How to Keep Tabs on Technology

Today's unavoidable reality is that security execs need to stay on top of a plethora of emerging technologies and threats in order to keep disaster at bay

June 01, 2004 — CSO — Firewalls. Hackers. Intrusion detection. Event correlation. Web services and file sharing. Application vulnerabilities. With all the things a CSO has to worry about, it's a wonder you're all not curled up in a corner, bathed in sweat and muttering nonsense to yourselves. Today's unavoidable reality is that security execs need to stay on top of a plethora of emerging technologies and threats in order to keep disaster at bay.

Ask Gene Fredriksen, vice president of information security at Raymond James Financial, how he and his staff stay current, and the short version of his answer is, "Through every avenue possible."

Fredriksen assigns software security engineers in his group to track new technologies in their areas of expertise. So, for example, one of these senior-level specialists follows intrusion detection and protection. That entails working with the current vendor, watching other vendors in the space and briefing the rest of the group on emerging technologies and methods. Fredriksen then uses that information from his staff to help develop his group's annual strategic and operations plan (which, as a side note, he believes every infosecurity group should have). "We also read the magazines, read reviews, talk to peers and participate in working [and industry] groups," he says, specifically mentioning BITS (a financial services industry organization), Information Systems Security Association (ISSA), InfraGard (the FBI's private- sector outreach initiative) and a variety of security meetings hosted by vendors.

While following what's new in the security marketplace is important, tracking emerging threats is the heart of an info-security program. Fredriksen relies heavily on the financial services information sharing and analysis center (FS-ISAC) to pass along information on cyber-attacks. "I get more of a real-time sense of what's happening in our industry," he says. He also gets alerts from Guardent, a managed security services provider that has intrusion detection sensors on some of the external points on his network. "What they're seeing around the globewhere they have all their sensorsallows me to correlate with my sensors. If I'm seeing some kind of attack on my sensors, it's very valuable for me to know if only Raymond James is seeing the attack, or if it's a U.S. [attack] or a broad denial-of-service attack on the Internet," he says. Those same sourcesindustry and working groups, vendors—also help him track future trends, vulnerabilities and exploits.

To make sure information is shared internally, Fredriksen holds weekly infosecurity meetings to track action items. He also sends out monthly, management-level reports. The first part of each report tracks metrics and trends. The second part discusses emerging threats, analyst forecasts and general security news. Sending these reports keeps infosecurity uppermost in executives' minds, he says, and he highly recommends the practice to those security execs who complain that senior management doesn't "get" security.