A newly constituted board of IT security advisors put together by HP, Inc. this week provided a measure of comfort to IT security professionals by revealing that IT security requirements are now finally being baked into IT procurement processes.
Speaking at a HP Reinvent Worldwide Partner Forum this week, Robert Masse, a partner at Deloitte with more than 20 years of experience in cybersecurity, says it’s becoming more common for request for information (RFI) issued by procurement departments to now have specific provisions that address IT security requirements.
Joining Masse on the HP Security board are MedSec CEO Justine Bone and board chairman Michael Cacce, an independent IT security consultant also known as “Mafiaboy.” Bone says a lot of organizations are now moving to push as much responsibility for IT security back on the vendors that provide them IT infrastructure and security. As corporate boards become more aware of IT security issues many of them are directing procurement officers to include IT security as a standard element of the procurement exercise, says Bone.
Of course, IT security professionals have been asking for just that for years now. Most IT security professionals are tasked with securing an IT environment that they have little to no influence over what elements get included. The result is often a raft of IT infrastructure and applications that from a cybercriminal perspective or little more than sitting ducks.
The HP Security Advisory Board is divided in terms of whether the IT security war is being won or lost. Cacce says that because it’s now so simple for cybercriminals to launch attacks the easy money that can be made means their ranks continue to swell. Because any one of the attacks launched by those cybercriminals need to be successful only a handful of times to provide a return on investment (ROI) for the cybercriminal the odds facing IT security professionals are decidedly stacked against the, says Cacce.
Bone is a little more optimistic as more companies start to implement what she described as “active defenses” that involve organizations making counterattacks against cybercriminals to neutralize attacks. The issue that organizations have to be keenly aware of when engaging in that activity, cautioned Masse, is that cybercriminals are very adept at hiding their tracks. It’s easy to assume an attack is emanating from one location only to realize later the attack was launched half way around the globe. Attacking the wrong target then becomes fraught with legal issues, including violating the sanctity of a country’s border in a way that creates an international incident. Despite those concerns, however, Cacce says organizations may have no choice now when it comes to engaging in more proactive defense measures.
Vali Ali, chief technologist for security and privacy at HP, Inc. says ultimately the IT security war will be won because the alternative is not acceptable. To achieve that goal Ali says vendors such as HP are embedding security technologies across their product portfolios, including in the case of HP securing the BIOS software it ships with its systems.
The one thing that board does agree on is that the attack surface that needs to be defended is widening. Defending that wide a front may very well be impossible as organizations embrace the Internet of Things (IoT) era. In fact, the most important IT security decision any organization might need to make going forward is where to concentrate their limited IT security defenses.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.