Security management in 2008: What is in store
Mike Rothman
Translation: Yang Feng, Ma Zhiying
It's once again that time of year that marks the "silly season" of technology prognostications. Everyone often likes to pretend they know exactly what the year to come will bring, but alas, few of us are ever right on the money. But that won't deter me from providing some viewpoints on what security managers should expect in 2008.
Before we dive into the future, let's take a few minutes and examine the past year. Security management in 2007 was preoccupied with compliance, specifically PCI DSS. But that makes sense, given that almost every company accepts credit cards in some way, shape or form and thus is on the hook for PCI compliance.
The sad truth is that compliance is still the engine that is running most security operations. As my brother says, "no es bueno," or that's no good. We as security professionals still struggle to show value to the rest of the organization. No one argues that preventing a major breach adds value, but how much value? Is that in sync with the amount of money invested in security? These are important questions to answer.
As we focus on 2008, the first order of business for security professionals should be implementing a structured security program that is focused on protecting what's most important to the business, setting goals and milestones to ensure accountability and communicating how and why certain security controls are implemented. The end goal is to distinctly show the value and importance of security to the operations of the business.
Unfortunately, vendors are not going to be helping in terms of making the life of a security professional easier. That's right, don't hang up your tool belt or duct tape quite yet; 2008 will bring a lot more integration of disparate tools to try to make sense of what is actually happening. Security information and event management (SIEM) will continue to disappoint as most of the vendors in that space will spend 2008 giving their products brain transplants to seem more like log management offerings.
Many organizations will play around with SaaS, trying to figure out which security management tasks can be done more effectively by someone else. This is a good thing, since internal security groups don't get a lot of leverage from doing things like tuning spam gateways or monitoring IPS logs. But the key is to create an integrated and transparent workflow that gives internal resources the "master" view of what's happening, while effectively sourcing the operational tactics to the most cost-effective provider.
Compliance is not going away in 2008. I've certainly been hoping that security professionals will focus on security, as opposed to compliance, but ultimately the need to comply with various regulations still drives IT spending and thus is a significant funding source for what infosec pros need to accomplish and implement in the coming year.