SECURITY
The Sky Really Is Falling
Ed Lazowska, cochairman of the President’s
Information Technology Advisory Committee, says that there is a looming
security crisis, and the government, vendors and CIOs aren’t doing
enough to stop it.
BY BEN WORTHEN
Ed Lazowska holds the Bill & Melinda Gates Chair in Computer Science & Engineering at the University of Washington, where he specializes in the design, implementation and analysis of high-performance computing and communication systems. In May 2003, President Bush appointed him cochairman of the President's Information Technology Advisory Committee (PITAC), a post he held from 2003 to 2005. PITAC, created by an act of Congress in 1991, is made up of experts from both academia and the private sector who advise the President on IT issues. It has traditionally been one of the most important mechanisms the government has to ensure that the nation's R&D programs have the appropriate scope and direction to keep the country at the forefront of the IT industry. Under Lazowska's leadership, PITAC studied three issues: IT for health care, the future of computational science and cybersecurity. PITAC's report on cybersecurity, "Cyber Security: A Crisis of Prioritization," was published in February. "The title nicely summarizes our findings," says Lazowska. "There is a crisis, and it is due to a failure to adequately prioritize this issue: a failure by CIOs, and a failure by the federal government."
Lazowska doesn't pull any punches when discussing the Bush administration's approach to the issue. "In my opinion," he says, "this administration does not value science, engineering, advanced education and research as much as it should, as much as the future health of the nation requires." As a result, he says, the private sector, and CIOs in particular, won't be able to buy the products they need to be truly secure unless they demand more from their government and, just as importantly, show a commitment to cybersecurity by paying for state-of-the-art products.
Readers Viewpoint
Daniel Jaramillo Posted: OCT 19, 2005 06:54:28 AM
I'm guessing that Mr. Jaramillo did not read the PITAC Cyber Security report, or the National Academies report on the same topic.
Ed Lazowska, Professor, University of Washington
The sky is falling Posted: OCT 18, 2005 02:06:50 PM
After reading the article "The Sky Really Is Falling," I began to think about what is really going on with us; we are always speaking from both sides of our mouth. On one hand we are always saying we have too much government interference in the affairs of private businesses; on the other hand we are also saying we need the government to tell us how to run our businesses. So which do we want?
Perhaps Dr. Lazowska and all the experts at PITAC are shooting themselves in the foot by stating that the government, namely the administration of which they are part, "does not value science, engineering, advanced education and research as much as it should—as much as the future health of the nation requires." Let us ask ourselves the following questions: aren't PITAC and all the experts who are members of that body supposed to counsel and advise the administration on IT issues? Are they not spending taxpayers' money to research and issue their findings and perhaps make recommendations to the administration, so that it can value and prioritize security and other IT issues? In fact, aren't they the experts, and not the president himself?
In my humble opinion, I would expect from such a group of intelligent and highly educated experts a little more than just a report telling us citizens and the private IT industry what we are not doing right related to IT security and "why the sky is falling." I would expect them to provide us with guidelines that will let us know and understand the recommendations and potential alternatives that will fix the problem. It is possible that part of the problem is the fact that we are expecting too much from government and the administration, when in fact we all know and understand that, for the most part, the gains in development of new technologies have been achieved by the private sector without the intervention of government.
I believe the technology is out there to secure the information sitting in databases and servers and corporate offices. What CIOs and members of management in the IT industry really need is to focus and put their priorities on the required infrastructure that will allow IT security to be in place. Security needs to be part of strategic and corporate planning, just like any other high business objective or any other high business priority of the organization. When this is achieved, maybe we will stop crying like the little shepherd in the story, "the wolf is coming," or in this particular case, "the sky is falling."
Perhaps it is not the sky that is really falling; it is possible that without the adequate infrastructure the sky is not really up there.
Daniel Jaramillo, Sr. Strategy Consultant, NorthPoint Consulting Group
Tolerance for Risk is a Constant Posted: OCT 15, 2005 06:49:39 PM
Volvo discovered that making cars safer only led people to drive faster and more dangerously, as if the level of risk we are willing to tolerate is a constant and we adjust our behaviour to reach that level.
I fear that as much as we improve the fundamental security capabilities, as individuals we will continue to accept risks that ultimately will damage us. I realise this every time I accept a file download from a reputable company that does not present a valid certificate!
Of course, I don't suggest we shouldn't keep making the world (cars or technology) safer, just that we should measure our expectations for the outcomes.
Martin Leach, President, SteenMain Consulting Inc
Missing Tools for the Quantification of Risk in IT Posted: OCT 13, 2005 08:37:12 PM
I suspect a major issue here is the fact that CIOs and CISOs still haven't been given tools that allow them to intelligently quantify risks when it comes to IT and information security.
Lacking those tools, these executives can only threaten or beg, and that gets old fast in the boardroom. By contrast, financial managers can make a solid case for their required investments, because they can offer a reasonably objective measure of the new risks that must be mitigated with new investments.
In the 21st century, CIOs still don't have the tools or the language to tell those who control the purse (the CEO, the board, or outside regulators) whether their networks or critical systems are more secure this year than they were last year. Lacking effective metrics for risk assessment, we can even quantify the relative increase in security offered by technology we all *know* makes us safer, say, two-factor authentication, or more complete and secured audit logs.
Academia, industry, and government could do us all a favor, and perhaps define a market, luring innovators, if they would speak up and explain why the CIO is so ineffectual in justifying the need for resources for security in the modern corporation.
I guess it's just hard to acknowledge that InfoSec pros are still using baby talk: begging, threatening... or sounding like fools, talking (again!) about the damn sky falling.
Vin McLellan, Managing Director, The Privacy Guild
We will learn only by mistakes made it seems. Posted: OCT 13, 2005 07:27:07 PM
Just like New Orleans, there could be an avoidable disaster that takes place. Just like the levees, we need to shore up homeland cyber security and protection of critical infrastructure. Prevention is a better plan than recovery/continuity. Will it take a digital "Pearl Harbor" to awaken those responsible?
The lack of focus and the lack of prioritization in HLS means that there is no plan to seek out, or accept, possible solutions, and there is no venue or portal to gain entry into the system if you are not coming from the usual routes (megacorps, academia).
We have a new model of security technology that addresses some of the concerns that Dr. Lazowska raises, yet our vendor applications have been sitting on someone's desk since last fall, maybe lost in the bureaucracy forever, for all we know. If IT security were deemed to be of some importance, potential solutions might be flagged for special handling from the moment they were received.
Rob Lewis, Business Development, Trustifier Inc / Googgun Technologies