Panel: Top-level support crucial for security
- By Michael Arnone
- Oct 11, 2005
Well-informed, proactive oversight by senior management is crucial for organizations to effectively prevent cyberattacks, a panel of cybersecurity experts said yesterday.
“The best [vulnerability] management technique is top-level buy-in,” said Michael Wiser, vice president of product development at Citadel Security Software, speaking at a conference the company sponsored in Washington, D.C.
Executive support is especially important in larger organizations, Wiser said, which have more division and tension between senior management and information technology divisions.
Tracking all attacks and their costs can help IT personnel justify funding for more resources, Wiser said.
Top management must look at trend analysis and make their security efforts more proactive, direct and actionable, said Mitchell Rambler, vice president and general manager of military operations at BAE Systems IT.
Organizations must have systematic, automated vulnerability-management tools and ways to quickly quarantine attacks, Rambler said. More importantly, executives must write effective policies and empower people to enforce them, he said.
Corporate governance must ensure that an organization’s IT assets are protected and don’t just meet regulatory minimums, Wiser said.
A lot of attacks occur because of improperly configured devices, Wiser said. Patching covers only 25 percent of security regulations, and the number of cyberattacks is increasing, he said.
“This is a key factor in vulnerability management: The bad guys are getting better,” Wiser said.
Organizations have to integrate security and privacy into their risk-mitigation operations, said Robert Dix, Citadel’s vice president of government affairs and corporate development.
Requiring that devices comply with network security policies before they can access the network is a good first step, Dix said. Demonstrating that their systems are secure will be a significant business driver for all companies, he said.
Executives still don’t understand technology, Wiser said. They want a report stating that their staff have vanquished vulnerabilities -- or even better, that the organization was never vulnerable at all, Wiser said.
A lot of companies used to hide behind the “security through obscurity” mantra, said Lawrence Orans, research director of communications enterprise solutions at Gartner. Now people realize they can lose their jobs – and their lives – because of a breach, he said.
Government mandates and regulations are pushing more organizations to take cybersecurity seriously, but many companies still “have to be hit by a two-by-four before [they] react,” said Steven Solomon, Citadel’s chairman and chief executive officer.