In the last quarter of IS433 – Security Management at DePaul, I posed the following questions. While I’m still reading through the research papers, I thought I’d post these to the site.
1. There appears to be a set of security controls that are like commodities: controls an organization cannot do without these days. Some examples may be spam or web content filtering, antivirus, authentication technologies, and remote access controls (VPN, SSL VPN, etc.). What do companies see as the entire profile of commoditized security technologies (those that do not offer a competitive advantage) versus those that set them apart from other organizations? Are there security technologies or controls that do create a competitive advantage? If so, find an organization that has one and profile how it has used this advantage. (Possible books: The New School of Information Security by Shostack http://www.amazon.com/New-School-Information-Security/dp/0321502787 ).
2. Related to point 1 above, how has this changed the focus of security groups (or security blueprint) in the past few years? Do security groups or functions focus more on risk management and closer alignment with the business, or do they focus more on making sure the commoditized controls above function correctly? What is the difference between risk management and security?
3. Why are IT auditors so annoying? (That may be a rhetorical question). Has SOX, HIPAA, industry regulations, etc. actually helped focus security functions or organizations or simply created distractions? I’d be looking for research in this area and actual numbers if possible.
4. How are security groups, if they are at all, using metrics to show value to an organization? If so, how do they differ from IT metrics? Is IT using metrics to show organizational efficiency and cost savings? If no one seems to be using metrics, why might this be the case? Too difficult to track, or not a priority of IT management? If security groups are using metrics, which metrics seem to hold the most value? (Possible books: Beyond Fear, Uncertainty and Doubt http://www.securitymanagement.com/article/security-metrics-replacing-fear-uncertainty-and-doubt, or Beyond Fear by Bruce Schneier http://www.schneier.com/book-beyondfear.html).
5. What are the effects of Web 2.0, social media, and user-generated content on information security? How has media helped or hurt security? Are there safe ways to allow social media, or, from a security perspective, should we even allow social media as an outlet for users of an organization? This one is very broad and can be taken in many directions…
6. Visualization of security events (Possible book: Applied Security Visualization http://www.amazon.com/Applied-Security-Visualization-Raffael-Marty/dp/0321510100/ref=sr_1_1?ie=UTF8&s=books&qid=1241707763&sr=1-1 or the Edward Tufte visualization books if you dare). Can you generate real data and try some of the techniques presented in the book?
7. Cloud computing and the current state with regards to information security. Challenges? Any major legal issues related to compliance? Do you trust the current providers?
Comments
Very interesting questions! I love the empirical approach (especially) to question 1, and would love to hear if you get a positive answer.