Some infosec pros need to kick themselves, panel told

Canadian infosec pros aren’t doing their jobs if they spend more time on buying technology than implementing simple but effective measures.

That was the consensus of their peers, who gave IT security managers a rough ride at a panel discussion Thursday on emerging security issues.

“Security professionals in general don’t do a great job of creating metrics that’s easy for human beings to consume,” said Ben Sapiro, senior director, security privacy and compliance at Vancouver-based Vision Critical Communications Inc., a cloud-based platform for building customer communities.

Too often they talk in technical terms business managers don’t understand, he said. “You don’t have to achieve perfect, you just have to achieve good enough” when explaining the security impact of a decision.

Ideally what CISOs should aim for is “pragmatic decision-making by the business with the tool and the guidance provided by the security people.”

Sapiro was part of a panel assembled for reporters by security consulting and managed security provider Scalar Decisions Inc. as the company announced its new 3,000 sq. foot security operations centre in Toronto. That’s more than three times the size of the previous SOC.

Others on the panel were Marc LeCuyer, area vice-president for Canada at RSA Security; Rafael Etges, executive advisor for risk, cybersecurity and compliance at Toronto’s Strata Advisory Group; Benjamin Boi-Doku, co-founder of the EOSENSA risk and advisory services firm that was just bought by Scalar; and Scalar CTO Ryan Wilson.

Boi-Doku had hopes that the so-called next generation CISO will be able to talk to the business side of the organization in terms they understand. But, he added, “a lot of CISOs I encounter aren’t able to talk in business in that language.”

They certainly didn’t show much sympathy for their peers at times. LeCuyer said there are simple things CISOs can do to prevent or slow attackers, such as vulnerability risk management and security awareness that don’t involve spending money on technology.

“I work with a lot of large organizations in Canada and you have no idea — from the CEO right down to the security people they’re still clicking on phishing emails,” he complained.

Sapiro argued that because organizations have a more “permissive” attitude in allowing employees to use technology, IT security pros “are forced to buy more and more sophisticated technologies to account for each of the edge cases our users stumble against.”

A lot of organizations focus on zero-day attacks, said Wilson, but 99.9 per cent of successful breaches last year were due to vulnerabilities that had existed on systems for over a year. “We have an IT hygiene problem first to fix before we get to the sophisticated advanced attacks,” he said.
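The hygiene point above, together with Sapiro’s remark about metrics that non-specialists can consume, comes down to one number: what share of open findings have sat unpatched for more than a year. The script below is an added example, not code from the article or from any of the panelists’ companies; it assumes a constructed inventory in which each open finding carries the date a scanner first reported it, and it produces both the raw figures and a one-sentence summary a manager can read.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory (not real scan output): one row per open finding.
# "first_seen" is the date the finding was first reported on that host.
# Vulnerability ids are placeholders, not real CVE numbers.
SAMPLE_FINDINGS = [
    {"host": "web-01", "vuln": "EXAMPLE-VULN-1", "severity": "high", "first_seen": date(2014, 11, 10)},
    {"host": "web-01", "vuln": "EXAMPLE-VULN-2", "severity": "medium", "first_seen": date(2016, 3, 20)},
    {"host": "db-02", "vuln": "EXAMPLE-VULN-3", "severity": "critical", "first_seen": date(2015, 1, 15)},
    {"host": "mail-01", "vuln": "EXAMPLE-VULN-4", "severity": "low", "first_seen": date(2015, 9, 1)},
    {"host": "laptop-17", "vuln": "EXAMPLE-VULN-5", "severity": "high", "first_seen": date(2015, 3, 30)},
]

# Constructed "today" so the example is deterministic.
AS_OF = date(2016, 4, 1)


def age_days(first_seen, today):
    """Days a finding has been open as of `today`."""
    return (today - first_seen).days


def hygiene_report(findings, today, stale_after_days=365):
    """Summarise how much of the open-finding backlog is older than the threshold.

    Returns plain numbers rather than scanner jargon so the result can be
    read by someone who does not run the tooling.
    """
    total = len(findings)
    stale = [f for f in findings if age_days(f["first_seen"], today) > stale_after_days]
    stale_pct = round(100.0 * len(stale) / total, 1) if total else 0.0
    oldest = max((age_days(f["first_seen"], today) for f in findings), default=0)
    return {
        "total": total,
        "stale": len(stale),
        "stale_pct": stale_pct,
        "oldest_days": oldest,
        # Which hosts carry the year-old backlog: where patching effort should start.
        "stale_hosts": sorted({f["host"] for f in stale}),
        # Severity mix of the stale set, so "critical" backlog is visible at a glance.
        "stale_by_severity": dict(Counter(f["severity"] for f in stale)),
    }


def summary_line(report, stale_after_days=365):
    """One sentence in business terms, the kind of metric the panel asked for."""
    return (
        f"{report['stale']} of {report['total']} open findings ({report['stale_pct']}%) "
        f"have been unpatched for more than {stale_after_days} days; "
        f"the oldest is {report['oldest_days']} days old, "
        f"on {len(report['stale_hosts'])} host(s)."
    )


if __name__ == "__main__":
    rep = hygiene_report(SAMPLE_FINDINGS, AS_OF)
    print(summary_line(rep))
    for host in rep["stale_hosts"]:
        print("  stale backlog on:", host)
```

The threshold is a parameter because the year in Wilson’s figure is a reporting convention, not a law; a team that wants to track a 90-day service level can run the same report with `stale_after_days=90` and chart the percentage over time.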

Etges argued that for CISOs to have an impact in organizations there has to be a “culture change,” and they have to talk to management about risk management. “If you’re just supplying technology you’re going to have a very short term effect – maybe that’s what you want, maybe that’s what you need to make a good convincing business case for the CFO.”

Asked by a reporter why infosec pros aren’t doing better, LeCuyer blamed “budgeting inertia” — which he described as defending the stack of technology they’ve bought.

“To me it’s a spending problem. When they sit down I don’t think they’re looking at ‘Let’s step away from technology and the security operations centre for five minutes and look at how it’s actually happening’ … We love tools, we like gadgets.”

Asked what will change that attitude, Sapiro replied, “We need not give ourselves a kick.”

At the same time some in the group had sympathy for the CISO. RSA’s LeCuyer, for example, said vendors have done a good job of “confusing our customers” about traditional protection security tools. The “next-gen anything” is available, he said.

“I do believe from the heart that vendors are stepping up and admitting there are gaps (in their products) and are investing R&D in that space.” There are emerging technologies in detection and response solutions, he added, but “our customers need to step up and spend there… it is a spending issue for me, less of ‘Are we doing the right things.’”

Wilson agreed, saying customers aren’t buying “leading edge” technologies that can stop threats.

On the other hand, Sapiro recalled doing research with Etges several years ago that suggested when CISOs have bigger budgets they didn’t necessarily get better outcomes — although he said the research indicated that instead of buying newer technology they bought “more of the same.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
