In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
Boy, that's a tough question. As folks working in security, we keep seeing so many areas for improvement, not just one thing. At the same time, I can say one thing comes to mind, right at the top: disablement. Administrators don't disable enough. Software developers don't disable enough. Security is disablement. Disable network protocols, applications, and features of all kinds that you don't need. Software comes shipped by vendors today with too much enabled; that's one of our biggest problems in security. There's too much focus on getting things working (maximum enablement) and not enough on security, wherein security, by my definition, implies maximum disablement.
What is, in your opinion, the biggest challenge in protecting information at the enterprise level?
Folks in the enterprise still have a difficult time understanding what the statement "security is a business problem" really means and what to do with it. One of the things we tried to do with Mission Critical Security Planner was to provide a quantifiable and actionable way to communicate that. From the topic of selling security, to impact (risk) management, and security quality management, these are all areas that the enterprise struggles with. Security professionals need help pulling together a comprehensive security plan that is both actionable (sufficiently technical) yet fully understandable from a business standpoint by the rest of the organization (up to the CEO). This is the challenge of the enterprise, and we worked to address that with the book. The other common problem in the enterprise is the belief that a firewall really provides full protection, so they believe that behind a tight firewall (even one only allowing one port through, say http), they are secure. This is absolutely not true. It's this mindset that is making so much of today's networked world vulnerable. Security is a systemic challenge; you need to go deep into the organization and apply security. Security practitioners should always remind folks in the organization that security is value, not overhead; in the book, the "Selling Security" worksheets show specific examples of how to do that.
What are your future plans? Any exciting new projects?
On a personal level, I hope to find some time this year to take a breather and visit more of the world. I've been around Europe and Asia, but there are still a number of places to see. The book consumed a great deal of my free time over the past two years, but I'm happy to have written it; it was a great journey. From a technical standpoint, we (NeFrameworks) continue to develop our own suite of products that our security consulting clients can choose to use (or not) as part of the security planning and implementation process. It's exciting to develop useful security products; it's something I enjoy. For example, we are working on an innovative secure content management platform called PortalLock that seamlessly integrates with our other service offerings around identity management (IDValidate) and privacy management.