Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Tuesday 29 July 2008, 12:01 PM

Insider security threat not exaggerated

Posted by (ISC)2

I was recently reading some research claiming that the insider security threat had been exaggerated (http://www.verizonbusiness.com/resources/security/databreachreport.pdf). The report said that the majority of security threats are external and concluded that the insider threat is not the issue we have all long believed.

I think this is somewhat of a misrepresentation of the real truth. Security professionals have long claimed that the internal threat is the biggest security risk to company information, eclipsing even external breaches such as data leakage and malware. Contrary to this analysis, rather than exaggerated, I think it’s just been misrepresented. The threat of ‘insider’ security breaches is still very real. But rather than being malicious breaches of intention, it is more likely that most insider security breaches are accidental; a result of companies failing to adequately implement policies and validation controls or to educate staff about security policy.

Information security professionals need to assess what the risks are and where they may come from. Underestimating the real threat of internal security breaches is unwise. There are still lots of controls that security professionals should implement to stop the sorts of mistakes that really can, and do, impact security in order that they can, as a colleague of mine once said, stop clever people from doing dumb things.


John Colley, CISSP
Managing Director EMEA, (ISC)2

Monday 28 July 2008, 3:03 PM

Will a recession impact security spending?

Posted by (ISC)2

We are, or so the press keep telling us, gearing up for an economic slowdown, if not full-blown recession. In this climate, many information security teams will be assessing the impact of a cut in the security budgets, particularly with pressure to ensure responsible, secure business practice coming from consumers, B2B customers, partners and regulation to contend with. There is no doubt that high-profile breaches have made issues such as data loss and identity theft a mainstream concern.

Talking to my colleagues and looking at the results of our own research into the concerns of the industry makes me believe that companies will continue to take action, rather than cutting back on their investments in securing their organisations’ information.

I don’t believe any company would, in this climate, risk their corporate reputation with lax security controls. Security is, perhaps, one of the safest of operational budgets from the knife. Though it’s worth noting, the security budget will not likely ever be immune from having to be justified. And as good business managers, we should always be looking for areas where we can help tighten the corporate belt. There are likely to be areas in any budget, including ours, where projects can be deferred or possibly dropped. Learning the skill of getting more for less will go a long way in this climate. After all, budget alone is not the answer to a company’s security woes.


John Colley
Managing Director EMEA, (ISC)2

