Alan Paller on cutting through the bull
Alan Paller of the SANS Institute delivered the first talk of the day at ISSA-LA's Security Summit IV, focusing on the keys to being a successful security leader. A lot of those keys involve cutting through the bull (my words, not his).
"Everyone in information security has an opinion," he said. "But the attackers are fighting us with weapons, not opinions."
The first misconception he suggested people cast aside is that CEOs don't get security and need to be persuaded that it's important.
"CEOs don't need to be persuaded, contrary to what people say," Paller said. "The problem is that they're not buying your proposed solution."
Security practitioners can no longer persuade the CEO simply by being an "expert" and saying they need to spend money on new tools and procedures, he said. The era of compliance is over because despite all the technological investments made in the name of compliance, systems are still not secure.
CEOs have the following questions, Paller said:
--What do I have to do?
--How much is enough?
--Who can I trust to answer these questions?
"Security leaders can answer those questions," he said. As to what makes a leader, he started by saying a real leader doesn't talk about all the things he or she has to do; a real leader simply focuses on fixing the core customer problem. Leaders are also recognized by customers and users as the go-to person, people want to work for them, and they enjoy a level of economic success.
As one example of a true leader, Paller pointed to John Streufert who, as CISO of the State Department during the Operation Aurora attacks, got the exploited vulnerabilities fixed in short order. One thing Streufert did was hand out daily grades to his team. Winners got As and losers got Fs. "The results were posted daily, but he gave people a chance to work their way up to an A before sending the winners list to (Secretary of State) Hillary (Rodham Clinton)," Paller said. "When you're graded daily, you tend to fix things faster."
He ended with another characteristic of a true security leader: the ability to find talent. "You need to find the talent -- the people with the technical skills. These people are the tanks in the next war," he said.
One example of how to find talent, he said, is to organize cyber camps and have hacking contests. He noted that for many of today's youth, hacking is the new video game. Kids are out there breaking into systems every day, and by holding cyber camps and contests you can find the more talented among them.