There is little innovation in the security industry and the same advice shows up ad nauseum. Take this article at Dark Reading, What Every CFO Should Know About Security Breaches. is a recent example.
TYSONS CORNER, VA. — CEOs and CIOs have gotten religion about cybersecurity, but what about those who hold the purse strings? Experts say they need a hard lesson, too.
Three clichés in a row and we haven’t even cleared the first paragraph. It is followed by the same kinds of advice directed, supposedly at CFO’s who we all know show up in force at security conferences to be lectured to by “experts.”
Let’s look at some of the advice our panelists hand out. Quoting one of those
Pokemon Ponemon Institute estimates with big scary numbers,
“What that says is that it pays to make the right [security] decisions from a financial perspective.”
Thank you genius, there is almost no CFO on the planet who endeavors to do that. Next up this joke,
“In some ways, security is IT’s revenge on the finance department — they say, ‘You don’t understand what we do, so we’ll spend your money however we like,” joked Kevin Mandia, CEO of security forensics firm Mandiant.
Perfect, that should get a larger budget for next year. Then this,
Michelle Schafer, vice president of the security practice at public relations firm Merritt Group, said companies should take the time to develop a breach response program — and rehearse various scenarios — before a compromise occurs.
Glad they brought you along Michelle. No CFO has ever heard of an incident response team. One more precious nugget unearthed from the finest minds,
“It’s so easy to go off spending money on security without knowing what you’re doing,” Moodispaw said. “We’ve seen companies look at firewalls and say, ‘Hey, if one is good, then we should buy five or six.’ You need to counsel your organizations to think twice about buying the latest, hottest things and focus on what works.”
What works has been known for a long time too. If they are buying crap they don’t need to entertain the infosec team, fire the manager. The odd thing about this article is the total absence of any quotes from the “CFO’s” who were the target of this panel. I suppose that is because if you interviewed them you find an accounts payable analyst who went to get out of the office instead of a CFO. I sat in the audience on a panel discussion that was aimed at CEO’s out of curiosity years ago. Only two hands went up of the twenty or so people there when they asked who was a CEO. One left before the panel was over, talking on his (then) status signaling Blackberry as he walked out of the room.
There appear to be only two kinds of security articles, the recycled advice like this one and, of course, the “they just don’t get it” story. We have reached the point where we should be writing better software so a casual user can click on any link or open any file without fear of surreptitious installation of malware. We haven’t; we won’t because time to market and return on investment will always predominate.