And if that weren't enough, the security firm will track the time between when it told the vendor of the exploit and when the vendor patched it, so that even if no one is ever actually damaged, the perception is created that the vendor isn't responding fast enough. In short, it doesn't matter whether the vendor is in an open-source or closed-source world; it has a target on its back. No matter how vendors dodge or what they do, they are going to get shot. That just doesn't seem right to me.

Invest in a Strong CSO

There are places you can go, such as the Organization for Internet Safety, that can help put things in perspective. But the best route is to have a chief security officer (CSO) with the resources to fully assess the risks, implement appropriate protection for those risks and translate the massive amount of security information into actionable, internal bulletins.

In the current environment, where the tendencies both to spend ineffectively and to overspend are extremely high, this role has never been more critical. You need someone whose loyalties are clear to protect your and your company's interests. Allowing security firms to benefit by increasing our exposure is a fool's game. It is only by positioning well-trained and capable security professionals who are loyal to us that we have a reasonable chance of not being taken advantage of. In the end, we should collectively reward the security firms who don't add to the problem and not do business with companies that appear to be working to increase our exposures and costs just so they can sell products. Whether or not you have a CSO, this policy should be a high priority for any CIOs wanting to help return their companies' environment to one that is both safer and easier to manage.

Rob Enderle is the principal analyst for the Enderle Group, a company specializing in emerging personal technology.

Check out eWEEK.com's Security Center at http://security.eweek.com for security news, views and analysis.