Technical CSO x Gartner's MBAs

One small interview by Brian McKenna with Paul Henry, in Infosecurity Today magazine (Nov/Dec issue) caught my attention as it sheds a very bright light over an interesting topic, the "trend" of security teams starting to be composed more with guys like a MBA than technical personal.

Well, Mr. Paul Henry is very clear, and his toughts fit my opinion too, in saying that a security team can't be made only by "business guys". He is right to point out that the results would be policies and procedures that wouldn't be followed because of lack of technical enforcement safeguards. His examples use situations where people security awareness can improve a lot the security but is not enough to achieve the desired level.

He also points out a very interesting opinion about research companies like Gartner on indicating this businessmans trend. This would put more guys that like to hear their opinions and can't challenge their technical positions in charge of security departments, making their job a lot easier.

I strongly agree with Mr. Henry. Yes, security is not a technology problem only. However, technology is a very big part of the problem (and of the solutions). The people dealing with it need to know about the technology involved. CSOs use to participate on several meetings about new projects or technology products being bought by the organization. They need to, at minimum, know how to detect that something was made without security in mind. Unfortunately, most CSOs that I know can't even do this basic analysis.

Domain Isolation and Cima

There is a very good security professional in Microsoft called Fernando Cima. He wrote an article about the Domain Isolation strategy implemented through the use of IPSecurity, from Windows 2000 and above. There are some thing that I didn't know about, like the simpler version of the system introduced in Windows 2003 and Vista. I see this approach as a very good alternative for 802.1x, even because it can include encryption. Cima also shows how to include systems that do not support IPSEC in the system, using ISA Server as a gateway. Very clever solution.