What is the best thing Santa could bring the IT security manager?

Security leaders from the ISF, BCS, ISACA, (ISC)2, Tif and ISSA present a wishlist for securing corporate systems in 2010

Howard A Schmidt

President, Information Security Forum

When we are young we think that Santa can do anything and our wishes will come true. As we get a little older and wiser we realise that sadly this is not the case - but it's nice to dream.

With this in mind, the single most important thing that would transform the job of IT security managers would be if they woke up on Christmas Day - or any other day - and found that all the security vulnerabilities in their software had suddenly disappeared.

While today's security threats are many and diverse, the ability for viruses, Trojans, worms and botnets to exploit weaknesses in everyday business software is responsible for more headaches suffered by IT security managers than many other security issues.

While software developers have been working hard to iron out the vulnerabilities in new software, it is impossible to imagine a time when hackers and virus writers will not find gaps to exploit. And we must not forget that all of us as software users have a part to play in making life more difficult for the IT security manager.

Some people may argue that what the IT security manager needs from Santa is simply the cloud. But the cloud is not a new offering - it has been around since the 1990s. And while applications in the cloud may shift some of the responsibility for software vulnerabilities off the shoulders of the IT security manager - if something goes wrong they will still wake up with a hangover.

However, whether you will be celebrating Christmas or not, I am confident that by working together, IT security managers are better placed to face the challenges and threats in 2010 than ever before - without the help of Santa.


Peter Wood

Member of the ISACA Conference Committee

My first thought was "perpetually secure systems and software". Then I realised that criminals would just find another way to steal our data. Perhaps I needed to look at this in a different way. Over the past 20 years, one thing has remained at the heart of all security breaches - ignorance. Ignorance, not stupidity, please note.

With the right motivation and education, technical staff, regular users and even senior management can mitigate most security vulnerabilities and block most attacks. Just look at where the real problems manifest: lost laptops, unpatched systems, insecure software and system configurations, poor passwords and a general susceptibility to con artists.

Every day we all battle against users who continue to click on phishing scams, managers who demand insecure smartphones, staff who leave laptops in taxis and trains. No matter how good our technical controls are, someone will unintentionally poke a hole in our defences.

If we insist on two-factor authentication, staff will leave their SecurID token and PIN in their laptop bags. If we require nine-character passwords containing upper and lower case and numbers, people will choose "Password1". When we install building entry systems requiring individual proximity cards, someone will let you in the smoker's entrance.

So, dear Santa, please give me a magic wand which will automatically instil good security practice in everyone's head, along with the motivation to do things the "right way" and protect not only the business but their own future at home and at work. The magic wand must give them the wisdom and maturity to think before they act, and to replace convenience and laziness with responsibility and care.


John Colley, CISSP

Managing director EMEA, (ISC)²

The best thing Santa could bring the IT security manager for Christmas would be an end to all botnets. This would of course mean that he would have to have put an end to all software with bugs.

If the software was secure, computers wouldn't have to be patched or updated and at least the machines would be vulnerability-free. Botnets wouldn't be able to hijack them and launch the ever-growing attacks that have become a core foundation for criminals of all abilities to get a hold of the tools and infrastructure required to move their exploits online.

If Santa could take care of this hygiene factor, the holes in poorly written software that continues to be churned out by an industry that appears not to have recognised that it is writing for a connected world, then our world could be released from the mundane - the repetitive operational tasks that should have become obsolete years ago.

Of course, we don't have to be limited to one present from Santa. It would be nice too, particularly if he couldn't stamp out the botnets and software bugs, if he could make users more aware, or at least help them to care. He could just stuff a few savvy users down each corporate chimney, who cared about why security matters, set the example for their friends and make the desire to work securely become in a word, viral. Then the botnets would be far less effective and software less of a concern.

Should we be careful what we wish for? Would a world full of savvy users and no botnets put us all out of work? I have my doubts. Some current headaches may disappear, but information security has never been static. The bad people will still be out there looking to get at what we increasingly value - our data. They will find new ways to get at it and we will be tested to stay ahead of their creativity, while keeping our users savvy.



Committee member of the BCS Security Forum Strategic Panel

Director of information security consultancy Trusted Management

So what would I, a seasoned security professional, like Santa to bring me for Christmas? A bottle of very good single malt would be nice.

Just think: sitting in front of a roaring fire sipping a wee dram, all the horror stories of the old year fade into oblivion, whilst emerging out of the (alcoholic) haze is a vision of a new year where company boards, chief execs and senior management without exception 'got' the information security message.

But back to the real world, industry-wide adoption of the Sender Policy Framework (SPF) with an aggressive implementation plan perhaps backed by the stick and carrot of supportive government/international legislation would make a great present as it would give a tremendous impetus to cleaning up spam.


Dani Briscoe

Research manager, Corporate IT Forum

Every IT security manager wants something special during this festive season, be it brandy and mince pies or incident-free holidays. When polled, members of the Corporate IT Forum's Information Security Service came up with a surprising number of items that should form part of the everyday arsenal that IS managers need to defend their patch.

One sporting member wished for a pogo stick, no doubt to help him jump higher when asked to, or perhaps to bounce between different compliance frameworks with ease. This would help him achieve a high level of job satisfaction, as he flits from ISO 270001 to PCI via CRC and back to ISO 17799 with little or no effort.

Skates were high on the list of another active member who needed to complete a long list of projects by yesterday; her second wish was a time machine. Useful, but maybe not very practical in today's open-plan, hot-desking office space, not to mention the fragile budgets.

Control over users is high on the list of many members wanting to curtail mistakes in data-entry - the so called "fat finger issue" - along with ensuring that data is protected. When challenged on what would be required to make a system "totally secure", one DIY enthusiast asked Santa for a piece of string. He plans to hold it up for all to see with the immortal words: "How long is this?"

One of the Forum's more musical members wished for a drum to "beat" the importance of security into his users. On the back of this was also a request for more resources, no doubt to fill the company dragon-boat team.

On a more serious note, members agreed unanimously that the best present ever would be finding the holy grail of security in their Christmas stocking - senior management buy-in and support. Seen by only a few in their lifetime, it would be a wonder to behold in this season of giving.


Raj Samani

Vice-president for communications, ISSA UK

Moving past the personal but very valid needs for everyone this Christmas: namely assurances that they will be in a job in January, what does a security manager want delivered during this festive period?

Chances are, a demonstrative assurance from third parties attesting their information assurance maturity is likely to be a pretty big requirement for most managers. The old adage that security is only as strong as its weakest link is ringing true in this world of outsourcing, subcontracting and offshoring.

Managing risk for an organisation used to be akin to ensuring that information stayed within a physical perimeter. Security managers must now assure senior management that information is secured when hosted by third parties, or when third parties connect to previously isolated information islands.

The current approach to gaining assurance is a constant challenge because:

  • It is almost impossible to objectively compare different "cloud" providers on their information assurance maturity.
  • Current frameworks to provide assurance are largely bespoke or very subjective
  • No common language to provide an objective, quantifiable and easy-to-understand language for senior management exists.
  • There is a real lack of transparency with the use of outsourced "cloud" providers.

Development of a standard that allowed an objective and quantifiable metric would benefit not only the security manager, but also commercial teams and the supplier. Imagine commercial contracts satisfying IA requirements with one line: "all suppliers submitting a tender must be a level-six provider". Suppliers that take IA seriously could demonstrate their diligence with claims they are a level-eight provider, and quickly develop their own USP.

Admittedly, such development has been mooted by a number of commercial, academic and industry associations. In some cases such activities have duplicated one another, or have been industry-specific. Subsequently third parties may have to follow different standards for different customers, and face the prospect of an army of auditors trying to satisfy the multitudes of frameworks.

Finally, there does seem to be a light at the end of the tunnel. The industry has joined together and there is a real optimism that such a framework may be developed and available in late 2010. This may leave a tinge of disappointment on the 25th of December 2009, but with the promise from Santa for next year, the security manager's only challenge will be the office Christmas party and being a good boy/girl in 2010.
