness events and sending "influencers" in the company to industry events like RSA Conference. Building awareness has the two-fold effect of helping employees make good securityconscious choices day-to-day and also keeping security in clear view of executives that need to make budgeting decisions. Building awareness has the two-fold effect of helping employees make good security-conscious choices day-to-day and also keeping security in clear view of executives that need to make budgeting decisions. Legitimate businesses are not the only ones impacted by an unstable financial system. What kind of ramifications is the economic downturn having on the underground economy? What type of remodeling can we expect to see in the near future? Most indications are that the underground economy is thriving and growing rapidly. In some ways it's also becoming more efficient - meaning that the prices for certain types of stolen data have stabilized - making this type of data more of a commodity. This is a scary situation for businesses because it means that it's getting easier to turn customer data into cash, which means the motivation to steal data is strong. There has also been a maturing in the underground services market, too. This means that someone that has malicious intent - who wants to launch a Distributed Denial of Service (DDoS) attack for example - but not the technical skills or resources to execute the attack can now outsource. The result is a broadened range of digital adversaries. All of this means that we're likely to enter a period of significant attacker innovation, making it more important to carefully monitor threats and keep up with the latest attack trends. Achieving more on a smaller budget and keeping an organization protected at the same time is on the table of many security professionals. Can we expect talks related to budgeting security at RSAC 2010? While we're still developing the content for RSA Conference 2010, budgeting for security is obviously top of mind for security practitioners. Some organizations, pushed by today's challenges, have been forced to innovate in the areas of security metrics and risk management to better use their budgets and minimize risk. I'm looking forward to seeing the results of that innovation at RSA Conference 2010. www.insecuremag.com 49
Page 5 and 6: VPN management for Linux networks N
Page 7 and 8: Splunk 4 supercharges IT search Spl
Page 9 and 10: Mobile Guardian Enterprise Edition
Page 12 and 13: Integrating the results from a vuln
Page 14 and 15: continuous scans are expensive, the
Page 16 and 17: The fine folks at Origin Storage sh
Page 18 and 19: Further customization There is an a
Page 21 and 22: When you think about celebrities, y
Page 23 and 24: The ultimate guide to Nmap Besides
Page 25 and 26: information wherever it is or where
Page 27 and 28: to externally hosted services that
Page 29 and 30: Practical Intrusion Analysis By Rya
Page 31 and 32: Information Security Management Met
Page 34 and 35: On a daily basis, online spammers a
Page 36 and 37: arranged in the same manner that ot
Page 38 and 39: Have you ever left the light, radio
Page 40: With some imagination, they create
Page 43 and 44: The work “Above the Clouds,” pu
Page 45 and 46: Second, using cloud services betwee
Page 47: "My IT department came to me with a
Page 52 and 53: Authors: Felicia Donovan, Kristyn B
Page 55 and 56: In light of recent wireless breache
Page 57 and 58: Myth #4 - We have upgraded all of o
Page 59 and 60: Recent studies show that securing t
Page 61: Another best practice to protect an
Page 64 and 65: malicious users. Other attacks exis
Page 66 and 67: Web Application Frameworks An ideal
Page 68: IT Showcase Asia 2009 6 October-7 O
Page 71 and 72: model (80 percent) for the creation
Page 73 and 74: The case for authentication The rea
Page 75 and 76: In a least privilege computing envi
Page 77 and 78: seriousness of the security threat
Page 80 and 81: Today!s IT security professionals e
Page 82 and 83: sensitive customer data, such as e-
Page 84 and 85: Whether driven by data security man
Page 86 and 87: Intelligent routing also includes a
Page 89 and 90: PE Explorer (www.net-security.org/s
Page 91 and 92: Policy Policy is an overused word,
Page 93 and 94: with insiders. With malware, at lea
Page 96 and 97: This article discusses the impact o
Page 98 and 99:
According to the Californian law, p
Page 100 and 101:
lost or stolen, but also for import
Page 103 and 104:
It!s a common scenario right now, p
Page 105:
3. How quickly can you and your IT
Page 108 and 109:
Manage network security Attacks on
Page 110 and 111:
Endpoint or host security is critic
show all

Download - Help Net Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?