Enterprise Services

Are your frameworks secure enough to combat criminal minds?

Nadhan on 02-25-2013 01:28 PM

Enterprises tend to view the adoption of standardized security frameworks as a panacea for the challenges posed by our adversaries. But are these frameworks adequate? Do they inherently counter the innovative criminal minds that are constantly at work planning the next wave of attacks? Art Gilliland, Senior Vice President and General Manager, HP Software Enterprise Security Products, says these frameworks are not only inadequate but also set a low bar for enterprises, giving them a false sense of security. This message comes across loud and clear in Gilliland's preview of his session, "Criminal Education: Lessons from the Criminals and their Methods," at the 2013 RSA Conference.



Gilliland’s assertion may surprise some, and be a wake-up call for others. Here is my characterization of the key points that he makes in this preview.


1. New market for data. According to the principle of Infonomics, originated by Gartner VP Doug Laney, we must proactively attribute value to raw data. There is a stock exchange for data out there, asserts Jessica Leber in the MIT Technology Review, and adversaries tap into that market effectively, selling stolen data at a premium to interested buyers.


2. Opportunistic innovation. Enterprises broadcast their compliance with regulatory policies through adopted standards such as ISO and PCI. Adversaries study these same frameworks closely and invest their innovation in the weaknesses the frameworks leave uncovered, knowing that a compliant enterprise has probably stopped at the framework's requirements.


3. Checkbox security. Security professionals use these frameworks to guide the work done and the investments made. Initiatives to comply with them, often triggered by failed audits, are an excellent way to obtain leadership support. But in doing so, business executives receive false assurance: they are trained to aspire to the low bar these frameworks represent, a kind of "checkbox security." They might say, to themselves and to others in their organization, "We meet these five requirements, therefore we're safe."


4. Benchmarking. So what should enterprises do? Standardizing on these frameworks is necessary but not sufficient to address the onslaught of security challenges. Benchmarking against peers, by sharing experience in managing risk across enterprises, would help raise the bar. However, this requires a cultural change toward information-sharing between enterprises.


5. Conflicting forces. Two forces pull in opposite directions in the new style of IT emerging today: a) enterprises need to safeguard their assets, and b) shareholders are pushing IT toward new, potentially more vulnerable, infrastructures such as cloud and mobility. Migrating to these domains without lowering the enterprise's defenses is a daunting task, and one that keeps industry leaders like Gilliland awake at night.

You can get more insight into Gilliland's views during his keynote at the RSA Conference. If you are not attending, you can watch it live online.


In the end, being better educated on the tactics of our adversaries will help us build better defenses. Getting inside the attacker's head, using OODA (observe, orient, decide, act) techniques, may be one option. The RSA Conference also covers other approaches, such as psychology and gamification. It's not just about blocking the bad guy: we should understand the processes attackers follow so that we can disrupt them at every stage.


When I think of security, I get the feeling that I am part of the “law” side of the TV show Law and Order, and have to strategize the next steps within 60 minutes to combat the criminal mind at work!


Connect with Nadhan on: Twitter, Facebook, LinkedIn and Journey Blog.

