CIOs and their managers are simply being inundated.
They’re being inundated with information about what’s happening on their network. They’re being inundated with a flood of vulnerabilities and the patches needed to fix them. They’re inundated with trying to learn a new language — business speak. And with so much work and stress flooding in, it’s easy for an IT manager to get lost in the technical fog of war.
Linda McCarthy, the executive security advisor in Symantec Corp.’s Office of the CTO, says it’s a tough time to be a CIO, a network administrator or a security administrator. The founder and former president of Network Defense and the once manager of Security R&D at Sun Microsystems, Inc., McCarthy has just authored the book, ‘IT Security: Risking the Corporation’.
Here, she talks to eSecurityPlanet about the challenges facing IT managers.
Q: How are network security needs changing?
One of the biggest problems right now is that there is so much data. How do you collect that data and look at it and make sense of it? There are firewall logs, system logs, IDS logs. There’s so much data that you need good correlation and reporting mechanisms. It’s really, really important for companies to deal with.
Q: How well are companies dealing with the flood of security-related information?
They’re just realizing now that they need to do something about it. A couple years ago if you asked executives if they knew what an IDS was, they wouldn’t have known. Now they know it’s intrusion detection. Now we’re at the point where the technology is there. They just have to figure out how to deal with the data.
Q: What other obstacles are IT managers facing?
Another thing is understanding the different threats on the horizon. It’s all about understanding what threats are out there and what you need to protect your company from them… They don’t know what’s coming. It’s a big problem.
Q: Do you think all of the media attention on worms and teenage hackers sidetracks IT managers from the bigger picture?
I wouldn’t say they get sidetracked. It helps to raise visibility [about security issues] in the company at a high level. It sometimes helps to create awareness.
Q: Do you think IT managers are being heard at the executive level?
There’s a problem with the way people present information to the executive management. It’s not really clear. This technical information is not being simplified. From a systems level, it’s very difficult to uplevel that to an executive. You give them complicated information and too much of it. They’re not going to get it. They don’t have time to think about it, so they end up not understanding the threat.
Q: Is this IT’s fault? Are IT managers learning how to communicate with the business suits?
I wouldn’t want to pin it on IT. The information is complicated. Once it’s simplified at a systems level, it’s easier to communicate at a higher level. It’s not really a skill for a lot of people at an IT level, and especially not at a systems administration level. Companies that really know how to communicate security at a business level and can simplify technical information, they’re the ones who get money for their security efforts — and they have better security.
Q: Millions of companies are being hit with worms and viruses that could have been stopped in their tracks if the IT department had simply installed the necessary patches. But there are so many vulnerabilities popping up and so many patches to install, how can IT departments handle the deluge?
It’s not a simple solution or everybody would have all the patches installed today. The idea of keeping up with all the vulnerabilities relevant to your company and having the staff to install those patches is pretty overwhelming. You need patch management software that works on a large distributed network. Sometimes it’s a catch-22. There may be patch management software but somebody doesn’t have funding for it. Or they think they can have the systems administrators update the patches because that’s their job. It’s not that simple of a problem to solve.
Q: Is wireless technology throwing another wrench in enterprise security efforts?
Business doesn’t wait for security. Technology gets deployed because the business needs to run. Usually what happens is that businesses deploy technology before security is strong enough, and a lot of times that forces the solution… Definitely. I worry about it. I got a call today from somebody running a business that has deployed wireless technology and they don’t have a clue about it. They were already broken into and they don’t even know how it happened. If you deploy wireless without thinking about security, there’s a good chance that’s going to be a problem.