[ISN] Taking the Security Message to the Suits

From: InfoSec News (isn@private)
Date: Sun Oct 19 2003 - 22:24:14 PDT

    http://www.eweek.com/article2/0,4149,1356353,00.asp
    
    By Dennis Fisher
    October 15, 2003
    
    CHICAGO - Where does the security buck stop? All of the certifications
    and training in the world won't make any difference to the security of
    corporate networks if senior managers and top executives don't
    understand the problems and requirements faced by security
    professionals, a consultant and former CIO said in a Wednesday keynote
    speech here at the Security Decisions 2003 conference.
    
    "We don't have to make the CISSPs [certified information systems
    security professionals] smarter, we need to make the suits less dumb,"
    said Thornton May, a member of the executive education faculty at the
    University of California at Los Angeles and a futurist who spends much
    of his time speaking with CIOs at large corporations. "Right now, they
    just don't understand what the problems are. They're coming out of
    business school not knowing that information security is important. We
    have to change that."
    
    In order to do that, May said colleges and universities need to do a
    better job of instilling in students the importance of security. He
    suggested that business school students be required to pass an exam of
    their knowledge of safe computing practices.
    
    "We can't continue to barf out uneducated graduates into the world,"
    May said. "We need to make grads pass a safe computing test.
    Otherwise, we're in trouble."
    
    But May didn't let the assembled security professionals in the
    audience off the hook, either. May said they need to include
    management and executives in discussions about why certain security
    technologies are necessary and what benefits they will provide to the
    organization. Simply creating a wish list of products and handing it
    over to the decision-makers is counterproductive, May argued.
    
    "Nobody likes an expert. You have to give [executives] something to
    do," he said.
    
    Michael Rasmussen, an analyst with Forrester Research who spoke after
    May, agreed that security professionals need to make it easier for
    executives to understand the complexity and challenges of their jobs.
    
    "If you go in there talking about polymorphic buffer overflows and IDS
    evasion, you're going to lose them," said Rasmussen, director of
    research for information security at Forrester.
    
    ISN is currently hosted by Attrition.org