Q&A: Information assurance

by Mirko Zorz - Friday, 18 September 2009.

Ravinderpal “Ravi” Sandhu is The University of Texas at San Antonio (UTSA)’s Lutcher Brown distinguished chair in cyber security and the executive director of UTSA’s Institute for Cyber Security. He holds thirteen U.S. patents for security technology and has received more than 30 sponsored research grants. In this interview, he discusses information assurance.

Generally speaking, how important is information assurance for an organization?

The answer will depend to some degree on the nature of the organization. Financial, health and educational organizations, amongst others, have regulatory and legal requirements with respect to information assurance. For military and intelligence agencies mission success can critically depend on information assurance. For most organizations information assurance is probably something that should be of concern at the top levels of management. Somebody at the C level should be charged with looking after this issue. Cyber space of the future will be much richer than most of us can imagine today and will enable innovative applications that the best companies will embrace to their advantage. This will require continual attention to information assurance by top management.


With the current recession and shrinking budgets, what are the most challenging aspects of managing information-related risks in the enterprise? Are there any corners practitioners are allowed to cut?

The pressure to cut costs is immense and I don’t think it will completely go away when the economy recovers. Rather than “cutting corners” the key is to do “more with less.” Much of information security practice relates to compliance and internal policy rather than effectiveness. We could probably improve effectiveness and reduce costs by focusing on measures that are effective rather than mandated by so-called best practice. Unfortunately the attackers are getting more sophisticated each month so we have a moving target, where the attackers seem to have all the initiative. Nevertheless I think we can do better with the money we spend on security by spending wiser.

In view of the many data breaches, are companies generally paying attention to information assurance? Can they beat the insider threat?

One thing that data breaches have demonstrated is that simple compliance standards like PCI (for the credit-card industry) provide no guarantee against breaches. While having an industry standard such as PCI is better than nothing, it remains a far cry from actually making our systems safe. Regarding the insider threat I think it can be “contained” rather than “beaten.”
