Panel: Top-level support crucial for security

Well-informed, proactive oversight by senior management is crucial for organizations to effectively prevent cyberattacks, a panel of cybersecurity experts said yesterday.

“The best [vulnerability] management technique is top-level buy-in,” said Michael Wiser, vice president of product development at Citadel Security Software, speaking at a conference the company sponsored in Washington, D.C.

Executive support is especially important in larger organizations, Wiser said, because they tend to have more friction between senior management and information technology departments.

Tracking all attacks and their costs can help IT personnel justify funding for more resources, Wiser said.

Top management must look at trend analysis and make their security efforts more proactive, direct and actionable, said Mitchell Rambler, vice president and general manager of military operations at BAE Systems IT.

Organizations must have systematic, automated vulnerability-management tools and ways to quickly quarantine attacks, Rambler said. More importantly, executives must write effective policies and empower people to enforce them, he said.

Corporate governance must ensure that an organization’s IT assets are protected and don’t just meet regulatory minimums, Wiser said.

A lot of attacks occur because of improperly configured devices, Wiser said. Patching covers only 25 percent of security regulations, and the number of cyberattacks is increasing, he said.

“This is a key factor in vulnerability management: The bad guys are getting better,” Wiser said.

Organizations have to integrate security and privacy into their risk-mitigation operations, said Robert Dix, Citadel’s vice president of government affairs and corporate development.

Requiring that devices comply with network security policies before they can access the network is a good first step, Dix said. Demonstrating that their systems are secure will be a significant business driver for all companies, he said.

Executives still don’t understand technology, Wiser said. They want a report stating that their staff have vanquished vulnerabilities -- or even better, that the organization was never vulnerable at all, Wiser said.

A lot of companies used to hide behind the “security through obscurity” mantra, said Lawrence Orans, research director of communications enterprise solutions at Gartner. Now people realize they can lose their jobs -- and their lives -- because of a breach, he said.

Government mandates and regulations are pushing more organizations to take cybersecurity seriously, but many companies still “have to be hit by a two-by-four before [they] react,” said Steven Solomon, Citadel’s chairman and chief executive officer.
