We see an awful lot of fear, uncertainty and doubt heading our way, which almost seems to reflect the state of politics today. Some would say that the IT security market seems to be taking advantage of this. How do you feel about that?
I think that the IT security companies have grown up and no longer are employing fear, uncertainty and doubt as a marketing message. I think what they are saying instead is IT security can be an enabler that can allow companies to do things they would otherwise have been unable to do. And you can open up markets by having IT security. The distinction between IT security and IT management is also blurry. I see less marketing now in terms of fear, uncertainty and doubt.
Howard Schmidt [another head of cybersecurity at the White House] said that people are doing a better job of security. Would you agree with him?
I think many companies have improved their security. Many are taking security seriously, spending the amounts of money they need to spend. If you go back about five years ago I think the average large company was spending 4 percent on its average IT spending. The average company is now spending about 8 percent. You and I both know you can double your spending on security and not achieve security. It's not just a matter of spending. Spending is an important indicator. That indicator would suggest that the companies are taking it more seriously, but it's also what they are spending it on and how they deploy it. Certain industries are doing a much better job. The financial services industry, at least in most modern countries, is doing a very good job.
There are a lot of disparate security bodies and user groups that don't seem to act in a coordinated way. A lot of them talk but don’t seem to have a strategy or roadmap.
Well, part of what we do is information sharing. Forums are great places to do that. But all too often the participants have no decision-making authority in their own companies and the real problem is persuading the CIO or the CFO that there is a return on investment in increasing security. Information sharing forums are great for technical solutions but haven't been all that great in helping the CISO to tell their story to their superiors.
It seems that the most useful piece of information a CISO can have is how to get to the board member, the CEO or the CFOs, and make a case in their language. Every expertise speaks its own language. What would be useful for these user groups is learning ways to speak the language of the people who are making the decisions.






Talkback
Whilst on most occasions I read quickly through the articles on ZDNet, every now and again there is an article of considerable interest to my business. This is such an article.