Category: Trends

The survey found that 725 new software flaws in the third quarter of this year, down slightly from 727 found in the second quarter.

However, the 823 new worms and viruses that appeared between July 1 and September represented a 26 percent increase from the previous three months.

“The window of time between vulnerability disclosure and the release of a working exploit continues to shrink, leaving enterprises with even less time to learn about and prevent attacks,” Chris Rouland, vice president of Internet Security Systems’ vulnerability research team, said in a prepared statement.

Security software maker Symantec also pointed to anecdotal evidence that the time was shrinking between the first public mention of details of a software flaw and the release of code exploiting the flaw.

Three serious Internet attacks–MSBlast, MSBlast.D and SoBig.F–struck in August.

The Computer Emergency Response Team (CERT) Coordination Center’s latest report indicates that the number of flaws that will appear in 2003 is likely to be smaller than in 2002.

That’s a first: Between 1999 and 2002, the number of vulnerabilities recorded by CERT roughly doubled every year.

More info: [url=http://news.com.com/2100-7349_3-5108921.html?tag=nefd_top]http://news.com.com/2100-7349_3-5108921.html?tag=nefd_top[/url] and
[url=http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?oid=23118]http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?oid=23118[/url]

The CEO’s primary responsibility is the strategy and direction of the business.
Security should be a concern but CEOs usually have a dozen other things in line ahead of it.

The paramount issue for the CFO is controlling costs. CFOs are not supporters of visions of robust, feature-rich and flexible architectures. Their reason is simple—they cost too much. The CSO must make the CFO understand that centralization of the security vision and spending will ultimately save money. The CSO must also initiate a Net Security Risk (NSR) exercise to calculate the financial risk of avoiding security spending.

The CIO keeps the business systems up and running. CIOs are already battling with the CFO for system budgets. In the wake of that battle, security is squeezed as a “nice to have.” For the CSO to succeed, the CIO must make it clear to the IT professionals that security is a part of all technology and a critical part of their jobs; failing to take this into consideration will lead to immediate termination.

The CTO establishes the technology direction of the company. The CTO, however, should not be in charge of the daily operational responsibilities of the business and should not be tasked with security operations among other technology decisions.

The COO is the battlefield commander responsible for the day-to-day operations of the company. Security adds an additional step to all other business and operational life cycles and thus requires more time, more people and more money, all of which are not central to the COO’s charter. Now there are personal privacy regulations in financial services and health care that make it a legal obligation to secure online information as well.

The CSO is responsible for physical and technology security. The CSO must then communicate this vision across all departments and business units.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/global_1000_companies_should_hire_a_chief_security_officer_by_the_end_of_2005.html?tag=tu.fd.sc.link]http://techupdate.zdnet.com/techupdate/stories/main/global_1000_companies_should_hire_a_chief_security_officer_by_the_end_of_2005.html?tag=tu.fd.sc.link[/url]

The comments came during a media round-table session at the Gartner Symposium and IT Expo, which began today in Sydney, Australia.

The director, Rich Mogull, told journalists that despite the incidence of high profile digital attacks, cyber terrorism is a phenomenon that has never occurred.

Even though there were examples of attacks that have physical consequences – they could not be described as terrorist acts, Mogull explained.

Mogull maintains the argument is largely academic – it doesn’t matter who’s attacking an organisation, it should be doing the best it can to protect itself in the first place, whether attacks are coming from criminals or “cyber terrorists”.

Let’s look at protecting ourselves by closing the vulnerabilities we know exist, and protecting ourselves from the attacks that we know exist,” he said.

More info: [url=http://www.silicon.com/management/government/0,39024677,39116842,00.htm?foo=’Cyber%20terrorism’:%20Don’t%20believe%20the%20hype%20says%20Gartner%2011–11]http://www.silicon.com/management/government/0,39024677,39116842,00.htm?foo=’Cyber%20terrorism’:%20Don’t%20believe%20the%20hype%20says%20Gartner%2011–11[/url]

Firewall are seem as an essential part of an overall security strategy. The only other technology or security strategy that was seen to have greater promise was disaster recovery.

“Firewalls are rapidly evolving in their roles, and the boundary between firewalls and other infrastructure elements is becoming blurry,” said Fred Cohen, an information security luminary and an analyst with the Burton Group. For example, special firewalls are needed to screen XML transmissions, which can sail through most firewalls.

No one would argue that a modern company with a network doesn’t need a firewall at the gateway, but there are some differences of opinion over whether personal firewalls are needed.

Cohen does recommend personal firewalls for users who access a network remotely with laptops.

The specialization of firewalls means there will be tradeoffs, Cohen said. There is the tension between the idea of a distributed approach and the idea of a centralized one. “The lack of a clear picture [integrating] intrusion detection, special-purpose filtering devices and other services into infrastructure makes many enterprises hesitant to adopt integrated firewall solutions until the market clarifies,” Cohen said.

More info: [url=http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci936078,00.html]http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci936078,00.html[/url]

North American IT budgets are expected to increase to $729.2 billion next year, up 1.7 percent from the level anticipated for this year, according to a survey of more than Get Up to Speed on…

Forrester itself says budgets could grow as much as 4 percent, as IT spending catches up with the economy. “More firms are saying they expect their budgets to increase over last year.

More than half the companies surveyed listed risk management initiatives as their top priority for next year.

Companies are also interested in upgrading their PCs next year, with 27 percent of those surveyed saying they expect to spend more–an improvement from 24 percent anticipated for this year.

And the percentage of IT buyers who expect to spend less in 2004 declined to 24 percent, compared with 27 percent for this year.

Software licensing and development, meanwhile, will be a more challenging environment. The percentage of those anticipating a 2004 spending increase in those areas fell to 30 percent, compared with 35 percent for this year.

Although most companies are anticipating upgrades or a major applications deployment next year, any rollouts will likely span a long period of time, resulting in a decline in anticipated applications budgets next year, Pohlmann said.

More info: [url=http://news.com.com/2100-7355-5105143.html?tag=guts_lh_7355]http://news.com.com/2100-7355-5105143.html?tag=guts_lh_7355[/url]

When it comes to budgets, less can be more.
Compare, for instance, your security budget with the annual salaries of professional football players. You’ll find that both are based on tangible and intangible valuations.

For many CSOs, their departments’ cost-center status is not just an accounting designation, it’s a state of mind. The good news is that the CSO is no longer the corporation’s poor relation.

In a worldwide study conducted by CIO (CSO’s sister publication) and PricewaterhouseCoopers released in October of this year, approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits.

When asked to compare their 2003 security budgets with 2002, 45 percent of the survey’s respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.

It turns out that increasing funding is not just a wish or a goal for the CSO, it’s a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more.

When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.

Tips:
– Be the Chief Self-Esteem Officer
CSOs need to be calm, deliberate and forceful.
– Don’t Pass the Buck, Pass the Check
Look at exactly what is included in the security budget. Are there projects and programs that shouldn’t be there? CSOs must do the legwork of selling business units on the benefits of new security technologies and programs.
– Practice Pavlovian Security
CSOs can save themselves considerable budgetary wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions.
– Become a Fast Follower
Security is one area where there is no prize for first place. That’s especially true when CSOs waste their budgets on new technologies that aren’t quite ready for prime time.
– Communicate Early and Often
CSOs may be good at talking with their teams, but when it comes to their executive peers, they’re typically not as skilled.
– Believe in Vendors
Turn those arm’s-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you’re already paying them and offload security tasks that you don’t have the budget to do in-house.
– Use People, in a Good Way
“I would rather pay more money and have less officers than have a whole bunch of officers that don’t know what they’re doing”

Security doesn’t have to make money—most of the time it’ll be a cost. One area that most CSO agree is ripe for finding cost savings is in guard contracts. That’s challenging because guards become “an emotional fixture.”

More info: [url=http://www.csoonline.com/read/110103/money.html]http://www.csoonline.com/read/110103/money.html[/url]