5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it's a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.
What's more, that which is easy to measure is not necessarily that which is most valuable. So if there were 15 software vulnerabilities last month, we can measure that 12 of them have been patched. It is much harder to measure how effective end user training was to make administrators immune to social engineering attacks. The lesson is you need to be compliant, but your entire risk strategy cannot be based on it.
6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.
7. Security has grown well past "do it yourself." Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The shear volume of security products and the rate of change has super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could "do it yourself." But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best -- your business -- scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.
The primary goals for executives over the next few years is to cut cost and reduce complexity. Today we are seeing a massive convergence in the security market. There are only going to be a few large players left and a bunch of smaller players. Will consolidation lead to better efficiency, or will it lead to vendor lock-in?
As executives simplify, they will face many choices. Simply reducing vendors may fail to balance cost, complexity and risk. Vendors have a responsibility in this equation and must rise to the challenge. True risk management can show where to prune solutions, but the key is risk driven, responsible simplification.
Corman is principal security strategist for IBM Internet Security Systems. Network World is an InfoWorld affiliate