Security Technology Executive

FEB-MAR 2016

Issue link: https://securitytechnologyexecutive.epubxp.com/i/656764


COOL AS MCCUMBER

Que Sera Sera

By John McCumber

As a child, I loved to listen to my mother singing along with popular songs of a bygone era. One of her favorites was a Doris Day melody of the period called Que Sera Sera. For you youngsters who aren't familiar with the tune, the opening lyrics were: "Que sera, sera / Whatever will be, will be / The future's not ours to see / Que sera, sera…"

This whimsical and lighthearted song obviously provided my severely handicapped mother with a philosophical tactic to look at the uncertain future she and our family faced in the early 1960s. It echoed the advice I often received from my father that worry was simply paying interest on a debt you may never owe. My parents worked hard to provide their five children with what they needed in spite of illness, relocation and job concerns for my father. They didn't fear the future; instead, they focused on dealing with the problems at hand, and passed that wisdom down to us by their stalwart example. We were taught that life was ten percent what happened to us, and ninety percent how we responded and managed the hand we were dealt.

Last week, I sat in a meeting with several company executives as they wrestled with the challenges of a major security breach. Their chief security wonk was taking a risk-avoidance stance and was defending his earlier decisions to prioritize various technology investments he had recommended in order to prevent what was now a known attack, and a subsequent loss of sensitive data. The breach had started by a compromise of a third-party system not even under his direct control. His face was red, and his defensive responses to questioning resulted in a stressful and ultimately ineffective meeting.

The risk avoidance approach has been decried for at least a decade and a half now. The industry standard has become risk management. They may appear similar, but they are most certainly not. Risk management recognizes the axiom that one must prevent what you can't detect, and detect what you can't prevent. That's the fundamental principle driving the evolution from purely defensive capabilities to establishing the infrastructure necessary to "hunt" for threats in your systems and ensuring you have plans and procedures in place to limit the damage from attackers, internal threats, and natural disasters.

Risk management requires the professional to take a dispassionate look at all the vulnerabilities, assess threats, manage safeguards, and make reasoned recommendations. When bad things happen, it also provides a framework to effectively respond and deal with a crisis. It is certainly not the laissez faire attitude of Que Sera Sera, but it does recognize that we don't control all the variables that will ultimately impact our business. In spite of all the media finger-wagging after the breaches at Target, Home Depot, and even the Office of Personnel Management, people still shop at Target and Home Depot, and OPM slogs onward. Life goes on.

The future is not ours to see. We just need a strategy to deal with it.

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@cygnusb2b.com.

Published by Southcomm Business Media, Inc. www.SecurityInfoWatch.com
