Tackling the Pressing One Handed Security Topics of the Day

I had some shoulder surgery on Thursday so I will ease back into the workflow with some short, typeable-with-one-hand subjects.

  • In past blogs we have talked about the ecosystem between Microsoft and the antivirus vendors. The “circle of life” is roughly: MS releases operating systems and software, software has flaws, cyber criminals exploit flaws, people buy AV software. In a recent article in Canada.Com a writer puts some numbers on the effect of an OS release for McAfee and Symantec. Of course, the writer does not single out security-related spend, so it is very non-specific. But it does put some real numbers into the context of enterprise valuation tied to OS releases and the “positive impact on the entire PC value chain.” There is nothing inherently wrong with such ecosystems and they evolve quite naturally in business. But sometimes protection of a comfortable, mutually beneficial ecosystem can slow innovation, and I am of the opinion that this is the case with IT security at times.
  • A new study shows CEOs and their management team often disagree on key security issues and the threats to the organization. In short, CEOs do not perceive their organizations as vulnerable, while the next level execs see a different picture. We are not talking wide layers of management between these two views, as many of the senior execs report directly to the CEO. There is clearly a disconnect and a false sense of security on behalf of the CEO, which leads to obvious issues in funding security initiatives. It would seem we still have some way to go in educating CEOs on the threat level and the potential impact to the organization.
  • Cyber criminals are doing brisk business with malicious sites aimed at those looking to download pirated copies of the new Harry Potter movie. A correlation between Harry Potter fans and computer geeks – who would have predicted?
  • I have led a charmed life and have not had surgery since I was six for tonsils (I never got ice cream, BTW – someone owes me because they always promise ice cream when you get your tonsils out). Prior to the surgery, I cannot tell you the number of times my identity was verified by someone who would look at the information on my bracelet and then ask me personally identifying questions. The number on my bracelet was continually cross-matched to the forms. I even had to initial the affected shoulder with the doctor. Such thorough multi-factor authentication was impressive and laudable, but the threat of malpractice is a major driver of such discipline. This takes us back to the cold hard fact that any security compliance is only as effective as the teeth behind it. Our CEO has been saying as much about the White House Cyber Security Policy and the need for enforcement teeth for it to succeed. What I saw at the hospital is policy driven by real monetary dynamics (avoiding malpractice) that is given high priority from the top.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
