You spend a lot of time talking to information security leaders working in different industries. What keeps them awake at night?
In the field of information security, we often believe that we have a reasonable set of controls in place to manage risk. The truth is that we have very few risk metrics to work with. Our life is an exercise in managing known and unknown risks. It's the unknown risks that leave security leaders sleepless.
In terms of topics: Highly targeted attacks are a very serious problem for large organisations. Attackers have moved from technical exploits to manipulating people. The human element of security has long been ignored in enterprise defense, yet it is often the starting point for targeted attacks. I think we have a lot of work to do in this area.
Based on your experience, how has the role of the enterprise C-level executive dealing with information security changed with time? What challenges does such an executive face today that haven't been part of the job description a decade ago?
Today's successful C-Level security executive has to be a master of the "soft skills." More than ever, security leaders need to be able to communicate effectively, all the way up to the board, laterally across their organisations, and down to rank and file employees.
We are in a discipline that can't be boiled down to performance metrics on a PowerPoint slide. We operate in an arena of nuance, of uncertainty, and as a result, security executives need to be skilled ambassadors. Security executives also need to have the ability to deal with ambiguity and uncertainty.
Given all the potential privacy and security implications, is there a place for social networking in the modern enterprise? How can a large company expect to battle data leaks when so many employees are inadvertently over-sharing potentially valuable information?
I think that the over-sharing of information on social networking is both a technology problem and an awareness problem. It is a technology problem in the sense that we need to equip employees with easy-to-use tools and services that will help to preserve their privacy and protect potentially sensitive corporate information when they post to social networking sites.
Technology can help strip geolocation information from photos or context information from an update, for example.