Interesting conversation about the security field

Comments

  • Cyberscum Member Posts: 795
    Well I am not all doom and gloom for the security profession. There WILL be a time where a MAJOR cyber attack is executed. Once this happens EVERYONE will realize just how much security has been overlooked. I am not talking about credit card fraud or bank accounts, I am talking about full scale cyberwar where infrastructure and capabilities are targeted and exploited. Once this happens "FEAR" will drive security into infinity and beyond. I just hate to be in the security field when this is going to happen ;)
  • philz1982 Member Posts: 978
    Cyberscum wrote: »
    I was in an interesting discussion with some high execs (6 of them) and the topic of certification and accreditation/general INFOSEC came up. What worries me is that IT security decisions are being made by these businesses from more of a forced compliance perspective than from a perspective of actual concern. I was talking with them about the C&A process and reasons why security needs to be more funded and manned, but their argument was why?

    Literally, they were asking me who cares if a system goes unaccredited? If a system or network will not be turned off and will be given waivers to operate then who cares? I explained the vulnerabilities and the impact of preventing businesses from actually operating. Their agreed upon response was that these were risks that they were willing to take in business. It seems that more and more businesses are willing to take these HUGE risks day in and day out knowing full well of the potential damage that awaits them.

    This made me start thinking about the entire security field. I could imagine countless INFOSEC professionals out there working their rears off day in and day out to secure these networks and systems with no actual support. Business managers and CEOs telling these guys that they are important and that they are a core function of business when in fact they could care less. The less security associated “things” they can deal with the better. These guys literally don’t care about any of it. I kinda understand where they are coming from, they are not in the business of security nor do they ever plan on being. But it makes me wonder where the future of IT security is going. I know that we all understand the importance of IT security, but I have a feeling that this feeling is not shared with the business community. Maybe publicly businesses say that they are genuinely concerned and that they take security seriously, but deep down inside they don’t care at all if it does not make money. At the end of the day you can make a million regulations, restrictions, policies, procedures etc… For what? To give people the impression that you actually care about them and their info, when in reality you don’t give a crap until you actually have to, or are forced? What are your takes on IT/INFOSEC future?

    Just wait until security gets tied to financial statements. If that happens and security becomes a measurable asset you will see a shift in concern. People care about what is measured, security is not a measurable asset at public companies thus no real concern. Cheaper to insure and write off losses than to enforce.
  • Chivalry1 Member Posts: 569
    In my honest opinion I don't think the penalties are strict enough to make a difference for the mishandling of customer data. These companies walk away with a slap on the wrist. For example, the Target incident(s); most of my friends and relatives were back shopping at Target by the next week. The only way to wake these companies up is a class action lawsuit on the next credit card security incident. Then maybe the C-Levels and business suits will start taking notice. Because in this day and age people have short attention spans and an even shorter memory.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
  • colemic Member Posts: 1,569
    Class-action lawsuit is a pipe dream. Anyone and everyone with a credit/debit card has accepted the fine print, which essentially says 'You can't sue us in case of fraud or theft.'
    Working on: staying alive and staying employed
  • Cyberscum Member Posts: 795
    colemic wrote: »
    Class-action lawsuit is a pipe dream. Anyone and everyone with a credit/debit card has accepted the fine print, which essentially says 'You can't sue us in case of fraud or theft.'

    Right, but the mishandling of users' information is another story. I have seen class action suits against credit card companies and against merchants. It all depends on who is at fault for whatever kind of breach. Here is one of the more recent ones that includes 43 states.

    http://finance.yahoo.com/news/data-breach-alert-rosen-law-143637921.html