
Ignorance Is Dis

CSO addresses risk in its myriad forms

By Lew McCreary

December 09, 2002, CSO. Ignorance isn't always a bad thing. In fact, journalism makes a virtue, and a profession, out of ignorance. Good journalists are good at knowing what they don't know, and even better at finding the people who do know. The best of the breed live to learn new things, to which end they doggedly seek out the smartest sources to fill in the blanks. The practice of the craft over the course of a career amounts mainly to identifying fresh pockets of ignorance to conquer. And, hey, it's a living.

Having launched this magazine in September, we've already traveled what feels like a very great distance from relative darkness to greater light. I will confess that, in the spring of 2002, when I faced the prospect of starting a publication about security (I had plenty of help, but I've learned that when confessing, it's always best to speak for yourself), I might have thought something along the lines of "Geez, what a snooze." That was the initial reflex of someone who hasn't yet learned what he doesn't know. Like security vulnerabilities, ignorance is blameworthy only when it remains unremediated. In fact, it wasn't long until, having started to scratch beneath the surface of the topic, I began to grasp the size and complexity of what's involved. Not simply a matter of firewalls and viruses and hackers, security began to resonate with issues political, ethical, behavioral, managerial, philosophical, physical, logical, technological, sociological, cultural, criminal and military. You name it, it's in there somewhere. And, so, I quickly learned: not such a snooze, after all.

Now we are rapidly discovering that the CSO role, practiced at the highest level, has its arms around just about every activity an enterprise undertakes. The CSO editorial staff met recently with members of the International Security Management Association (ISMA). As articulated by its current president, George Campbell (see Letters, November 2002), ISMA's position is that security is a broad unified activity, making no meaningful distinction between the physical and logical domains. The CSO's beat encompasses all categories of risk, from safeguarding executives in Bogota to headquarters buildings in New York to customer information in distributed databases.

Among the most intriguing broad subtopics within the security domain are the assorted economic arrangements that surround risk management. Of all the duties of the CSO, risk management, writ large as in the ISMA rendition, is arguably the most important. Dan Geer, the CTO of a security consultancy called @Stake, notes that when security measures begin to consume too much productivity, they become "diseconomic." The role of the CSO is to make sure a balance is maintained between the solutions applied and their impact not just on vulnerability but on productivity and profitability as well. That is why we've dedicated our first special issue to helping readers prevail over risk. (The issue was spearheaded by Managing Editor Elaine Cummings and Senior Writer Sarah Scalet.) Risk management begins with an understanding of the business costs of unremediated vulnerability. Only when the costs are known can they be weighed against the economic potential of various business opportunities. Then the appetite for risk, in various quarters of the enterprise, can be expressed with reasonable accuracy.

While the focus of our examination of risk is corporate networks (where so much uncertainty still persists as to the costs of insecurity), the broader topic of risk management is relevant to all of the CSO's duties. We look forward to your reactions: mccreary@cxo.com.


Other stories by Lew McCreary
