While these are thoughtful arguments, challenge 2 falls short. The common but flawed idea voiced by many is the need to “get ahead” of the bad actors. The reality is that security, and law enforcement, have been behind, or responsive, to the bad actors of the world since the first caveman raised a rock and forcibly took more meat from the hunt than otherwise entitled. Cyber security (or all security for that matter) is behind the bad actors and will continue to be but, and it is a big BUT, the information security community has been able to find ways to stop the piling on and have successfully mitigated billions in dollars in risks for our employers/customers.
The greater failure of information security (and maybe its too heavy handed to blame information security and not government and commercial leadership) is not in getting ahead of the bad actors but being part of the silent enabling population who through failure to adopt patching processes, spam filters, malware detection and eradication,... in other words a reasonable and robust information based security infrastructure, allow the repeated exploitation of themselves, their customers, and the larger cyber space. Not staying abreast of the bad actors is the larger problem. Getting ahead of the bad actors will occur and but realistically that is not where the large breaches and losses are occurring.
Crime is crime. Since that first caveman committed the first crime, all that’s changed is the weapon. In what universe has law enforcement gotten 'ahead' of the bad actors? Building bullet proof shields around bank tellers, installing cameras, hiring guards, using die packs,... all stopped previously identifiable methods of robbing banks. They did not 'get ahead' of the bank robbers. The robbers adapted with new techniques or went and robbed banks where these precautions had not been put in place. Why do we continually want to treat cyber crime as different?
Our national leadership, void since the beginning of this debate over three decades ago, needs to step up and address how to cajole, bribe, or mandate the deployment and implementation of EXISTING proven policies, technology, and processes to stop the bad guys. As that is put in place we should be looking at “what’s next” but lets fix the sucking chest wound before we address the high cholesterol of our patient.
This Profound Moment in Cybersecurity, and Three Challenges that Frame It
Richard Power looks at the big picture and how security must move forward
» View Article
While these are thoughtful arguments, challenge 2 falls short. The common but flawed idea voiced by many is the need to “get ahead” of the bad actors. The reality is that security, and law enforcement, have been behind, or responsive, to the bad actors of the world since the first caveman raised a rock and forcibly took more meat from the hunt than otherwise entitled. Cyber security (or all security for that matter) is behind the bad actors and will continue to be but, and it is a big BUT, the information security community has been able to find ways to stop the piling on and have successfully mitigated billions in dollars in risks for our employers/customers.
The greater failure of information security (and maybe its too heavy handed to blame information security and not government and commercial leadership) is not in getting ahead of the bad actors but being part of the silent enabling population who through failure to adopt patching processes, spam filters, malware detection and eradication,... in other words a reasonable and robust information based security infrastructure, allow the repeated exploitation of themselves, their customers, and the larger cyber space. Not staying abreast of the bad actors is the larger problem. Getting ahead of the bad actors will occur and but realistically that is not where the large breaches and losses are occurring.
Crime is crime. Since that first caveman committed the first crime, all that’s changed is the weapon. In what universe has law enforcement gotten 'ahead' of the bad actors? Building bullet proof shields around bank tellers, installing cameras, hiring guards, using die packs,... all stopped previously identifiable methods of robbing banks. They did not 'get ahead' of the bank robbers. The robbers adapted with new techniques or went and robbed banks where these precautions had not been put in place. Why do we continually want to treat cyber crime as different?
Our national leadership, void since the beginning of this debate over three decades ago, needs to step up and address how to cajole, bribe, or mandate the deployment and implementation of EXISTING proven policies, technology, and processes to stop the bad guys. As that is put in place we should be looking at “what’s next” but lets fix the sucking chest wound before we address the high cholesterol of our patient.
Dirty Tricks: Social Engineers' Favorite Pickup Lines
Tabletop Exercises: 3 Sample Scenarios
19 Ways to Build Physical Security Into Your Data Center
Get instant notifications when whitepapers, webcasts and case studies are added to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
» More blogs
CSO Perspectives
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
Trend Micro ranked #1 against real-world malware. Read more.
64-page prescriptive guide to security, compliance, and IT operations.
Removing Barriers To Better Server Virtualization Efficiency
Mining for Gold: Cybercrime Prevention and the Role of Log Management
The Executive Guide to Data Loss Prevention
Organizations can spend up to 50% more on compliance efforts than necessary.
White Paper: A Security Blueprint Delivered From within the Network
Read the RSA report: Security for Business Innovation
Upgrading to VMware vSphere with vWire
Explore the increasing importance of log management as cybercrime threats grow.
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Implementing Best Practices for Web 2.0 Security
Five Ways to Reduce Your IT Audit Burden
THE IDG NETWORK