Security Out Of Focus: An Incomplete Thought
Amrit Williams, 31/08/2010, posted in "Analysis"
Amrit Williams has over 18 years of experience in information technology, security, and risk management and is currently the Chief Technology Officer of BigFix, an enterprise systems and security management solution provider. Amrit has held a variety of engineering, management and consulting positions prior to joining BigFix. Most recently, Amrit was a research director in the Information Security and Risk Research Practice at Gartner, where he covered vulnerability and threat management, network security, security information and event management, risk management, and secure application development. Previously, Williams was a director of engineering for nCircle Network Security, and undertook leadership positions at Consilient, Network Associates, and McAfee Associates, where he worked to develop market-leading security and systems management solutions.
Someone sent me this quote in an attempt to convince me that we should focus on vulnerabilities and not threats… I don’t think they are mutually exclusive, but that’s neither here nor there…
“Our data tells us that focusing on vulnerabilities is more effective in reducing risk than focusing on threats. In fact, of nine specific types of threats we examined in our survey, none proved to be statistically significantly related to increased risk, although many vulnerabilities were. The enterprise can do little at best to control threats, especially external ones, but it can do a lot to control vulnerabilities. Focusing on vulnerabilities reduces an enterprise’s tendency to react to what is apparently most urgent – such as the threat reported in yesterday’s newspaper – and helps the enterprise act instead to reduce vulnerabilities that might be exploited by any number of threats. No nation can control the level of the sea, but a nation can build dikes to reduce the vulnerabilities of its lands to high waters; no enterprise can control a sea of external hackers, but an enterprise can plug the holes in its network dike that hackers might otherwise exploit.”
In short, vulnerabilities, not threats, are the root cause for high risk exposure, and it’s best to focus on the root cause.
- IT Risk: Turning Business Threats into Competitive Advantage by George Westerman, Richard Hunter, page 126
My response: If you live in the ghetto, what contributes to your high risk exposure: your lack of steel doors and bulletproof glass, or the shitty neighborhood you live in that is full of gangs, thugs, crack whores, and meth addicts?