CSI 2008: Brian Snow's Assurance And Controls - InformationWeek

Commentary
11/17/2008
12:50 PM
Mike Fratto
Brian Snow's keynote at CSI 2008 started with an amusing graphic of a guy pouring gas over his head while lighting a cigar. The message was that we always take risks, even when we aren't aware of them. Snow learned a thing or two about risk while working at the NSA for 20 years, ending as technical director for information assurance. Information risks, he points out, are moving targets, and information security programs need to be adaptable and well designed.

Snow briefly related a story about fielding a secure battlefield communications system. During the process, they looked at the threats they had to overcome, among them eavesdropping, jamming, and location of the transmitter.

They had to factor in these issues during the design phase. Radio, even directed broadcasts, spreads in unintended ways. Eavesdropping was a potential threat. Even with the best encryption, an enemy could jam the signal, cutting off communications and, finally, the enemy could track the location of the radio transmission and attack it directly. Snow's illustration shows that threats are dynamic in nature and the only way to get ahead of them is to be proactive.

Exacerbating the problem, Snow points out, is that security product vendors aren't proactive in their feature sets. Their primary goal should be protecting their customers, not just turning a profit. Waiting until the vendor hears customer demand isn't an excuse to delay adding features that will protect customers from attackers.

I can't tell you how often I have heard vendors state they will add a feature only when there is customer demand. That position is short-sighted and ill-conceived. Customers won't always demand new features -- either they don't realize a feature would be useful, they can't articulate what they need, or the message doesn't make it from the salesperson to the development team. Even if a customer does demand a feature, that doesn't mean it gets built. How many customers does it take to get a new feature instituted?

Obviously, information security doesn't begin and end with products, and Snow talked through seven topics -- location, robust control, assurance, cross-disciplinary work, human interface, management, and mutual suspicion -- that are all critical to an information security program. I found the robust controls and assurance the most interesting topics and they integrate nicely.

Robust controls work even in a hostile environment. There's no definitive metric for robustness, but a control has to be hardened enough that an attacker can't bypass it, and it can't depend on the surrounding environment behaving nicely. Assurance is the evidence that the product or process will behave predictably even in the face of a malicious attacker. That evidence is hard to come by, and there are far too many examples of supposedly secure systems failing.

Many of the track sessions are focused on robust control and assurance and there are plenty of options available. Unfortunately, without product support processes, we'll only get so far. It's a wonder we have any assurance at all.
