Re: [ISN] Failing security threatens FTSE100 firms

From: InfoSec News (isnat_private)
Date: Sun Sep 07 2003 - 22:18:04 PDT


    Forwarded from: Mark Bernard <mbernardat_private>
    
    Dear Associates,
    
    There are two sides to this story. For a long, long time IT
    professionals never put much stock in a piece of paper called a
    certificate. However, in recent years a few of these certificate
    vendors have strategically positioned themselves with governments and
    the like. Justifiable or not, an affiliation (not a formal endorsement)
    with a known organization will help a company gain enough credibility
    to make millions of dollars without holding any accountability.
    
    The other side of the story is the need to assure senior management
    that your staff have a defined level of InfoSec competency. Since
    Universities are only beginning to jump on this it will take two or
    three years before the certificate landscape changes to degrees. Even
    now some certification organizations are hustling to have their
    certification accredited by a public body.
    
    The down side is that with all the focus being on certifications that
    the real and tangible goals are being pushed to the back of the
    InfoSec bus. Anyone with experience in IT Tech or IT Management can
    tell you that staff credibility is only one element of a complex
    solution in achieving asset security and being able to assure it.
    
    Speaking of credibility, currently there is no link between
    national, state and/or provincial InfoSec legislation and the people
    that perform the work. Unlike lawyers, doctors and even bus drivers,
    there is no requirement for someone practising InfoSec to be licensed.
    However, it wouldn't surprise me if that changes in two or three years.
    
    In closing, it would be interesting to see a survey conducted here in
    North America, that is Canada & the USA, not just the USA, to see how
    many hospitals, banks and insurance companies have certified personnel
    doing InfoSec work. My guess is less than 2%, because the mentality
    has always been to make do with what you have, and that will never
    change!
    
    
    Regards, 
    
    Mark.
    
    
    ----- Original Message ----- 
    From: "InfoSec News" <isnat_private>
    To: <isnat_private>
    Sent: Friday, September 05, 2003 4:06 AM
    Subject: [ISN] Failing security threatens FTSE100 firms
    
    
    > http://silicon.com/news/500013/1/5876.html
    >
    > Will Sturgeon
    > 4 September 2003
    >
    > Shareholders in some of the UK's most prestigious companies may be
    > horrified to hear that only 16 per cent of FTSE100 firms employ a
    > properly qualified, dedicated security specialist to safeguard their
    > systems from cyber attack.
    >
    > These findings have caused one IT training organisation to hit out
    > at what it calls "boardroom apathy" regarding the issue of security,
    > with too many CEOs adopting an 'it couldn't happen to us' attitude.
    >
    > Despite a recent spate of high-profile virus attacks, and the
    > constant threat posed by hackers, companies still appear to be
    > leaving a lot to chance - a stance which Robert Chapman, co-founder
    > of The Training Camp, who conducted the survey, says displays a
    > worrying level of "ignorance".
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 08 2003 - 01:06:16 PDT