IT security should be a service provider, not a control organization
By Fred Donovan
BOSTON — IT security functions best as a service provider to the enterprise, not as a control organization, observed Wendy Nather, research director for security at 451 Research and a former chief information security officer.
"If you function as a service organization, you can help to break down silo walls. People will come to you and you get better sources of intelligence from your colleagues, and you get a better response from management," Nather said.
Nather was a participant on a security analyst panel held here Wednesday as part of the UNITED Security Summit, sponsored by security firm Rapid7.
Another panelist, Rich Holland, principal analyst with Forrester Research, stressed the need to develop relationships in the security industry, instead of building silos between peers and customers.
"I see all this focus on external threat actors, sandboxes, all of this outward focus on what we can buy externally to bring in, but we are not looking in the mirror at our own organizations, our peers, our colleagues, the guys that are in the trenches with us. We are not collecting threat intelligence from our own intrusions," he said.
The Forrester analyst argued that companies spend too much money on external threat intelligence, endpoint anti-virus software and intrusion prevention systems, and too little on evaluating what they already have.
"I don't think people do a good job of evaluating the performance of their existing technology, people and processes associated with it," Holland said.