Before joining Criston, he was Chief Executive Officer at MobileWay and Vice-president of marketing at iCelerate.
What do you see as the biggest security threats today?
In IT security, the biggest "threat" has always been the end user. While IT security teams are fighting everyday to keep the data safe by isolating the network with latest security technology, end user will be the one that will "forget" an opened window! Today, users have become more and more powerful and their development skills are growing.
The increasing complexity of the client systems they require, as a result of their global distribution and heterogeneity, is in itself more dangerous than any single threat.
In the past, it was possible to protect client systems manually, on an ad-hoc basis. But now, with their considerable size and scope and the need to make more frequent upgrades for operational or security requirements, any client systems that is not proactively and consistently monitored and managed is in danger.
How important is patch analysis in the overall security architecture?
Contrary to antivirus that defends the systems when an attack occurs, patch management allows a proactive security policy: cover the breach before the attack happens.
This being said, the cost of patching is very high, and therefore IT managers should not adopt a "deploy all patches on all systems" approach. Proper analysis is needed to determine which patch is required on what system, and this is what Vulnerability Management brings.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
The biggest challenge is to control "ALL" the flow of incoming/outgoing data from the IT system without blocking end-user productivity. The threats comes from remote access or data corruption vulnerabilities, and third party devices that are pluged to the network (nomad laptop, USB key etc.), and it is sometimes difficult to know which flow is regular business and which is not.
In your opinion, can one really calculate security ROI?
Security ROI is obviously difficult to calculate since it relates to how much one stands to lose rather than how much one will gain. IT disasters costs are easy to measure after a security breach, but the real trick is to balance the IT security investments against the risk exposure.
To evaluate the security level against the threats, you need to evaluate the risks against the IT security investment, and consider more than the sole licence cost of this investment: does it require IT staff training? How long is the deployment time? How many man-hours does it require to be implemented? Does it include paid-for functionalities that you cannot use? Does it require additional application re-configuring? Often, our clients tell us that their first problem is not to evaluate the cost, but their exact need versus their infrastructure.
Based on the feedback you get from your clients, are there more internal or external security breaches?
External security breaches can be easily covered with a well configured firewall. Internal breaches represent more and more risk, as they can be exploited from worms, spywares, viruses that are inserted into the company through e-mails, USB keys, Wi-Fi, laptops etc. Moreover, targeted attacks are increasingly common, and most often exploit internal breaches.