Friday, August 08, 2008


All I can say to this is, 'bout time:

IT directors will play a dramatically reduced role in working with security professionals, says the Information Security Forum, which has issued a report that outlines how businesses' view of security is evolving. Chief risk officers, chief security officers and chief operation officers will be more involved in security strategy, according to the ISF. The change is fueled by Enterprise Risk Management and companies' increasing vision of merging physical security with information security, reports the ISF. Network World (07/31)
The downside of the above is that information security requires highly technical solutions, so either security talent has to migrate and disperse into IT organizations (not a bad thing), or strong ties between infosec talent and IT have to remain, or perhaps both. Otherwise infosec becomes all high-level strategy with extremely poor execution. The Network World article goes on to say:
fewer than 3 out of 10 information security professionals believe they are focused on delivering solutions to the business.
When you hear people talking about information security enabling the business, this is what they are talking about. The goal isn't simply to prevent or reduce risk. It's to enable the business to move forward with opportunities, but with a tolerable level of risk. To do that you have to come up with creative solutions: finding ways to say yes instead of no.
Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.
Infosec stepping away from IT makes it more difficult to build trust and alliances at the worker level, which is crucial to building a security culture where IT personnel help the security group rather than avoiding them. Appointing an infosec point of contact within the various IT organizations can help.

The upside of this move outside of IT is that the struggle between the sometimes opposing goals of IT and infosec can happen at a higher management level, where it often belongs. Infosec can gain a bit more authority, to be wielded very carefully, of course. This arrangement also gives security groups the proper business focus and provides better visibility of security issues to upper management.

Friday, August 01, 2008


So, how about that DNS vulnerability, huh?

Brings back memories of days gone by, when vulnerabilities and attacks regularly threatened the entire internet rather than being as targeted as they are now. Well, I guess this time there's a pretty ubiquitous hole that can be used for targeted attacks until folks patch. If they haven't, they're nuts.

Meanwhile... Dan K suggests using OpenDNS since they were fixed before many ISPs. Having one place provide DNS to a lot of people kind of paints a giant target on their backs, but then again that's no different from any major ISP's DNS servers. OpenDNS beat a lot of ISPs to the punch in patching, so maybe that is an indication of the kind of shop they run. Plus they offer content filtering, typo fixing, and phishing protection features. Nice.

But, you probably knew all that, right?

So why didn't you tell me? :)

Infosec Fortune Cookie Friday

It is written: One who swings the great bat of authority cannot spare a helping hand.