NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO BlackBerry News and Tips
 CIO Research and Analysis
 CIO Microsoft
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 


Fri, Apr 13, 2007 9:34 EDT

Risk, Not Security

Posted by: Christopher Koch in Rants

Topic: IT Organization Management

Blog: Koch's IT Strategy

Current Rating: 5 Comment: 1

We have to shift the emphasis on IT security to larger discussion about business risk. Why? Because we associate IT security with things that have become a very small subset of a much larger and continually growing circle of information technology risk.

Think this is just pointless semantics? Consider this: We have been trained over time to associate IT security with certain actions--protecting the perimeter of the data center, for example--and certain products--intrusion detection, encryption, firewalls, anti-virus software, etc.--that are all merely tactical and do not address any of the real strategic issues in protecting people and organizations from threats.

Here's an example: Ask consumers what they should be doing about internet security and they'll probably say (if they even know) that they should install firewall and anti-virus software on their computers and keep them updated. Few, if any, of these people would consider a wireless router to be a security device, yet the risk that wireless routers pose to their safety online is much higher than the risk that something will sneak through anti-virus software.

In this study, researchers Rajiv Shah and Christian Sandvig found that only about 50 percent of consumers changed the default settings of their wireless routers to switch on encryption and rewrite the default administrator passwords that are easily available to anyone with an internet connection and a web browser. It's also pretty easy to find people's router locations--there are maps of them available.

Wireless routers represent a huge, emerging risk even though we still don't think of them as part of security. An open router is like a key to the kingdom, "a gateway for eavesdropping, redirection to fraudulent websites, and traffic profiling. These capabilities grant the attacker nearly total control over how the network’s clients interact with the Internet," writes Markus Jackobsson, an academic and security consultant in this chilling report.

But there's been no shift in the configuration of routers since they were originally introduced--when the extent of their risk was considered to be only that some freeloader would jump on and hog your bandwidth. Routers haven't made it into that small circle that we think of as IT security, so the larger risks aren't addressed.

By limiting our scope to IT security rather than risk, we ensure that the emphasis remains tactical rather than strategic. What's the tactical response to open routers? Provide consumers

You do not have flash or javascript support.
Average (4 votes)
5
comment icon Reply
 
All Comments Comments
 
Fri, Apr 13, 2007 15:23 EDT
Risk, Not Security
Anonymous user
Posted by: Anonymous
Rating:

Another impressive entry, Mr. Koch. Underlying this whole article is one other issue: business leaders are not being held accountable for their lack of management over technology.

We think that by putting a CIO in place that "solves the problem". Thinking about the business, its risks and opportunities, its state and prospects, is every executive's job. While the use of a professional leader with domain expertise is a good idea - no one really wants someone with a background in sales running finance, or someone with a backgorund in regulatory affairs in charge of H.R., for instance - abdicating responsibility in the way North American business does indicates a degree of managerial irresponsibillity that needs more than just outside bodies (e.g. insurers) to step in.

There should be more blood on the carpet than there is, even in this SOX-laden world.

So what would help? Executive committees are our answer to managing boards in European companies. But they don't really act on issues. So boards of directors, representing investor interests, need to step in and demand that the company actually be managed. Here is a place where Directors & Officers insurance could be used to make that change happen - want a policy, demonstrate you actually do manage the business in all its aspects.

You do not have flash or javascript support.

Post new comment

* Subject:
* Username:
* E-mail:
The content of this field is kept private and will not be shown publicly.
Homepage:
* Body:
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <blockquote> <strike> <p> <br>
  • Lines and paragraphs break automatically.
More information about formatting options

* Denotes required field.
About this Blog

Good, honest conversation about what works and what doesn't for creating an enterprise IT strategy that aligns with the business strategy of the company.

Start a Conversation
Click to post

Got something to say? We want to hear it! Click the Post button to get started. GO»

EXPERT ADVICE
See our roster of experts.

Advice & Opinion from more than 113 of IT's most insightful thinkers.

  PARTNERS       WEBCASTS    
 

Windows 7 Webcast Series

There's a lot of buzz about Windows 7 out there. Each month in our webcast series, listen to analysts and customers discuss how Windows 7 and the Windows Optimized Desktop is impacting large companies around the world. Learn how they evaluated Windows 7, including the cost of deployment, deployment strategies, and tangible benefits.

Sponsored by Microsoft  Listen to on-demand Recordings »

 

Service Level Management Best Practices Life Cycle Overview - Improve Service Levels

Best practices for Service Level Management (SLM) is a process for consistently meeting customer requirements and delivering on IT's promises. See the steps required to ensure high-quality SLM.

Sponsored by Compuware  Read this White Paper »

 

Keeping Your Members Safe from Online Scams and Predators

In order to keep fraudsters out, romance sites must deploy effective solutions that look at information independent of what is supplied by users. A device fingerprinting solution such as iovation ReputationManager™ provides unique insight into the computers being used to create multiple accounts and exposes hidden device-account relationships that identity-based fraud solutions often miss.

Sponsored by iovation  Read this White Paper »

More Partners »
Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

More Podcasts »
Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

Defend Against Blended Threats: What You Need to Know

Blended Web and email threats are becoming increasingly complex and represent a huge...  View Now »

 

Prescriptive Actions to Reduce Risk

In this Webcast, learn best practices for effective systems management in a heterogeneous environment and keep client systems cost under control.   View Now »

 

Webcast- Vantage 11: Redefining Application Performance Management

Compuware's latest release, Vantage 11, is a major advance in end-to-end application performance management--bringing together proactive issue identification, quantification of business impact and problem resolution into a single solution. Tune in to learn how Vantage 11's top-down approach helps you make better decisions and dramatically lower operations costs.  View Now »

More Webcasts »
Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

 
NEWSLETTER

Sign-up for the Blogs & Discussion Newsletter

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

See how AT&T can help protect your network.

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

TDWI checklist helps define data readiness for analytics. Download report.

A Clear View Toward Virtualization

Virtualization Technology as a Business Solution

The rules of infrastructure management just changed.

A Clear View Toward Virtualization

Interactive Q&A helps you discover key ways to maximize IT assets.

Ready to virtualize tier one applications? Check your virtualization maturity.

Think you can't afford a Cisco Switch? Cisco Catalyst Switches are now more affordable.

Five minute business analytics assessment. Immediate results.

The Case for Investing in Business Analytics Technology. Read white paper.

Upgrading to VMware vSphere with vWire

Top 10 Lessons Learned for Corporate 3G Mobile Broadband Deployments

CRM Built for IT: The Executive Guide to Selecting CRM that Meets IT Needs

Return on Information: Google Enterprise Search pays you back

ROI of Application Delivery Controllers

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

White Paper: Right-Sizing Your Power Infrastructure

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

64-page prescriptive guide to security, compliance, and IT operations.

Increase UPS efficiency without sacrificing protection.

eZine: A Roadmap to Reducing IT Complexity

Reduce risk, gain agility. See how Progress can help your business.

Virtualization Technology as a Business Solution

eZine: A Roadmap to Reducing IT Complexity

World-class trading technology solutions from NYSE Technologies.

If You're Paying for Telecom, You're Paying Too Much. Contact Asentinel Today.

Trade-In your old printer and save up to $1,000 plus free recycling!

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Live Webinar: Applying Business Analytics. Click here to learn more

Removing Barriers To Better Server Virtualization Efficiency

4G Revisited. The Continued Evolution of Wireless Mobility.

What's Next for Enterprise Resource Planning?

Maximizing website Return on Information with high-quality search

Gartner Magic Quadrant, Application Delivery Controllers 2009

Authentication as a Service by Forrester Research

Cloud-Based Authentication for Next-Generation Extranets

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths