In this interview, Herbert 'Hugh' Thompson, Program Committee Chair for RSA Conferences and Chief Security Strategist at People Security, talks about challenges faced by information security leaders, privacy issues, social networking, and RSA Conference Europe 2012.
You spend a lot of time talking to information security leaders working in different industries. What keeps them awake at night?
In the field of information security, we often believe that we have a reasonable set of controls in place to manage risk. The truth is that we have very few risk metrics to work with. Our life is an exercise in managing known and unknown risks. It's the unknown risks that leave security leaders sleepless.
In terms of topics: Highly targeted attacks are a very serious problem for large organisations. Attackers have moved from technical exploits to manipulating people. The human element of security has long been ignored in enterprise defense, yet it is often the starting point for targeted attacks. I think we have a lot of work to do in this area.
Based on your experience, how has the role of the enterprise C-level executive dealing with information security changed with time? What challenges does such an executive face today that weren't part of the job description a decade ago?
Today's successful C-level security executive has to be a master of the "soft skills." More than ever, security leaders need to be able to communicate effectively, all the way up to the board, laterally across their organisations, and down to rank-and-file employees.
We are in a discipline that can't be boiled down to performance metrics on a PowerPoint slide. We operate in an arena of nuance, of uncertainty, and as a result, security executives need to be skilled ambassadors. Security executives also need to have the ability to deal with ambiguity and uncertainty.
Given all the potential privacy and security implications, is there a place for social networking in the modern enterprise? How can a large company expect to battle data leaks when so many employees are inadvertently over-sharing potentially valuable information?
I think that the over-sharing of information on social networking is both a technology problem and an awareness problem. It is a technology problem in the sense that we need to equip employees with easy-to-use tools and services that will help to preserve their privacy and protect potentially sensitive corporate information when they post to social networking sites.
Technology can help strip geolocation information from photos or context information from an update, for example.