Doing what I do in my day job, I sit through a lot of presentations on various aspects of security. I had the pleasure of sitting through a couple of presentations this week (one by a leading analyst on Web 2.0 security issues, and one by a vendor CTO). My short version of the takeaways from the talk was that there are a huge number of security issues related to Web 2.0 technologies, including cross-site scripting and many more. Many of these existed before Web 2.0, but are exacerbated by

Without rehashing a lot of the detail from the event, the thing that really struck me was how similar my own internalized summary from the event was to almost every other security presentation I have heard in the last five years or so. You could almost use this as the punch line to every security issues talk: “The security issues are not generally well understood yet, they are going to be very significant, we’re pretty much screwed, and we don’t know where the solutions to the problem are going to come from.”

It’s a depressing conclusion to reach at the end of most talks on IT security. And I'm generally an optimistic person, so it's not like this is my "glass half empty" self talking.

I am also wading through Geekonomics, which appears to do a very good job of describing the big picture of how the IT industry has reached this particular place at this moment.
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com