Cracking the secrecy culture

By Alex Kayle, Senior portals journalist
Johannesburg, 19 May 2009

Information security is facing a crisis and cyber criminals are reaping the rewards, says senior security program manager at Microsoft, Adam Shostack.

Shostack, co-author of 'The New School of Information Security' and founder of the consultancy company Informed Security, will speak at next week's ITWeb Security Summit at Vodaworld in Midrand.

He says upheaval in the information security industry involves a slowly unfolding crisis of credibility, as security technologists often have limited credibility with their managers and peers.

“We have a crisis of credibility because we lack data about outcomes. We want to justify our requests, but we can't. We can't say organisations who bought this product experienced 50% fewer break-ins than companies who bought that product,” he says.

“What companies should be doing is asking hard questions of those around them: Why do you think this is secure? How are you measuring that? Why do you claim that's a best practice? Have you tested it? What does it cost to implement, and what does it cost to operate? And at the same time, being ready to answer these questions.”

Out in the open

ITWeb Security Summit 2009

More information about the ITWeb Security Summit 2009 conference, which takes place from 26 to 28 May 2009 at Vodaworld, is available online.

Shostack calls for companies to become more transparent. He points out that US breach disclosure laws are forcing companies to become more open: they require companies to disclose certain breaches of the controls around private data, credit card numbers, social security or other national identification numbers, and medical information.

Shostack says chief information officers need to look at security in a holistic way and he will encourage people attending the Security Summit to talk to one another and be consistent in the advice they give their employees and customers about security.

“I think the first challenge is to overcome our culture of secrecy,” he says. “In the US, the intelligence agencies are talking about moving from 'need to know' to 'need to share'. There's a lesson there.”

According to Shostack, the second challenge is to marry the very technical end of security with the realities of human behaviour.

“Third is to understand that as long as some people have more than others, or some things are unique and rare, we're likely to have crime; so security is a never-ending battle,” he concludes.
