IT departments know that they need to modernize, but a fundamental
cultural change requires leadership from the top of the org chart, said one consultant and author.
“This is not just information security,” John Pironti, president of IP Architects, told
InternetNews.com. “This is true business alignment.” Pironti will be giving a speech on the subject, called “Information Security 2.0: Transforming Information Security to Information Risk Management,” this week at the ISACA
“Security has to start at the top,” he said. The board of directors of the company decides where the risks lie. The IT manager becomes the Chief Information Security Officer (CISO), reporting to the CIO and also to the board.
“Most security people don’t understand risk — they understand threats,”
Pironti said. “Threats are just one input into the risk equation. Others
come from operations, strategy, and marketing.
“Where does the business find value? Most executives are more worried
about availability than security,” he added. “Organizations will sometimes
leave systems up if they’re compromised because availability wins. You don’t
need security if you can’t have availability.”
Pironti explained that he’s not arguing for less security. In some cases, less security may make sense. “If it’s marketing data that I give away at trade shows and I want people to have it, then go ahead and sniff away on the network.”
Instead, he argues for more appropriate and effective security. “I’m arguing for a meaningful analysis of security needs based on conversations, deployed in areas with a high threat likelihood and a high impact to the business if a threat occurred. The many controls now in place may not make sense.”
For example, Pironti said that many datacenters have bulletproof glass
even in non-military environments where a frontal assault on the datacenter
is not expected.
“If we have other filters, do we still need a stateful inspection firewall? It’s still required by standards. Heartland is doing end to end
encryption. Ironically, it can take away the ability to do network
protection by disabling the ability to inspect traffic. So when you
implement security, you need to think about what threat you are worrying
Pironti said that compliance standards are threat-based, not risk-based,
and can be an obstacle to changing the IT mindset. “My biggest fear is
security by compliance. It’s spending all your time thinking about an audit
and none thinking about what’s important to you. The PCI conversation is
outdated in my mind. PCI is a baseline and I think we need to move beyond
He added that the FTC’s Red Flags Rule was manipulated by lobbyists so
that the banks could meet the standard immediately.
Even Heartland, which suffered a real breach, should think about costs as
it implements stronger security. “Heartland was off the PCI lists for two
months. It was fined $7 million to $12 million. Senior business leaders know
that they can mitigate that risk with insurance. Why buy $14 million of
controls when instead you can buy less and also buy insurance?”