<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Ten Ascendant Trends for the Next Chapter of Information Security</title>
	<atom:link href="http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/</link>
	<description>Security Wisdom Ahead of the Curve</description>
	<pubDate>Mon, 12 May 2008 10:28:43 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Frank K</title>
		<link>http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/#comment-3551</link>
		<dc:creator>Frank K</dc:creator>
		<pubDate>Mon, 25 Jun 2007 18:12:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/#comment-3551</guid>
<description>On Kip's questions, #2 I think he means do it yourself, not make the data classify itself.  Classify the data yourself as it is introduced to your enterprise.  Don't wait until it piles up and then hire a consultant to come in and do it for you when you have a mess.  Take a shot at categorizing them within the policies and standards you've built.  You won't end up with such a huge mess in the end.

#3 Companies are begging for outsourced security.  They are tired of all the auditors running around with new projects for SOX, PCI, HIPAA, ITAR, FISMA, etc...  They want to utilize best practices based on common sense, and common sense usually rears its head when there are hard dollars attached to it.  In large IT Outsourcing deals, huge companies don't outsource the CIO function, but I bet most of them more closely resemble lawyers than heavy IT types.  That's because they have to manage the contracts and SLAs and play interface with the business, not worry about whether the network or applications are up and coded correctly.  In almost every Fortune 500 account I am touching these days, the whole discussion of Sec ITO is on the table and some of them are signing up...more to come.

As Jim has stated time and time again, Security is not just for Security People any longer.  It has grown too large and its tentacles reach everywhere.  Strong governance and delegation with accountability is what is going to solve the business problems and build in security from the onset.</description>
<content:encoded><![CDATA[<p>On Kip&#8217;s questions, #2 I think he means do it yourself, not make the data classify itself.  Classify the data yourself as it is introduced to your enterprise.  Don&#8217;t wait until it piles up and then hire a consultant to come in and do it for you when you have a mess.  Take a shot at categorizing them within the policies and standards you&#8217;ve built.  You won&#8217;t end up with such a huge mess in the end.</p>
<p>#3 Companies are begging for outsourced security.  They are tired of all the auditors running around with new projects for SOX, PCI, HIPAA, ITAR, FISMA, etc&#8230;  They want to utilize best practices based on common sense, and common sense usually rears its head when there are hard dollars attached to it.  In large IT Outsourcing deals, huge companies don&#8217;t outsource the CIO function, but I bet most of them more closely resemble lawyers than heavy IT types.  That&#8217;s because they have to manage the contracts and SLAs and play interface with the business, not worry about whether the network or applications are up and coded correctly.  In almost every Fortune 500 account I am touching these days, the whole discussion of Sec ITO is on the table and some of them are signing up&#8230;more to come.</p>
<p>As Jim has stated time and time again, Security is not just for Security People any longer.  It has grown too large and its tentacles reach everywhere.  Strong governance and delegation with accountability is what is going to solve the business problems and build in security from the onset.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kip Boyle</title>
		<link>http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/#comment-3522</link>
		<dc:creator>Kip Boyle</dc:creator>
		<pubDate>Wed, 30 May 2007 16:45:09 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/jimreavis/2007/05/ten-ascendant-trends-for-the-next-chapter-of-information-security/#comment-3522</guid>
		<description>Some questions/comments:

1. How do you know that "corporations today have reached that breaking point where they are beginning to put significant time into whitelisting"? How pervasive is this practice? Which services (e.g., email, http) are leading this trend?

2. How can data be self-classifying? It's a neat idea, but I don't see how to do it.

3. Outsourcing the CISO is an interesting idea. However, the more information intensive your organization's core competencies the less appealing this idea seems to me. Would you ever outsource the CIO if your business was very information driven?

4. "The web front end application" reminds me of the hole on the side of a jelly doughnut: There's nothing stopping an attacker from either stealing or poisoning the inside.

5. What is a CRO? What risks are too far afield for the CRO to take on? Credit risk? Vendor/supplier risks? Investment risk? Operational risk? Will a CRO be in defensive mode all the time, or is there a way to perform enabling services for the enterprise?

-Kip</description>
<content:encoded><![CDATA[<p>Some questions/comments:</p>
<p>1. How do you know that &#8220;corporations today have reached that breaking point where they are beginning to put significant time into whitelisting&#8221;? How pervasive is this practice? Which services (e.g., email, http) are leading this trend?</p>
<p>2. How can data be self-classifying? It&#8217;s a neat idea, but I don&#8217;t see how to do it.</p>
<p>3. Outsourcing the CISO is an interesting idea. However, the more information intensive your organization&#8217;s core competencies the less appealing this idea seems to me. Would you ever outsource the CIO if your business was very information driven?</p>
<p>4. &#8220;The web front end application&#8221; reminds me of the hole on the side of a jelly doughnut: There&#8217;s nothing stopping an attacker from either stealing or poisoning the inside.</p>
<p>5. What is a CRO? What risks are too far afield for the CRO to take on? Credit risk? Vendor/supplier risks? Investment risk? Operational risk? Will a CRO be in defensive mode all the time, or is there a way to perform enabling services for the enterprise?</p>
<p>-Kip</p>
]]></content:encoded>
	</item>
</channel>
</rss>
