This is Rob Whiteley's Typepad Profile.
Rob Whiteley
Recent Activity
Also, @rybolov on Twitter pointed me to SCAP: http://scap.nist.gov/. Not sure if anyone has any opinions on the traction and value of the protocol relative to our discussion.
To Brad: Great comment regarding culture. We did a pretty deep dive on how information security and risk programs differ (for example: do they tend to differ by industry, size, geography, organizational reporting structure, etc.). We found that company culture – especially towards security and risk – was the second most important factor, right behind how heavily regulated the company is. It far eclipsed size and even geography in terms of importance. Perhaps therein is the key to automating. Figure out how much the individual users are willing to take on and automate by offloading responsibility to them! This coincides with the fact that user awareness and training is still one of the top perennial CISO concerns.
To Jeremy: We do see CISOs shedding some operational responsibility, but certainly not all. I think the key is, as you allude, where in particular do they still own the operations. It's not necessarily complex areas, but rather those that are less mature (which is correlated with complexity) and where peer IT functions are not comfortable assuming the responsibility. For example, we find many CISOs still have operational responsibility for identity and access management (although that's a fascinating topic unto itself) and application security, and are ramping up on operational responsibility for data security trends. It's the infrastructure (network, server, desktop, etc.) where there is the highest portion of offload. In fact, in our Q3 survey of ~700 security execs we found that at least 23% were “fully responsible” for all security operations. But in areas like technical infrastructure security, 43% are fully responsible for the operations – but this is trending downward year over year. So with that said, I do agree with the conundrum that things that can be easily offloaded are those most suitable for automation. However, I still maintain that CISOs need to focus on efficiency and determine what can be further automated. For example, we see a big resurgence in IAM deployments with automation as the driver, even though security groups own it. Why are other provisioning and policy enforcement areas not seeing equal traction in automation? Why is IT risk management (clearly still a CISO topic) still a highly manual art?
Great comments. I completely agree that automating is not about giving up control, but just streamlining waste. To your car analogy, think how painful it would be if computing fuel injection, monitoring all of your fluids, and applying brakes were all tasks you had to do manually! I think the key is understanding what in information security has evolved from art to science and then automating as much of the science as possible.
Thanks for the good comments. I certainly agree with different controls, like DLP and awareness. We also have a lot of clients interested in updating acceptable and Internet usage policies. In general I've seen the shift from "let's prevent bad things from happening" to "let's monitor more and limit the risks as best we can." I think the days of security playing the veto card are gone. The business is moving ahead regardless. It's just a matter of whether security is an enabler or roadblock. And I love the idea of social security schizophrenia. I'll have to borrow that, if you don't mind!
Aug 26, 2009