Home > IT Blogs > Security Bytes > Is it time for security managers to get tough?
« Analyst calls Barracuda-Purewire deal proof of cloud dominance
A good business model: Symantec reports on “scareware” »
» VIEW ALL POSTS Oct 15 2009   6:18PM GMT

Is it time for security managers to get tough?



Posted by: Marcia Savage

With so many of the same security problems plaguing organizations year after year, it’s time to get tough, a health care security executive suggested Tuesday during a panel discussion at the Cornerstones of Trust 2009 conference in Foster City, Calif.

Connie Sadler, information security officer at Lucile Packard Children’s Hospital at Stanford, said some security challenges from 20 years ago continue today. Security managers started out as tough but became less so as systems became more distributed and employees did their own thing, she said.

“I think we’ve lost control,” Sadler said, suggesting a range of corrective steps, including whitelisting, better access controls, and punitive action such as fines.

“There’s no consequence for having a bad password,” she said. “Maybe there’s needs to be a consequence for not doing basic things…We need to introduce more discipline into our environment.”

But responding to a question from the audience, Sadler acknowledged that the tough approach needs to be balanced. “Don’t we need both the carrot and the stick?” asked security luminary Donn Parker.

“There does need to be a balance,” Sadler agreed. “People shy away from doing the right thing because they don’t have the knowledge… It comes back to us. We need to train people.”

The annual Cornerstones of Trust is co-hosted by ISSA’s Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.

  Bookmark and Share     Comment     RSS Feed     Email a friend

Comment on this Post


You must be logged-in to post a comment. Log-in/Register

MichaelSeese  |   Oct 16 2009   2:31AM GMT

I sometimes hate to say this out loud, because it sounds so draconian….but I really believe that if someone blatantly violates certain corporate security policies, he or she should be fired. I’m not talking about re-using a password; I’m probably not even talking about writing your password on a Post-It and sticking it on your monitor. But if someone shares his or her password with the person in the next cube and a breach occurs, or if he or she leaves a laptop on the front seat of the car, outside, overnight, and it gets stolen (which happened at my corporation), that person needs to be shown the door.

Once “heads start rolling,” others will take note and pay attention the next time there is a “security reminder” posted to the corporate intranet.

– Michael Seese, author of Scrappy Information Security


 

DanD  |   Oct 16 2009   6:57PM GMT

SOX had Lee Nails. PCI has TEETH! I’m currently dealing with IT managers who are resisting tightening security to meet PCI requirements. Then when they get the threat of non-compliance and costing their company $millions in additional credit card charges, they get religion. I don’t think change will happen till the dollar risk is greater than the fear of minor disconveniencefor a VIP and more dangerous to a manager/directors career. Every manager in the US talks the CHANGE GAME and laugh about their stolen cheese, but money walks the walk. Sorry if i got a little “CHEESY”.


 
Visit Information Security Home |   Information Security News  |  Information Security White Papers  |  Information Security Videos  |  Information Security Resources