Back to Basics on IT Security - Ben Rothke



Back to Basics On IT Security. As information security stresses increase, remember the
fundamentals. And make sure your CISO is really smart.

Author: Ben Rothke
Issue: February 2011
Magazine: Bank Technology News


Perspective

Back to Basics on IT Security

As information security stresses increase, remember the fundamentals. And make sure your CISO is really smart.

BY BEN ROTHKE

ONE OF THE MEMORABLE QUOTES FROM the movie Bull Durham was: “This is a very simple game. You throw the ball, you catch the ball, you hit the ball.” Information security is like baseball—you encrypt the data, you decrypt the data, you use the data. As 2011 starts, the key to data security is to focus on both the security fundamentals and look to new technologies. Here are some of the fundamentals:

Governance and oversight. Why do many enterprises place their laser toner cartridges in a locked room? Everyone knows that even with all of a bank’s dedicated employees, a few bad apples can make a lot of expensive office supplies disappear quickly. But are the terabytes of a bank’s data adequately locked? If not, a ten dollar USB thumb drive can download unimaginable amounts of corporate proprietary and sensitive confidential data. Where does the security buck stop? The reason a bank has a CFO is to ensure the management of financial risk, in addition to effective financial planning. Just as your finances need a smart person to be on top of them, so too does your data. Even if your data is locked, is there a person who’s charged with overall governance and oversight around all things information security? If not, you don’t have information security. If there is no security oversight, kiss your data goodbye. If your chief information security officer (CISO) is not at least as smart as your CFO, then you will have much less control over your data. Given that data is the lifeblood of many organizations, the lack of an effective CISO can be information suicide. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements. That person is the CISO. Make sure your firm has one.

Security standards. They say about Chicago that if you really hate the weather, just wait an hour, and it will probably have changed by then. Computer security is like Chicago weather—it’s dynamic and there are always new threats on the horizon. Strong corporate security standards are needed to deal with the new security technologies that will find widespread adoption in 2011. Be it social media, cloud computing, videoconferencing and more—these technologies must have security standards upon which they can be built. Lack of standards means that security will eventually have to be retrofitted. The significant problem there is that any sort of retrofit is always a much more expensive endeavor than had it been done correctly in the first place.

Demonstrate the value of security with technical and financial metrics. Your CEO, COO, CFO, and executive board don’t care if you use Check Point or Juniper. What they want to know is how effectively the bank is protected. Communicate that the bank’s risk exposure is in check. If you can demonstrate to the executives that the security group uses mature risk frameworks to manage the bank’s risk posture, you’ll have won them over.

Scare them, but don’t FUD them. Once again, you can assume your board members are very intelligent to have been appointed to such executive leadership positions. So don’t use fear, uncertainty and doubt, but instead, let them know that it is no longer “their mother’s network.” The threats facing most networks today are significant. The Yankee Doodle virus of the 1990s did nothing but annoy you. But today’s attacks are targeted and stealthy. If you are a Fortune 500 organization and not discovering at least two attempted attacks per week, then you need a better monitoring program.

Open source is your friend. If you asked someone 10 years ago if you could have “no zero” for security software with a strong security program, you would have been laughed at. Today, no one is laughing at open source security software and tools. The essential benefit of open source is not necessarily that it is free; rather, that organizations that use open source generally understand their problems better. They take a more tactical approach to security fixes by using open source. When combined with a highly technical staff, my experience is that banks that have embraced an open source security program generally have a much better understanding of their core security issues, as opposed to blindly throwing tools at the problem. Not that open source is a panacea. When open source tools are deployed and configured incorrectly, they can introduce more risks than they stop. But banks that realize that open source can be their friend and embrace it are generally those that truly “get” information security.

Know the hot security technologies for 2011. Core security technologies such as firewalls, encryption and intrusion detection will continue to be needed in 2011. As well, some of the hot security technologies for this year include those that enable banks to secure corporate data on iPads or iPhones; protect against targeted attacks—the recent Stuxnet malware attacks show that targeted attacks are growing, and banks need a way to avoid them. Social media control: banks such as JPMorgan Chase, Citi, US Bank, and others have created corporate pages to interact with their clients; other banks will look for security controls to ensure they can use social media without the security risks.

Ben Rothke CISSP, CISA is a senior security consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

FEBRUARY 2011 BANK TECHNOLOGY NEWS 31