Expert suggests holistic approach to security

MYRTLE BEACH, S.C. – IT security professionals have to find a way to move from reacting to threats to proactive protection, according to a leading security expert speaking at the eighth annual Techno Security conference.

Eric Cole, a senior scientist with Lockheed Martin Corp.'s information technology group and author of numerous books on information security, told the audience that organizations have to first identify their core intellectual property; then they can take the steps needed to guard it.

'If you don't know what you're trying to secure, how can you [know] you have secured it?' he said. 'Just because you're putting money and energy into a problem doesn't mean you're addressing the problem.'

Cole compared many organizations' security efforts to young children's report cards. 'A lot of companies would get E for effort, but unlike elementary school, there is no E for effort,' he said.

Cole suggested that organizations should put far more effort into identifying vulnerabilities and securing them as the only effective way to protect against multiplying threats. He also emphasized that security has to be fully integrated into every layer of IT in an organization.

'In this day and age, you shouldn't be able to isolate out your security on your network,' he said. 'If you can [do it], what's to stop the threat, which can do the same thing?'

Cole suggested that organizations should pay more attention to extending 'least privilege' – the least amount of access a person needs to get his or her job done. He cited the Aldrich Ames spy case at the CIA in the 1990s as a very costly example.

Ames' betrayal actually cost lives, yet, 'about 55 percent of the damage that he did was with information he had access to that he didn't need to do his job,' Cole said. The Ames case also demonstrates that organizations need to focus more of their security efforts on the insider threat, he said.

One way to frame the approach to integrating security is to consider it a 'digital watermark,' he said. 'If you remove it, the network should be useless.'
