I agree that the best solutions may involve a time-delayed response where exposures / exploits are reported to a central agency. I also agree that that agency should be responsible for contacting the related parties (usually vendors), who are then given X days to develop a patch or make their disclosure before it becomes public knowledge. This is in accordance with the chapter on "Secretless Security" and the idea that nothing can be assumed secret or unknown to the "bad-guys", and pretending it is a secret can only work against us. This is also highly incenting to vendors, since those who have not responded in this type of scenario, will have greatly magnified the proverbial "egg on their face."

I see a lot of arguments for against this type of approach and I would certainly not be so fixed as to say the solution is this simple. It is far too big of a topic to provide a simple "Yes I agree" or "no I don't" answer.

What is, in your opinion, the biggest challenge in protecting information at the enterprise level?


The biggest challenge in Information Security Risk Management is at the Enterprise Scale. Organizations are finding it difficult to get their hands around security when it has so many dimensions and possibilities. Medium and large companies have spent the past few years building an arsenal of tools and technologies to solve point-in-time-problems (one series of problem = one tool/solution). But now organizations have to consider so many vulnerabilities & exposures, so many tools & technologies, and so many regulations & standards, that such tunnel vision is no longer possible. Organizations are challenged to adopt information security risk management practices that span from the business requirements, to the governing regulations, to the technical details. And all this needs to be accomplished in the midst of shrinking budgets and increasing threats from the outside world.

What are your future plans? Any exciting new projects?

I am extremely excited about a new technology we have developed at RelSec. Over the past several years we have been working to develop RSAM (Relational Security Assessment Manager), which provides clients and consulting companies with an open and adaptable framework for assessing/managing risks and safeguards in a large-scale manner. The capabilities of this technology are tremendous, far beyond my expectations from the security world. I imagine this will be the standard security tool for assessment and risk management in the years to come, and I am excited to be involved with it from the start.