What breakthrough does AT&T senior VP and chief security officer Ed Amoroso want from vendors? Try a bit of sanity. He spoke last week with editor-at-large Larry Greenemeier.
InformationWeek: Patching software has become widely acceptable, but can IT vendors and the industries they serve continue this way?
Amoroso: "Patch," unfortunately, is a euphemism for "error," for "mistake." And when you think of it as, "Here's a patch, and all I need is this little piece of software and everything will be all right," I think that glosses over what it is that we're really talking about here. Until you've lived through a problem that's exploited through one of these errors, you just don't get it.
InformationWeek: What's at stake for users who don't commit themselves to patching software as quickly as possible?
Amoroso: If you don't patch within a day or so, there are umpteen exploits all over the Internet that can be grabbed and put in a worm or botnet, harness, and just aimed at [unpatched] computers. Once you're caught, you now have a bot running on your computer. AT&T Labs estimates that on any given day there is a minimum of 10 million bot-infected PCs actively targeting other systems for the purpose of infecting, sending [distributed denial-of-service] attacks, sending spam, etc. That strikes me as a cancer on the Internet.
InformationWeek: How do we break this cycle?
Amoroso: The only way we'll ever get to the point where the software that powers our infrastructure is fully secure ... is to treat software engineering as a legitimate discipline. We completely underestimated how difficult it is to write software correctly.
InformationWeek: Is there some innovative new security technology that can put IT departments on equal footing with those attacking their systems?
Amoroso: I encourage [vendors] to recognize that when a building is crumbling, you don't build scaffolding around that building to prop it up. You figure out why the building is crumbling. We don't need more innovation, we need more sanity to recognize that we've got vulnerabilities in our software, and systems that are so complicated that you have no clue how people get in. ...
InformationWeek: How do chief security officers best work with CIOs?
Amoroso: We're usually joined at the hip, with many common goals. If you have a good CIO, ... then that CIO is going to be extremely demanding and not put up with holes in infrastructure, not put up with obvious problems, gaps in services, and so on.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.