Cyber Talk
A Discussion with Lumigent’s Director of Product Strategy
Peter Utzschneider


ITSS: What is the biggest security challenge facing information security managers today?
Utzschneider: The biggest security challenge is being able to take a more holistic view of security that recognizes the role of IT in securing business information. This extends well beyond deploying and managing traditional perimeter security (firewalls, intrusion detection, etc.) to assuring the overall integrity of business data as it relates to compliance, insider abuse, privacy, etc. In short, information security managers have to understand and help mitigate the risk associated with authorized data usage, not just assure authorized access.


ITSS: What are the greatest risks companies face in protecting information assets?
Utzschneider: Companies have to deal with increasingly diverse sources of risk to their data at a faster rate. Just as traditional perimeter security is no longer very effective against rapidly morphing worms, traditional internal policies or controls for securing data at rest are inadequate for protection against misuse by internal users, privileged users and external users. In order to reduce risk and ensure proper usage, companies need to regularly check that rights and configurations meet an established security baseline, and track all usage of data.

ITSS: What is the information security gap and why does it matter?
Utzschneider: The information security gap is the difference between an organization’s understanding of the state and usage of its data, and the actual state and usage of its data. To date, companies have primarily focused on access controls (primarily unauthorized) at the network level as opposed to understanding how authorized users can and are using data. Until now, attempts to ensure the integrity of critical information have been entirely manual, incomplete, costly and labor-intensive. Until such time as companies fully understand the state of their data and how it is being used, their ability to address privacy, compliance and risk management will be limited.

ITSS: How can an organization close the gap?
Utzschneider: Organizations need to reconcile how their information assets are intended to be used (as prescribed through internal IT controls) with how they are actually being used. The best way to address this problem is through the use of technologies that continuously assess, audit and manage the security risk associated with their information assets. Using these tools, organizations can ensure the integrity of their information systems and get an accurate, real-time assessment of how data is being created, accessed, changed and used. With this insight, organizations can close the gap and raise their confidence in the integrity of their information systems.

ITSS: Why is vulnerability assessment critical to an enterprise?
Utzschneider: Vulnerability assessment enables companies to know, on an ongoing basis, whether data assets are above or below accepted levels of security. This information is the difference between knowing what the state of a data server is at any point in time, and not knowing what the state of the system is after it was put into production. Without this information, companies do not easily know who has access to what and what effect system configuration changes may have on the overall security of the system. The best news for organizations is that vulnerability assessment tools are improving, moving beyond a single set of signatures that deliver a one-time list of vulnerabilities. Today’s vulnerability assessment tools provide a complete framework for measuring and assessing the state of vulnerabilities over time. They enable companies to define assessment policies that match the desired level of security for the organization and provide baseline reports for simplified comparisons between any two assessments. This allows companies to quickly know whether the state of their systems has changed, for the better or worse.

ITSS: What are the top questions an organization should ask periodically?
Utzschneider: First, organizations should periodically ask themselves who should have what rights to access what, and what are they supposed to be doing with that access. Second, they should reassess the policy governing data access and usage and ensure that the answer to the first question reflects current policy. By asking both of these questions periodically, the organization can ensure that usage and policy are not far apart.
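The two answers above describe assessment policies, baseline comparisons between any two assessments, and the periodic question of who holds what rights. The following is an added example, not code from the interview or from any Lumigent product: it checks two constructed assessment snapshots of a data server (effective rights plus a few configuration settings, all sample values) against an assessment policy and reports whether the state drifted for the better or worse. Principal names, object names and setting keys are assumptions.

```python
# Added example: compare two assessments of a data server against a policy.
# All principals, objects, settings and values below are constructed samples.
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Snapshot taken when the server went into production (the baseline).
BASELINE = {
    "rights": {("app_svc", "orders"): "write", ("analyst", "orders"): "read",
               ("dba", "orders"): "admin"},
    "config": {"remote_admin": False, "audit_logins": True, "guest_enabled": False},
}
# Snapshot taken later; rights and settings have drifted in the meantime.
CURRENT = {
    "rights": {("app_svc", "orders"): "admin", ("analyst", "orders"): "read",
               ("dba", "orders"): "admin", ("temp_user", "orders"): "read"},
    "config": {"remote_admin": True, "audit_logins": True, "guest_enabled": False},
}
# Assessment policy: the highest right each principal may hold on each object
# (principals not listed may hold none) and the required value of each setting.
POLICY = {
    "max_rights": {("app_svc", "orders"): "write", ("analyst", "orders"): "read",
                   ("dba", "orders"): "admin"},
    "config": {"remote_admin": False, "audit_logins": True, "guest_enabled": False},
}

def findings(assessment, policy):
    """Return the set of policy violations present in one assessment."""
    out = set()
    for (who, what), right in assessment["rights"].items():
        allowed = policy["max_rights"].get((who, what), "none")
        if PRIVILEGE_RANK[right] > PRIVILEGE_RANK[allowed]:
            out.add(f"rights:{who}:{what}:{right}>{allowed}")
    for key, required in policy["config"].items():
        actual = assessment["config"].get(key)
        if actual != required:
            out.add(f"config:{key}={actual}")
    return out

def compare(baseline, current, policy):
    """Classify drift between two assessments: new violations are 'worse',
    violations that disappeared are 'better', the rest are 'unchanged'."""
    before, after = findings(baseline, policy), findings(current, policy)
    return {"worse": sorted(after - before),
            "better": sorted(before - after),
            "unchanged": sorted(before & after)}

if __name__ == "__main__":
    for verdict, items in compare(BASELINE, CURRENT, POLICY).items():
        print(verdict, items)
```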

ITSS: What are the critical steps that should be taken to reduce an organization’s risk?
Utzschneider: There are several steps that have to be part of an ongoing process which targets reducing and managing residual risk over time:

1. Identify and prioritize information assets.
2. Document and publish a policy on how and by whom the information assets should be used.
3. Ensure that the appropriate controls are in place. Test them and regularly validate that the controls are working.
4. Trust, but verify by continuously auditing data assets for a complete evidentiary record of who is using them and how they are being used.
5. Start over and repeat.
