Thankfully we have evolved beyond the question "Is information security a problem?", which was the first major hurdle. Now we are stuck on the concept that information security is a person who comes in to fix our security issues when we need help. All too often, the need for security is triggered by a limited set of circumstances. "Adding a new WAN link? Giving access to remote users? Surfing the net? Let's call in the Security Experts first." So the problem is such:
Security cannot be isolated to such simplistic triggering events as is commonly recognized by executive and management staff. But how do we train the Executives, Managers, and Technical staff to see beyond this and to know when and where security issues need attention?
The primary goal of my book is to train people how to "think" in terms of security and how to be better equipped to recognize security issues. Security will continue to be a problem if only "security professionals" recognize and address security issues. To truly be secure, every manager, director, and technician in an organization needs to have some understanding of basic security principles.
What do you think about the full disclosure of vulnerabilities?
As the arguments rage back and forth with the pros and cons of disclosing information on vulnerabilities, a few ideas have been widely accepted.
1. Vendors are more incented to write "bug-free code" and to respond to exposures and exploits if they are publicly known.
2. Making the exposure publicly known opens a window of opportunity for every script kiddie in the world to use it to their advantage.
I agree that the best solutions may involve a time-delayed response where exposures / exploits are reported to a central agency. I also agree that that agency should be responsible for contacting the related parties (usually vendors), who are then given X days to develop a patch or make their disclosure before it becomes public knowledge. This is in accordance with the chapter on "Secretless Security" and the idea that nothing can be assumed secret or unknown to the "bad guys", and pretending it is a secret can only work against us. This is also highly incenting to vendors, since those who have not responded in this type of scenario will have greatly magnified the proverbial "egg on their face."
I see a lot of arguments for and against this type of approach, and I would certainly not be so fixed as to say the solution is this simple. It is far too big a topic to provide a simple "Yes, I agree" or "No, I don't" answer.
What is, in your opinion, the biggest challenge in protecting information at the enterprise level?
The biggest challenge in Information Security Risk Management is at the Enterprise Scale. Organizations are finding it difficult to get their hands around security when it has so many dimensions and possibilities. Medium and large companies have spent the past few years building an arsenal of tools and technologies to solve point-in-time problems (one series of problems = one tool/solution). But now organizations have to consider so many vulnerabilities & exposures, so many tools & technologies, and so many regulations & standards, that such tunnel vision is no longer possible. Organizations are challenged to adopt information security risk management practices that span from the business requirements, to the governing regulations, to the technical details. And all this needs to be accomplished in the midst of shrinking budgets and increasing threats from the outside world.
What are your future plans? Any exciting new projects?