Don’t Ignore the “Paranoid” Security Guy, Part 2

by Taher Elgamal
Chief Security Officer

(To read Part 1, click here.)

This is going to continue to be an arms race for a long time.

I don’t think society will actually change. People in important positions don’t even listen to financial experts, let alone IT security experts. And I’m willing to bet money that there is another financial problem that somebody has warned us about, and that nobody is paying attention to, because of the cost. People are hesitant to take action on anything that involves cost. I’m not saying you should spend money on a whim. But there is certainly a collection of experts in every single one of these technical fields who can make a judgment call as to how much risk a system is willing to take and where we must draw the line. And right now, we’re drawing the line so far out that a lot of criminals can gain a great deal of unauthorized access, and the level of online fraud carried out today is indicative of this.

The real issue is a fundamental lack of imagination on the part of the decision makers and CEOs. “Why am I going to spend all this money?” the CEO asks. The CEO waits until a regulation comes up. When the government actually speaks up and sticks a regulation to a certain type of company for something, the CEO puts forth the effort to get there. The problem with mere regulation—and this is how the entire system works—is that it doesn’t solve the real problem. It just makes people compliant. It does not make sure that the wrong people don’t gain unauthorized access, it just makes sure that the right people are acting just a little bit more safely. It’s true, I’ll admit, it is a little bit better to be compliant with all these regulations. But it does not address the real issue.

Finally, consider this:

If the concern over cyber issues is now an integral part of business, if it’s no longer a back office thing, if it’s now front and center, in the middle of everything, then cybersecurity people should be involved in the decision-making process, not just dismissed as back-office techies. That implies more training for the cybersecurity people to both be able to evaluate risk and to understand the particular business needs that the enterprise faces. Are you ready for that?
