Interview with Ken Cutler, Vice President, Information Security, MIS Training Institute
by Mirko Zorz - Wednesday, 12 January 2005.
Vulnerabilities should be disclosed, as promptly as possible, by the affected IT product vendor(s), accompanied by corrective action (e.g., software patch, additional firewall/intrusion prevention system filtering, security configuration changes or other tightening of access controls). A major concern of opponents of full disclosure is that revealing the details of the vulnerability accelerates the creation of exploit scripts that can be used to attack the vulnerability. The software patches are also a resource to future attackers, who can reverse engineer them to provide ideas on attack schemes. Some of the opponents of disclosure are the software authors/vendors themselves, whose failure to properly code and test their software created the vulnerabilities in the first place…then the customer is again put back on their heels trying to keep up with all of the patches and possible side effects associated with those patches. Vulnerabilities must be disclosed in a timely fashion as long as the announcement includes a fix, which may be a patch, a configuration change, or both. Consumer organizations must be able to protect themselves and test for vulnerabilities, so I don’t see any practical way to keep the vulnerabilities a big secret. What you don’t know…can kill you!

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

The biggest challenge is getting the full support of all levels of management and the work force in making information security a sincere top priority on a continuous basis. Senior management support, accountability “up and down the line”, relentless security awareness, and training are the key ingredients. Technical and physical security safeguards are no better than the people who administer and use them.

What are the future plans for the MIS Training Institute? Any exciting new projects?

MIS is continually in the process of securing new and industry-leading speakers and keynotes for our upcoming event schedule. For our 2005 conference schedule, several new events have been introduced including Cracking E-Fraud, The Conference on Enterprise Risk Management, The Summit on Managing Security & Privacy Compliance in the Era of Sarbanes-Oxley, as well as IT Security World in San Francisco. IT Security World is unique in that it will feature a full conference, including Sector Summits such as HealthSec, FinSec, GovernmentSec, LegalSec, EnergySec and CISO Executive Summit.

Detailed information on all of these events can be found on our Web site. I would encourage readers to visit the site for the most up-to-date information on upcoming conferences, seminars and symposiums.
