Online fraud remains a major concern for chief security officers, but few feel their companies are doing enough to tackle the problem.
More than 85 IT security leaders discussed these and other issues during a CSO Interchange meeting held during the Infosecurity Conference in New York recently.
The Interchange was established by Howard Schmidt, chief security strategist for eBay, and Philippe Courtot, CEO of Qualys, to provide an opportunity for CSOs from various organizations to share ideas and lessons on IT security issues.
Even though attendees noted online fraud as a top worry, some 54 percent admitted that their companies have yet to deploy solutions to tackle such frequently occurring attacks like phishing.
Small budgets undoubtedly have something to do with this failure. Indeed, over 80 percent of CSOs said their security programs are still under-funded. And while 61 percent noted that security budgets have increased slightly over the past year, most security executives still feel they are not getting enough to meet various security demands.
And these demands run the gamut, with worms, viruses, trojans, regulatory compliance and data privacy noted alongside online fraud as the main security issues to contend with this year.
"I think there's a little cost-cutting [this] year," said one CSO from an educational organization, who wished to remain anonymous.
In an attempt to get around this, he and other CSOs try to relate security spending to business needs. Often, however, this can be difficult, since business leaders who simply want daily operations kept running "feel that firewalls are the magic key for everything," as a CSO from a large financial organization put it.
Still, building a business case for security is the main way to earmark additional funding for security programs, said Joyce Brocaglia, founder of recruiting firm Alta Associates who spoke at the event. "Your job exists to enable and maintain the business," she told the attendees.
Jamie Chanaga, CISO at Geisinger Health Systems, fully grasps the concept of security as a business enabler, given his work within the healthcare arena, where insecure software could prove fatal – literally.
During a CSO panel discussion that took place on another day during the Infosecurity Conference, he pointed out the problems that hospitals face patching MRI machines and other critical medical equipment connected to the IT infrastructure. Although such systems might not run embedded Windows, hospitals must be methodical in patching them due to FDA regulations and concerns over possible negative effects of the patch.
Along with Chanaga, Larry Brock, the CISO of Dupont, Christopher Hoff, the senior director for enterprise security at giant credit union Wescorp, Mary Ann Davidson, the CSO at Oracle, and Qualys's CTO Gerhard Eschelbeck, were bombarded with questions from the panel's moderator Pete Lindstrom, research director of Spire Security, about their efforts to keep exploits at bay.
Chanaga, Brock and Hoff commented that network segmentation nowadays played a big role in their security strategies. The concept of vulnerability shielding, which temporarily protects the application while a patch is produced, was also discussed.
Chanaga has also taken steps to make software vendors responsible for the security soundness of their products.
"We provide vendors with a system's requirement document that not only encompasses general IT requirements, but has a specific section on IT security requirements (such as audit trails for user access, network connectivity and security, application and system security such as password enforcement, and so on)," he later explained.
"Working with vendors in this collaborative manner allows us to have vendors either secure their products before bringing them into our production environment or allows us to place our own internal controls to mitigate security deficiencies. It is all about business need, security requirements and collaboration by all involved."
The wide-ranging debate among panel members touched on the subject of vendor liability and whether there should be laws in the U.S. to protect companies against insecure software, but in the end, the consensus was there was no need for regulations.
And although patching strategies for individual businesses dominated much of the talk, Oracle's decision to issue patches only every 90 days also received some focus, along with the cost of making vendor software totally secure. To the latter point, Dupont's Brock said that in certain situations his company would pay more for more secure software.
On the last day of the conference, it was standing room only at another session entitled 'Best practices for securing wireless technologies.' Very few of the companies represented by audience members had implemented wireless networks, given grave doubts about securing those networks.
The panel, which included representatives from Black Hat, Nokia Enterprise Solutions, SonicWALL, AirDefense and Hewlett-Packard's ProCurve Networking Business, tried hard to convince the attendees that securing a wireless network was similar to securing a wired one. However, the audience made it clear they needed more convincing yet.