Are your frameworks secure enough to combat criminal minds?

Nadhan on ‎02-25-2013 01:28 PM

Enterprises view the adoption of standardized security frameworks as a panacea for the challenges posed by our adversaries in the world of security. But are these security frameworks adequate? Do they inherently combat innovative criminal minds, which are constantly at work planning the next wave of attacks? Art Gilliland, Senior Vice President and General Manager, HP Software Enterprise Security Products, says these frameworks are not only inadequate but also set a low bar for enterprises, giving them a false sense of security. This message comes across loud and clear in Gilliland’s preview of his session, "Criminal Education: Lessons from the Criminals and their Methods," at the 2013 RSA Conference.


Gilliland’s assertion may surprise some, and be a wake-up call for others. Here is my characterization of the key points that he makes in this preview.


1. New market for data. According to the principle of Infonomics, originated by Gartner VP Doug Laney, we must proactively attribute value to raw data. There is a stock exchange for data out there, asserts Jessica Leber in the MIT Technology Review – a market that adversaries tap into effectively, selling stolen data at a premium to interested predators.


2. Opportunistic innovation. Enterprises have broadcast their compliance with regulatory policies through adopted standards, such as ISO and PCI. Adversaries closely monitor these frameworks and dynamically invest in innovations that exploit their inherent weaknesses.


3. Checkbox security. Security professionals use these frameworks as a way to guide the work done and the investments made. Initiatives to comply with these frameworks serve as an excellent trigger to obtain leadership support, based on failed audits. But in doing so, business executives are getting a false assurance by being trained to aspire to the low bar these frameworks represent, using a kind of “checkbox security.” They might say, to themselves and others in their organization, “We meet these five requirements, therefore we’re safe.”


4. Benchmarking. So what should enterprises do? Standardization on these frameworks is essential, but not sufficient, to address the onslaught of security challenges. Benchmarking oneself by sharing experience in managing risk across enterprises will help raise the bar. However, this would require a cultural change toward information-sharing across enterprises.


5. Conflicting forces. There are two conflicting forces in the new style of IT emerging in today's world: a) enterprises need to safeguard their assets, and b) shareholders are pushing IT toward new, potentially more vulnerable, infrastructures – such as cloud and mobility. Migrating securely to these domains is a daunting task, which keeps industry leaders like Gilliland awake at night.

You can get more insight into Gilliland's views during his keynote at the RSA Conference. If you are not attending, you can watch it live here.


In the end, being more educated on the tactics of our adversaries will help us build better defenses. Perhaps penetrating the hacker’s mind, using OODA techniques, may be an option. The RSA Conference also covers other techniques, such as psychology and gamification. It’s not just about blocking the bad guy. We should be smarter about the processes they use so we can effectively disrupt them at every stage.


When I think of security, I get the feeling that I am part of the “law” side of the TV show Law and Order, and have to strategize the next steps within 60 minutes to combat the criminal mind at work!


Connect with Nadhan on: Twitter, Facebook, LinkedIn and Journey Blog.
