As its executive director, W. Hord Tipton may run the show at nonprofit (ISC)2, which manages the security industry's flagship certification - the CISSP - but he knows no credential can serve as a silver bullet. "I once had a CIO at a major [federal government] department ask me how many CISSPs does he need to have to guarantee perfect security," recalls Tipton, 68, the former CIO of the U.S. Department of Interior. "The answer, of course, is, 'It's not possible.' Even if you have the perfect person in place, and they write you the perfect policy and configure your systems perfectly, but you don't have compliance with those policies, there isn't a single thing your security person can do."

Human error remains the Achilles' heel of most security operations. An organization can have all of its ducks in a row, but if an employee clicks on an email attachment that claims to be a work-related document and actually turns out to be a trojan for which there is no detection, the most knowledgeable security pro in the world may not be able to save its network from compromise.