Attn Management: Do Your Security People Have A Clue?
BOSTON, Dec. 29, 2014 /PRNewswire/ -- Author Wes Kussmaul says that C-Level executives need to hear about security from sources other than "security experts", whose methods have utterly failed their companies.
Kussmaul claims that "Almost all information security technology depends upon the ability to determine the intentions and character of the sender of a stream of bits. Isn't that like asking your building's lobby receptionist to determine the intentions and character of everyone who walks through the door? Doesn't your common sense tell you that's impossible?
"Instead, your receptionist asks for ID, establishing who's accountable for what happens while the visitor is in the building. That's much more effective than trying to guess whether they're friend or foe, good guy or bad."
Kussmaul further asserts that security tools built upon flawed friend-or-foe assumptions are ineffective, and top management is starting to sense the problem. In promoting a white paper, SC magazine reports that "C-level executives regard the role of CISO primarily as a target for finger-pointing in the event of a data breach, and have little faith that individuals in the role could hold other leadership positions."
There is a different way to establish reliable and effective information security – and top management wants to hear about it in business media. From Kussmaul's book entitled Don't Get Norteled:
"Are you familiar with the intricacies of firewalls, malware signatures, intrusion detection, intrusion prevention systems, security incident analysis tools, advanced persistent threat mitigation, DLP?
"No? Good! Because those things don't work.
"...For hundreds of years physicians practiced bloodletting, the draining of blood from a patient in order to rid the person of an overabundance of a certain type of 'humor,' despite plentiful evidence that bloodletting was useless at best, and surely despite some skeptical looks from patients and their families.
"No one likes to confront evidence that something in which they've invested their professional lives is useless. I am not a practitioner of information security because I have seen that the practice of information security does not produce information security any more than the practice of bloodletting produces health.
"Authenticity, on the other hand, is a goal worthy of the efforts needed to achieve it. And in producing authenticity we get an important byproduct: information security.
"...The authenticity this book advocates and enables comes from knowing the accuracy of others' claims of identity with measurable reliability, and being able to hold the identified parties accountable for their actions while using that claim of identity, while not knowing the identified person's name, location, or any other item of information about them.
"Anonymous accountability. Accountable anonymity. We can have it, and we can have it pervasively."
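The property the excerpt describes, a verifiable identity claim with a measured reliability whose holder stays nameless to the relying party yet can be held to account afterwards, can be sketched in code. The block below is an added illustration, not code from the book or from PKI Press: an issuer vets a person, hands out a credential that carries only a random pseudonym and a reliability figure, and keeps the pseudonym-to-person mapping in escrow; the relying party checks the issuer's signature and a reliability threshold and never sees a name. The issuer name, the reliability scale and the escrow rule are assumptions of the example. The signature is a Lamport one-time scheme built from SHA-256 so that the example runs on the Python standard library alone; a real issuer would use a conventional certificate signature (Ed25519 or RSA in X.509) instead.

```python
"""Toy 'accountable anonymity': pseudonymous credential, escrowed identity.

Constructed illustration, not the book's design.  Lamport signatures stand in
for real PKI so that the example needs only the standard library.
"""
import hashlib
import json
import secrets


def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in _sha(msg) for i in range(8)]


def lamport_keygen():
    # Private key: 256 pairs of random 32-byte secrets; public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_sha(a), _sha(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret that hashes to that bit's public value.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_sha(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Issuer:
    """Identity provider: vets people, issues pseudonymous credentials, and
    keeps the pseudonym -> person mapping in escrow for accountability."""

    def __init__(self, name="ExampleIdP"):  # issuer name is an assumption
        self.name = name
        self._sk, self.pk = lamport_keygen()
        self._key_used = False
        self._escrow = {}

    def enroll(self, real_name: str, reliability: float) -> dict:
        # A Lamport key signs safely only once; refuse rather than reuse it.
        if self._key_used:
            raise RuntimeError("one-time key already used; rotate before signing again")
        self._key_used = True
        pseudonym = secrets.token_hex(8)
        self._escrow[pseudonym] = real_name
        # The credential carries no name: only who vouches, a pseudonym, and
        # how reliable the issuer measured the identity claim to be (0..1 here).
        body = {"iss": self.name, "sub": pseudonym, "reliability": reliability}
        sig = [s.hex() for s in lamport_sign(self._sk, canonical(body))]
        return {"body": body, "sig": sig}

    def resolve(self, pseudonym: str, authorised: bool):
        """Map a pseudonym back to a person, only under an authorised request
        (the due-process rule is an assumption of this example)."""
        if not authorised:
            return None
        return self._escrow.get(pseudonym)


def admit(cred: dict, issuer_pk, min_reliability: float):
    """Relying party: return the pseudonym to hold accountable, or None.
    Learns nothing about the person beyond the issuer's reliability figure."""
    body = cred["body"]
    try:
        sig = [bytes.fromhex(h) for h in cred["sig"]]
    except (ValueError, TypeError):
        return None
    if not lamport_verify(issuer_pk, canonical(body), sig):
        return None  # forged or altered credential
    if body.get("reliability", 0.0) < min_reliability:
        return None  # claim not reliable enough for this resource
    return body["sub"]


if __name__ == "__main__":
    idp = Issuer()
    cred = idp.enroll("Alice Example", 0.92)  # constructed enrolment
    who = admit(cred, idp.pk, min_reliability=0.8)
    print("admitted pseudonym:", who)
    print("after an incident, issuer resolves:", idp.resolve(who, authorised=True))
```

The relying party holds only the issuer's public key, so it can verify the claim and enforce a threshold without being able to forge credentials or look up names; the link from pseudonym to person exists in exactly one place, the issuer's escrow, which is where accountability is enforced.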
Don't Get Norteled, 464 pages, written for CEOs, COOs and CFOs rather than technologists, ISBN 978-1-931248-25-9, published by PKI Press, is available in eBook and print from the PKI Press Bookstore, http://pkipress.com. Review copies available.
PKI Press was established in 2001 to serve readers interested in issues of identity, authentication, privacy, and online community.
Contact:
Harvey Wharfield, Post Oak Associates (978) 635-9586
@PKIPress
Photo - http://photos.prnewswire.com/prnh/20141226/166152
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/attn-management-do-your-security-people-have-a-clue-300014042.html
SOURCE Wes Kussmaul