Avoiding the Complexity of IT Security
John Stewart, Chief Security Officer, Cisco
John Stewart, chief security officer at network provider Cisco, says too many organizations develop IT security policies that are more complex than they need to be.
Stewart says in a video interview with Information Security Media Group that the fundamental questions security professionals should ask are: 1) is the information protected and 2) are the protections provided the right ones?
The Cisco senior vice president says too many organizations codify security policies in very complex documents that nobody reads, or they create huge pieces of documentation that, when posted, everyone clicks on but no one pays attention to.
"And then," he says, "when things go wrong, we all find ourselves horrified that they happen and went wrong. At the same time, we're asking people to just do their jobs. If you keep it simpler, this is my observation, it's a heck of a lot easier to enforce it."
In the interview, Stewart also:
- Answers the question he posed to security professionals in a recent blog: Are we as IT practitioners better off now than we were four or five years ago?
- Addresses the need for government and businesses to collaborate on IT security.
- Explains why harsher penalties are needed against those who pilfer data from IT systems.
Throughout Stewart's quarter-century career, he has been an active member in the broad security industry, leading or participating in security efforts ranging from elementary school IT design to national security programs. Stewart sits on technical advisory boards for Panorama Capital and RedSeal Networks, and is on the board of directors for KoolSpan, Fixmo, and the National Cyber-Forensics Training Alliance.
Stewart also serves on the Council of Experts for the Global Cybersecurity Center and the Cybersecurity Think Tank at University of Maryland University College. He has served on the Commission on Cybersecurity for the 44th Presidency, which offered a cybersecurity agenda in 2009 to then President-elect Obama.