
Reporter's Notebook: Why failing an audit can lead to success

At Information Security Decisions, attendees discuss cash-strapped compliance efforts, the premature demise of IDS, job security courtesy of Microsoft and more.

NEW YORK -- One of the stranger topics of conversation being floated informally at this week's Information Security Decisions conference is how to foil those pesky compliance auditors. Whether joking or for real, some security managers are hoping they flunk.

A number of security programs have been so successful at maintaining data integrity that their budgets are being cut under the assumption that more resources aren't needed to meet, or continue meeting, state and federal regulations. Delegates, though, privately admitted they're hoping auditors find fault -- though nothing major -- so they have a stronger case to either add new software or hardware to their networks or increase staffing.

That sentiment was underscored during a panel Wednesday featuring Information Security magazine's Security 7 award winners -- all considered thought leaders at major corporations, agencies or universities. One winner, AT&T CISO Edward Amoroso, told the audience some good can come from failing to meet the grade at some companies.

"After an audit, money flows," he said. Then he cautioned: "But be careful or the money will flow out the door."

The other honorees included: Charles McGann, manager of secure infrastructure for the U.S. Postal Service; Christofer Hoff, CISO and director of enterprise security for Western Corporate Federal Credit Union (WesCorp); Hans-Ottmar Beckmann, CISO and corporate executive director for Volkswagen; Dave Dittrich, senior security engineer and researcher for the University of Washington's Center for Information Assurance and Cybersecurity; Richard Jackson, chief information protection officer at Chevron Corp.; and Patrick Heim, vice president of enterprise security for McKesson Corp.

IDS alive (maybe even well) in NYC
During one of several instant audience response polls, 84% of respondents begged to differ with a prediction from Stamford, Conn.-based research firm Gartner that intrusion detection systems would be dead by the end of this year. Only 10% said it would happen; the other 6% weren't sure.

San Diego-based author W. Curtis Preston, vice president of data protection for GlassHouse Technologies Inc., asked how many in the audience of 500 security managers had documented security procedures in place for their storage infrastructure. Forty-two percent did; 58% didn't. What surprised Preston, one of Wednesday's keynote speakers, was the near-even split between the 47% who believed offline media (tapes) posed the most serious threat to data and the 53% who thought online information (disks) was the bigger issue. Preston's company recently conducted a 3,000-person survey in the storage space and found the results matched closely.

A full 85% admitted in another poll they don't currently encrypt backup data. During his presentation, Preston said the biggest risk to backup encryption is rendering tapes or disks unreadable. Challenges include finding the proper balance between usability and security.
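Preston's warning is that encryption fails backups in a different way than it fails attackers: if the key is gone, the tape is as unreadable to the restore team as to anyone else. The following is an added example (not from the article or any product it mentions) of the two controls that address that risk: the backup envelope carries the identifier of the key that sealed it, and the envelope is restored and compared against the original before the plaintext copy is discarded. The in-memory keystore, the envelope layout and the key IDs are assumptions for illustration; a production system would hold the keys in an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keystore maps a key identifier to a 256-bit AES key.
// Assumption: an in-memory map stands in for the real key-management service.
type Keystore map[uint32][]byte

// ErrKeyMissing is the "unreadable tape" failure mode: the envelope is intact
// but the key it names is no longer held anywhere.
var ErrKeyMissing = errors.New("backup references a key that is not in the keystore")

// NewKey generates a random 256-bit key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptBackup seals plaintext into an envelope laid out as
// [keyID (4 bytes, big-endian)][nonce (12 bytes)][AES-GCM ciphertext + tag].
// The key ID travels with the data so a restore years later can find the key.
func EncryptBackup(ks Keystore, keyID uint32, plaintext []byte) ([]byte, error) {
	key, ok := ks[keyID]
	if !ok {
		return nil, ErrKeyMissing
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, keyID)
	// The header is bound in as additional authenticated data, so a swapped
	// key ID fails authentication instead of silently selecting the wrong key.
	ct := gcm.Seal(nil, nonce, plaintext, header)
	out := append(header, nonce...)
	return append(out, ct...), nil
}

// DecryptBackup opens an envelope, reporting key loss as a distinct error so
// operators can tell "key gone" apart from "media corrupt".
func DecryptBackup(ks Keystore, envelope []byte) ([]byte, error) {
	if len(envelope) < 4 {
		return nil, errors.New("envelope too short for key ID header")
	}
	header := envelope[:4]
	key, ok := ks[binary.BigEndian.Uint32(header)]
	if !ok {
		return nil, ErrKeyMissing
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < 4+gcm.NonceSize() {
		return nil, errors.New("envelope too short for nonce")
	}
	nonce := envelope[4 : 4+gcm.NonceSize()]
	ct := envelope[4+gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

// VerifyRestorable is the check Preston's warning calls for: before the
// plaintext copy is discarded, prove the envelope decrypts back to the same
// bytes using only what the restore site will have (keystore and envelope).
func VerifyRestorable(ks Keystore, envelope []byte, expected [32]byte) error {
	pt, err := DecryptBackup(ks, envelope)
	if err != nil {
		return err
	}
	if sha256.Sum256(pt) != expected {
		return errors.New("restored data does not match original digest")
	}
	return nil
}

func main() {
	key, _ := NewKey()
	ks := Keystore{7: key}
	payload := []byte("constructed sample backup payload") // constructed input
	env, _ := EncryptBackup(ks, 7, payload)
	fmt.Println("restore check with key present:", VerifyRestorable(ks, env, sha256.Sum256(payload)))
	// Simulate key loss: same envelope, keystore that no longer has key 7.
	fmt.Println("restore check after key loss:", VerifyRestorable(Keystore{}, env, sha256.Sum256(payload)))
}
```

The usability-versus-security balance Preston describes shows up in the keystore: the restore check only proves anything if it is run against the key material the restore site will actually have, not the operator's local copy.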

Microsoft = job security
Almost everyone admits Microsoft has made progress recently in better protecting its software and the billions of systems running it on their networks.

But the software giant remains the butt of jokes in security circles. And maybe that's not so bad, either, if you help secure your enterprise's networks and data stores. The top answer when asked about the impact of Microsoft's new client protection suite, and by a wide margin over other options: "Proof we'll all have job security for a long, long time."

Security office? What security office?
While Microsoft may keep security practitioners solvent for the immediate future, the long-term future of the security office may not be as rock-solid.

Remember when most organizations in the '90s had a quality officer? Eventually that notion went the way of the dinosaur. Subsequently, quality became embedded in all business functions and an unstated goal of everyone in a company.

AT&T's Amoroso thinks the security office could soon be an archaic notion.

"Security is not an add-on thing, and should not be an organization on the side, but rather an attribute, a feature, a requirement," Amoroso said. "My goal is that you'd find more and more firms using security as a market differentiator, as a requirement in everything they do."

Keeping moving targets safe
See that smarmy teenager sitting in the back seat of your SUV text messaging his best friend -- who happens to be sitting right next to him? Well, that's your next generation of enterprise user. And the mobile gadgets and feature sets he's using today are going to be demands on the job tomorrow.

Your job, meanwhile, is going to be keeping all of those smart handsets safe and sound.

Bill Hancock, CSO of Savvis Inc., one of the world's largest Internet carriers, didn't go too far out on a limb Wednesday when he said mobility is going to be the biggest challenge for a security manager in the not-too-distant future.

"You've got 2.1 billion cell phones in the world today, and soon they'll all have an IP address. I don't even want to think about that. That means the Internet will triple in size within three years," Hancock said.

As disparate devices associate and become mission critical, he said current security models just won't suffice.

"Infrastructure security has to come first; if you can't move packets, it doesn't matter how secure you are," Hancock said. "Push for active defenses in your companies. Firewalls are reactionary devices. They only stop what you tell them to stop. Everything else? Come on in!"

Information Security Decisions is produced by TechTarget, publisher of
