Undercover: A Painful Lack of Security
Here is another good article. The gist of the article is that a security executive is having a hard time finding a job. He interviewed with a CIO and had a good feeling. Eventually an executive with an engineering background was hired. I know that security is overlooked and put on the back burner when budget cuts hit home. However, I agree that an executive with an engineering background was hired as the CSO. I.T. is in the engineering and operations business, PERIOD!!!! Security is there to support that business by following the CIA triad.
Let's examine the CIA triad. First we have Confidentiality: confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems. Next up, Integrity: in information security, integrity means that data cannot be modified without authorization. Lastly, and most importantly, Availability: for any information system to serve its purpose, the information must be available when it is needed.
In my experience, many security professionals forget about availability. Hence the need to hire someone with an engineering background. Engineers think outside the box; they find mitigation strategies rather than releasing untested patches and shutting down critical systems. If security were a CI duo, I could hire people to sit in a SOC (security operations center) for about 30k a year and would not need a CSO. However, given the importance of security, there needs to be a security officer who is a partner in the business of I.T., not sand in the gears!