In many ways my challenges mirror very closely those of my customers. How do I interpret mounting regulatory requirements and translate them into real-world processes that satisfy the auditors while making my network secure? Security and compliance should follow the same path, but the ambiguous nature of regulations often forces CIOs to choose one over the other. Many of the customers I talk to find that all their resources are tied up in implementing compliance controls that are only useful during an audit but fail to add much to practical security.
What do you see your customers most worried about?
We spent years helping people lock down their networks and make them more resilient to network worms and attacks. We still do, but availability anxiety has been replaced with liability anxiety. There are two classes of customers we work with.
IT managers who always cared about security and improved their posture every year, and are now worried about being able to prove that they showed enough due care so as not to be exposed to a lawsuit or punitive action, should a breach happen in the future. That requires more than just an enthusiastic security effort; it also requires processes and workflow management tools. The shops that have always been good about security are now becoming more mature about how they secure their business.
Then there are businesses that, for whatever reason, have not spent as much time on security as they should have in the past and are playing catch up. Sometimes it’s because they grew too fast. When a business grows, security is often the last consideration. More often than not, these IT managers wanted to do the right thing, but could not get the budget approved. These customers are universally worried about getting the most comprehensive solution they can find for the money.
Surprisingly, we do not see that our customers are worried about a specific threat or risk vector. Web application security is gaining a lot of attention, as it should, but I sense that it’s being propelled by the PCI standard, which made web security assessments mandatory this year. I think that’s a huge step forward.
In your opinion, how many resources should an SMB deploy when it comes to threat management?
As few as possible. If you listen to industry experts and the press, you get the idea that IT leaders must push their business managers to allocate a larger portion of their IT budget to threat management and security in general. I have a somewhat unusual position on that – I think most businesses already allocate enough budget to security efforts. Now, do they get a real return for their money? Not even close.