
Black Hat: Security is not the security team’s problem says Black Hat keynote speaker Douglas Merrill

30 July 2009

This morning, 29th July 2009, at the Black Hat briefings in Las Vegas, Nevada, keynote speaker Douglas Merrill told his audience that CISOs are getting information security wrong.

Merrill, a research scientist by training, served as CIO at Google until April 2008 when he resigned to become President of EMI Music.

The key, Merrill advised, is to “make it so that security is not the security team’s problem”. The EMI president went on to justify this contradiction. “This is something that the Google security team did very right. They made it so that they were no longer at the centre of security, and made it very easy for employees to do the right thing, and very hard for them to do the wrong thing”.

“We automated everything”, Merrill continued, speaking of his tenure at Google. “It was cheaper, it eliminated the boring parts of our jobs, and it kept people from making stupid mistakes when managing machines”.

Enabling the Google engineers to work in an environment that suits them was part of the strategy. “We wanted to enable their innovation”, Merrill said.

To enable this freedom and innovation without compromising security, Google’s team built security into the infrastructure itself. Merrill explained, “We had AV running on mail servers, not endpoints. Systems monitored traffic, and we flagged alerts. We implemented lots of things like that to protect ourselves from not knowing where the endpoint was. This way, there was no ring of fire problem”.

It’s important to involve your users in your information security requirements, Merrill insisted. “Users will attempt to secure themselves – make it their problem and they’ll be happy to help. Employees want to innovate – we need to enable them to do this”.

“Quite often, the reason people are doing it wrong [compromising security] is that they are hearing wrong. We need to teach them, and we need to do this by speaking the right languages”.

The industry, Merrill said, “don’t understand that the people singing along can help them if we allow them to”.

The wrong motivation

While IT sales are down by 5% in light of the current economic climate, IT security sales are up by 5%. Why? “Because executives are terrified of the CISO” said Merrill. “When we [information security professionals] can’t scare the executives into writing cheques, we pull out the tactical weapon and promise a breach if the money isn’t spent to put security measures in place”.

While compliance is a main motivating factor for the IT security team, says Merrill, CEOs are “more concerned with usability”. This is strange, Merrill continued, because “It’s the CEOs that have personal criminal liability for compliance – but for some reason it’s not at the top of their list”.

“We [the information security industry] are spending too much time focussing on the wrong problem. CEOs want to spend money on monitoring internet use,” Merrill laughed.

A common misunderstanding, said Merrill, is that employees want to use various technologies and social media for personal and inappropriate use. “Actually, a lot of people want to use better technology to engage in work-related activities, but they’re being prevented by various policies”.

It’s proven, said Merrill, that companies that make the ‘best places to work’ list make more revenue. “An organisation’s goal therefore should be to create value for users and take some back as revenue”.

What makes employees happy? “Being encouraged to innovate. We need to find a way to enable people to do this,” Merrill concluded.