Yesterday you read about Mike’s background and his view on information security. One major point he makes is that security is not about technology, it is about business. He draws on his long experience as a security professional to teach others how to avoid making the same mistakes he did.
In his book “Pragmatic CSO”, Mike covers 12 steps to becoming the Pragmatic CSO. It is a must-read for security professionals.
Availability
KR: Mike, please elaborate on your view of information security for our readers.
MR: Look back to my 5 reasons to secure as described yesterday. That really says it all.
But I should clarify one point: I think of a BUSINESS SYSTEM as a set of technology assets that, taken together, automate a business process. That is the language that the CEO uses. They think in terms of the manufacturing or the order entry systems, not the routers, switches, servers, and application software that make up the system.
KR: So the CSO needs to understand the full complexity of how the technology impacts the business, kind of get the bird’s-eye view. Why is this so important?
MR: We need to protect the system in its entirety, not just focus on making sure the network or the server is kind of protected. Maintaining Business System Availability is the first reason we secure anything, and it has a pretty key impact on business.
The threats
All security profiles give their view on three major challenges businesses meet in 2007. From a security point of view, of course!
KR: Mike, this is the section we have all waited for. What do you believe are the major challenges businesses face in 2007?
MR: Becoming relevant to business leaders - Not to beat a dead horse here, but the problem most information security professionals have is that they can't talk the language of business. I don't promise miracles via the Pragmatic CSO (http://www.pragmaticcso.com), but it does lay out a process to build up credibility with the business leaders and to address these issues/challenges.
KR: So if the security pros do not get their CEOs to see the connection between business and security, the company won’t make the investments necessary to adequately protect their information assets.
MR: Yes. The second threat is protecting applications - The path of least resistance for the bad guys now is through the applications. Tomorrow's security professionals need to understand application architectures, including Web 2.0 technologies and SOA, and how to protect against attack vectors that probably don't exist today.
Brute force denial of service attacks are out of style. The bad guys are perfecting cross-site scripting, AJAX hijacking, and a host of other application oriented attacks that your firewall can't do anything to stop.
KR: Technology evolves and introduces new threats. New threats call for new countermeasures. This will keep a lot of people busy in the years to come. This is another reason for the security pros to communicate at the same level as management.
MR: Finally, leveraging compliance - Most security professionals hate audits and their auditors. It's a shame because the auditor is there to help and has the same goal as you - protect the information assets of the organization.
If we treated the auditors as colleagues and peers, as opposed to enemies - we'd be much better off. The auditors have seen a lot of stuff that many corporate folks only dream about (or read in newsletters like mine - http://securityincite.com/security-incite-rants/daily-incite) and they can help you to understand the risk and fix it.
I know it sounds weird, but a key message of the Pragmatic CSO is that the auditor is your friend, not your enemy.
According to Mike, if you follow his 12-step guide, your job will be so much more fun. But most importantly, you will get your say at the management table. You will be in power. And you will understand the impact your job has on the business, and vice versa.