Offensive line: Fighting back against hackers
Joel Yonts, the CISO of a Fortune 500 automotive supply company, isn't pleased with many of his peers. Their complacency and timidity around security is widening the chasm between victory and defeat by an ever-growing margin, and simply put, the losses really are piling up.
In security, where the threats evolve on an almost daily basis, most organizations – even ones operating the most proficient networks – seem content with the traditional perimeter-based, compliance-focused approach of battling the enemy, Yonts says. Such block-and-tackle tactics, as they are known among security pros, may work against the so-called low-hanging-fruit threats – things like SQL injections and common trojans – but they hit a brick wall when it comes to dealing with more sophisticated weaponry, like espionage malware.
“I am tired of [hearing], ‘We are defending at the gate and we are winning,'” says Yonts, 40, the CISO since 2006. “No, we're just letting the attackers attack us as many times as they want until they get in.” He blames this inherent defect on an industry where security programs largely have been built by the guidance of audit firms, which place heavy emphasis on meeting compliance mandates, such as Sarbanes-Oxley, and apply a good deal of weight to guarding against the insider threat, often overlooking today's advanced adversary.
- Tue, 2013-05-14 00:12
- Thu, 2013-05-09 11:36
- Wed, 2013-05-08 00:06