Infosecurity Today, November/December 2006, Q&A, p. 21

MBAs don't cut infosec mustard

Paul Henry: infosec is a technical discipline

Paul Henry, vice president of strategic accounts at Secure Computing, is one of the world's foremost information security experts, with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations. Here he speaks to Brian McKenna, for Infosecurity Today, about a current trend to downplay the technical side of infosec.

Brian McKenna: More and more of what used to be thought of, or indeed is still thought of, as security, is being operationalized. And so, security teams in big companies, especially, need to become more strategic and change their focus to intellectual property control or getting a better handle on the insider threat problem, and so on. Are you seeing this among your associates and customers as a trend? Analysts in firms like Gartner often say this kind of thing.

Paul Henry: I'm seeing evidence of a problem that goes against what they're saying. I'm seeing a lack of technical expertise as still being one of the biggest problems that we have in network security today. This lack of technical expertise is the bane of the majority of our issues. If IDC and Gartner et al. got their way, we would have MBAs running the network security department, not security experts!

Brian McKenna: But security is a business issue, right? It's a people and process issue as much as it is about technology?

Paul Henry: It's a people and technology issue. The problem here is that you can train 10,000 employees not to click on an e-mail attachment. Out of 10,000 people, however, if only one person does it, they've detonated your entire network. You have to have sensible safeguards. I agree that people are your first line of defence, but you absolutely have to have technical safeguards.

Brian McKenna: With respect to the requirements to watch intellectual property, to keep a better guard on personal data.

Paul Henry: I fully agree. Especially today in the United States, where we have been totally inundated with the loss of personal information and disclosure of personal information on the internet. Things need to be improved.

Brian McKenna: But your essential point would be not to forget that infosec is a technical discipline?

Paul Henry: Exactly, yes. To me, training the employee not to send out intellectual property in an email is a wonderful thing. But you will have employees who are going to do it anyway. Therefore, you need the technical safeguards in place that will scan the e-mail attachments for watermarks or keywords that would be associated with personal or intellectual property. For example, a sales company's intellectual property is their customer list. You've got an employee who is about to leave the company, so he e-mails the customer list to his prospective employer. No amount of training will prevent him from doing that. You need something that is able to recognize the names on that customer list and is able to stop it going out.

Brian McKenna: So much of what is said around security is that it's very much a business thing now, that security professionals within big companies need to get out of the technical detail and see the bigger picture, align security with the needs of the business and risk management policies, and so on.

Paul Henry: Business must support security, and security has to meet the business case, or management is never going to buy in. But if I go down this path where security is regarded as a business process, we're going to have weak security. Security will become policies and procedures without technical safeguards. I just find the fashion for saying MBAs should be in charge of infosec appalling. It's mainly coming from Gartner. It's commercial motivation for Gartner to say this. Look at what they did around intrusion detection. IDS was dead, they said: long live IPS. The IDS marketplace was primarily an open source marketplace and Gartner had no customers there. When you look at technically savvy CIOs, they are more likely to question the recommendations from a Gartner, who don't really get down and test network security products. It would benefit Gartner most to have a switch from a technical CIO to a less technical CIO who had an MBA. It opens up a new market for Gartner. Shifting from a technologist to an MBA will not benefit the security community.

Brian McKenna, [email protected]
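The outbound-mail safeguard Henry describes, scanning attachments for a watermark or for names from the customer list before the message leaves, as an added example (not code from the interview or from Secure Computing). The watermark string, customer names and the sample message are all constructed for the demo; the two-name threshold is an assumption.

```python
import email
import email.policy
import re

# Constructed: a marker an organisation embeds in sensitive documents, and
# the protected customer names a DLP-style filter should recognise (assumed).
WATERMARK = "ACME-CONFIDENTIAL-7F3A"
CUSTOMER_LIST = {"Northwind Traders", "Contoso Ltd", "Fabrikam Inc"}

# Constructed outbound message: a departing employee mails an account list.
SAMPLE_EML = b"""\
From: leaver@example.com
To: recruiter@competitor.example
Subject: Some notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/plain; name="accounts.txt"
Content-Disposition: attachment; filename="accounts.txt"

Q3 accounts: Northwind Traders, Contoso Ltd, Litware
--b1--
"""

def _attachment_texts(raw):
    """Yield (filename, decoded text) for each attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        yield part.get_filename() or "(unnamed)", payload.decode("utf-8", "replace")

def inspect_outbound(raw, watermark=WATERMARK, customers=CUSTOMER_LIST, threshold=2):
    """Return (block, findings): block is True if any attachment carries the
    watermark or names at least `threshold` protected customers (case-insensitive).
    A threshold above 1 keeps a single incidental mention from blocking mail."""
    findings = []
    for name, text in _attachment_texts(raw):
        if watermark in text:
            findings.append(f"{name}: watermark present")
        hits = sorted(c for c in customers if re.search(re.escape(c), text, re.I))
        if len(hits) >= threshold:
            findings.append(f"{name}: customer names {hits}")
    return bool(findings), findings

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_EML))  # blocked: two protected customers named
```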