SAN JOSE, Ca. – Though he admits it will be a matter of years before businesses fully transform their people, processes, and technology to regard security risk in the same light as business risk, the challenge remains to be conquered nonetheless.
So says Brian Kenyon, director, enterprise technical enablement for McAfee Inc., and a leading security expert on vulnerability management best practices.
As chief architect of McAfee Foundstone Security Operations Center, which monitors vulnerabilities at client sites, Kenyon has played an integral role in designing and developing Foundstone’s hardware solutions.
Discussing what he called the “inconvenient truths about security,” he said there is no silver bullet for security. Of people, processes, and technology, the security industry has focused far too much on technology in how it speaks to businesses of all kinds. Vendors such as McAfee therefore ought to focus on educating users toward more efficient and effective ways of running their security practice, he remarked.
Kenyon’s comments echoed those of his colleague Dr. Martin Carmichael, McAfee’s chief security officer. While on a recent trip to Toronto, Carmichael said one of the challenges facing the (security) industry is how businesses and governments view security. He also said the balance between regulatory compliance and business is no different than the balance between business and risk management itself.
“I believe fundamentally the idea of compliance is very difficult to achieve. If you look at most organizations and ask them if they’re compliant and they said ‘yes’, you would have to step back and say ‘let me introduce you to a new auditor,’” Carmichael said. “Compliance constraints tend to be much more subjective these days.”
Kenyon — on his own tour of Canadian cities discussing basic security points — said his objective is to get businesses to look at the security question from a different point of view.
“As an industry, we have done a poor job of communicating security at the business level,” he said. “Risk management is a financial-driven role with actuary tables but security is a stepchild off to the side . . . businesses need to come to terms with the realization their organization will be hit with a security breach.”
Risks include in-house web application development treating security as an afterthought; or employees being careless, mindless, or devious with portable computing devices containing sensitive corporate data. Perhaps the biggest pain point is the amount of time select employees must dedicate to the company’s compliance and auditing policies and/or a firm’s inability to consider outsourcing more mundane security functions to a third party — like McAfee.
“Companies need to identify sustainable processes and then use technology to support those processes,” he said. “And as a security vendor, we need to focus on educating the user as to what is the most efficient way to handle security.”
This column was written by Liam Lahey of ConnectIT