IT is changing... Again?

Posted February 8, 2010 by Parijat Jauhari
Categories: Cloud Computing, Information Risk Governance, Strategic Planning

In the past few years IT organizations have seen multiple organizational transformations: some have centralized and others have decentralized. So when I heard a senior researcher talk about another transformative organizational change, I had the usual reaction of “yawn” followed by healthy skepticism. What got my attention though were the following three trends and potential implications for CISOs:

1) Business units will bypass IT to directly buy both devices and software. We have already seen examples of this in the social media space, where human resources used Facebook for recruiting and a sales organization bought 500 Salesforce licenses without discussing it with corporate IT or the CISO. This has major implications for CISOs: they lose their traditional listening posts inside centralized IT, and with them the ability to prevent risky technology and software from entering the corporate IT infrastructure.

Some CISOs already maintain lists of approved consumer devices; they should also start adding to that list the SaaS applications the business could realistically purchase. Assurance for these applications might involve conducting third-party assessments for “future third parties”. NAC may be another technology that CISOs would consider deploying further to ensure that only approved devices connect to the network.

Gamma’s Third Party Assessment Questionnaire
Teleconference on Network Access Control Implementation

2) Data will become more critical than business processes. Rather than providing automation, IT organizations will be tasked with providing information, and value will be added by linking multiple different sources, from legacy to unstructured, to support critical business decisions. With data becoming easily accessible and combinable in useful forms, there is always the danger that the same data could also be combined to reveal individual identity: date of birth, ZIP code, and gender together can uniquely identify a person.

Risk assessments that currently focus only on applications, or even on business processes, will need to be updated to include data, and their scope will need to drill down into contextual data loss risk. Updating data classification guides and training end users on them will also become more critical.
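The re-identification risk described above (date of birth, ZIP code and gender combining into a unique identity) is something a data-focused risk assessment can actually measure. The following is an added example, not code from the original post or from IREC: it computes the k-anonymity of a small constructed record set over those three quasi-identifiers, then shows how coarsening the fields (birth year only, three-digit ZIP prefix) and suppressing records that remain in too-small groups reduces the number of individuals who can be singled out. The records, field names and generalization rules are all assumptions for illustration.

```python
from collections import Counter

# Constructed sample records for illustration only; the diagnosis column
# stands in for whatever sensitive attribute the data set carries.
RECORDS = [
    {"dob": "1971-03-14", "zip": "02139", "sex": "F", "diagnosis": "A"},
    {"dob": "1971-09-02", "zip": "02138", "sex": "F", "diagnosis": "B"},
    {"dob": "1982-11-02", "zip": "02139", "sex": "M", "diagnosis": "C"},
    {"dob": "1982-11-30", "zip": "02138", "sex": "M", "diagnosis": "A"},
    {"dob": "1965-07-21", "zip": "10001", "sex": "F", "diagnosis": "B"},
    {"dob": "1965-01-09", "zip": "10002", "sex": "F", "diagnosis": "C"},
]

# The columns the post names as a combination that identifies a person.
QUASI_IDENTIFIERS = ("dob", "zip", "sex")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier values; each group is the set
    of people who look identical on those columns."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest group size: k == 1 means at least one record can be singled
    out from the quasi-identifiers alone."""
    return min(equivalence_classes(records, keys).values())


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records that are alone in their group, i.e. re-identifiable."""
    classes = equivalence_classes(records, keys)
    singletons = sum(1 for size in classes.values() if size == 1)
    return singletons / len(records)


def generalize(record):
    """Coarsen the quasi-identifiers (assumed rules): keep only the year of
    birth and the first three ZIP digits; the sensitive column is untouched."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["zip"] = record["zip"][:3]
    return g


def suppress_below_k(records, k, keys=QUASI_IDENTIFIERS):
    """Drop every record whose group is smaller than k, so the released set
    is k-anonymous by construction."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[kk] for kk in keys)] >= k]


def assess(records, k_target=2):
    """Report the raw and generalized re-identification picture as a dict."""
    generalized = [generalize(r) for r in records]
    released = suppress_below_k(generalized, k_target)
    return {
        "raw_k": k_anonymity(records),
        "raw_unique_fraction": unique_fraction(records),
        "generalized_k": k_anonymity(generalized),
        "generalized_unique_fraction": unique_fraction(generalized),
        "released_records": len(released),
    }


if __name__ == "__main__":
    for name, value in assess(RECORDS).items():
        print(f"{name}: {value}")
```

On the constructed set every raw record is alone in its group (k = 1, 100% re-identifiable), while the generalized set reaches k = 2 with nothing suppressed. A real assessment would run the same measurement on the actual linked data set and choose the generalization level that meets the classification guide's required k.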

DuPont company’s data focused risk assessment

3) IT is embedded in a newly created business services organization. Rather than IT offering end-user computing, a new business services organization will be created from corporate functions like Finance, HR, and IT, and it will offer a business service titled “New Employee Hiring” that includes human resources (interviewing, hiring, orientation, background…), information technology (identity management, provisioning, laptop…), and Finance (payroll, bonus…). These are the units of service that the business will order, rather than the individual components. This calls for a high degree of integration of information security at both the IT level and the business level.

This trend, while causing angst around org structure and governance, may actually help CISOs by providing a cross-functional perspective on risk. The downside is that IT risks may not receive the same weight, and therefore the same resources, as some of the other risks in the enterprise.

Top 10 Enterprise Risks

Shiny objects

Posted February 4, 2010 by Jeremy Bergsman
Categories: Risk Management

We have said it before, and we’ll probably say it again: Information Security groups would do far better to master the basics than to worry about each new threat and chase down every new technology that vendors bring along.

  • December 28 (The old risk of end-user carelessness is much bigger than all the risks pundits put on their predictions of risks for 2010)
  • November 5 (Focus on the nuts and bolts of access control, but don’t succumb to scope creep)
  • October 8 (Think about your activities as maintaining your key controls rather than the fool’s errand of quantifying risk)
  • June 10 (Ever-expanding security budgets that accommodate these new technologies may be outpacing residual risk)

A new report says the same thing.

The iPad’s Reminder: Weigh the Risk and Benefit of Consumer Technologies in the Enterprise

Posted February 2, 2010 by Garrett Young
Categories: Uncategorized

Apple’s announcement last week heralding the arrival of the iPad provides a distinct reminder of the challenges information risk organizations must address in the “consumerization” era of IT. With the line between corporate and personal technology rapidly disappearing, CISOs must find the delicate balance between supporting the adoption of technologies that improve productivity and managing the accompanying downside risks.

CISOs Keep Breach Costs Lower?

Posted January 26, 2010 by Jeremy Bergsman
Categories: Information Risk Governance

CSO magazine is reporting that the Ponemon Institute has a new study out that finds that “companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.”

This would seem to be part of a business case for creating a CISO role. We’re still working on getting the study, but the implication of this article sounds highly suspect.

Clearly, there are large differences between companies that do and do not have a CISO. These differences are likely most of the reason for the difference in costs, not the presence or absence of a CISO.

Before we get to that, let’s point out the two ways to lower the cost of a breach:

  • Lose less information. Fewer records, fewer fields within the records, etc.
  • Respond to the loss more effectively. Shut down an ongoing incident, recover what you can, manage the media, etc. (IREC members should download our December study on incident response. Another good, if aged, resource is NIST 800-61.)

Difference 1: Size. Few large organizations do not have a CISO or equivalent.

  • Large organizations tend to have more mature processes and likely respond better to incidents, lessening their costs.
  • Large organizations tend to lose more records during a breach. The “per capita” cost is generally lower in larger breaches.

Difference 2: Culture. Any medium or large organization that does not have a CISO in this day and age clearly has a very limited appreciation for information risk. This drastically different risk culture implies that lots of things are going to go wrong before and after the incident to make things worse. To put this down to the lack of a CISO ignores a much larger problem.

In summary, the presence or absence of a CISO is a proxy for different types of organizations that have different costs of a breach.

CISOs Need to Interpret the China / Google Situation for Their Companies

Posted January 21, 2010 by Jeremy Bergsman
Categories: Uncategorized

There is a press firestorm over Google’s announcement that it and other organizations were attacked from within China, and that Google will stop censoring google.cn, even if it means it has to pull out of the country. This feels like an Information Security story, but is it? Does this change anything for CISOs, and if so, what?


The Increasing Maturity of Cloud Computing Security

Posted January 4, 2010 by Jeremy Bergsman
Categories: Cloud Computing

We wrote a few weeks ago about a few good guides for thinking about security in the cloud. In that post we mentioned the Cloud Security Alliance. Now they have just released version 2.1 of their guide to security in the cloud.

The Guide is rather lengthy and still has areas in need of improvement, but it is a valuable document that makes great strides over the previous version and signals that as a field we are close to establishing a mature and systematic approach to cloud computing security.

The Guide includes an excellent overview of “the cloud”, clearly describing how to break it down into different service models and different deployment models. At this point it seems we are close to achieving one of the critical steps for cloud security maturity: a consistent and meaningful terminology and taxonomy of activities.

The Guide’s core is 13 domains (areas of focus) that must be attended to regarding cloud security. The list of domains itself is a useful high-level checklist, and the Guide includes for each domain both useful background information and points of security that need to be addressed.

If a criticism is to be made, it seems that each domain is written by a different set of contributors, and unfortunately it shows. The domains vary in style, content, and approach. For example, when treating security guidance, in some cases specific guidance is given, while in other cases the domains are much more generally written. Also, the terminology and organization of domains could be improved. Hopefully the next version will build on the excellent start they have already made, and streamline and organize the document into a concise set of high-level guidance supplemented with detailed specific guidance in an appendix or companion document.

Quite a few IREC members helped contribute to the Guide, and we congratulate them on the way it is progressing.

One More Prediction for 2010, But Are We Going to Heed It?

Posted December 28, 2009 by Jeremy Bergsman
Categories: Awareness, Insider Threat, Risk Management, Strategic Planning

In our last post we gathered together the pundits’ predictions for 2010, but perhaps predictably (sorry), they seem to be more about surprise and novelty than actual risk-based predictions. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Even worse, those who do know what that risk is are not acting strongly enough to manage it.

Top 10 List of Top 10 Lists

Posted December 17, 2009 by Jeremy Bergsman
Categories: Strategic Planning

It is that time of year when everyone likes to make their predictions for next year. IREC just released our own list (see the previous post). We thought it would be fun to round up the security-related prediction lists we could find (many are not actually “top 10” but some other number). By gathering them in one place, we can compare and contrast them to see how much agreement there is (not much). Also, it will make it easy to come back in 12 months and see who was the most accurate!

  1. IBM and Sophos
  2. Websense
  3. Symantec
  4. Zscaler
  5. Symantec (again)
  6. IBM (again)
  7. Lee Clemmer
  8. Fortinet
  9. Mark Weatherford, CISO, State of California
  10. Dan Kaminsky (same article as above)

Edited to add 11 and 12: Howard Schmidt, former eBay CISO and vice chairman of the President’s Critical Infrastructure Protection Board, and the folks from ICSA Labs.

A few trends that showed up on several lists:

  • Increasing use of social media sites as an attack vector
  • Cyber criminals increasingly use “the cloud” as a resource (use it legitimately, not an attack vector)
  • MacOS-targeted malware increases, resulting in a stronger security stance at Apple
  • The cloud will be a big security risk. Or it will make things better.  Or something.

Edited to add a new common trend: Windows 7 will contain security flaws.

I don’t think it’s a knock on Microsoft to say that predicting that software as complex and multifaceted as Windows 7 will have security flaws is about as useful as predicting that the sun will come up tomorrow.

Edited to add 13: another 10 from Verizon Business’ Security Blog. Two of their predictions are in direct opposition to the trends we pulled from the other lists. They believe Win7 will be surprisingly robust, and that Macs will not be a special target of attacks.


10 Information Risk Imperatives for 2010

Posted December 15, 2009 by Garrett Young
Categories: Risk Management, Strategic Planning


The 2010 information risk landscape will be defined by continued uncertainty in the broader business environment and the ongoing evolution of enterprise boundaries. Organizations that effectively manage the downside risks to information in this environment will be well positioned to take advantage of the new opportunities that such an environment brings.

IREC has just published our 10 imperatives for 2010 that CISOs should consider in advance of the new year. In particular, CISOs should be prepared for structural changes on four fronts:

  1. IT Architecture – More widespread adoption of cloud computing technologies will mean that IT infrastructure and data increasingly reside outside of traditional enterprise boundaries, beyond the direct control of the IT and Information Risk teams.
  2. IT Innovation – The ease of adoption associated with social media technologies, Windows 7 (which most organizations will be using by 2011), and other user-developed applications platforms means that business users, not IT, will be driving some of the most visible and potentially risky changes in IT.
  3. Risk Ownership – New regulations on the horizon and a board-level focus on cross-functional partnerships dedicated to risk management means CISOs will be called upon to share risk ownership with an increasing number of partners.
  4. Geographic Diversification – With limited growth forecast for OECD economies in 2010, many enterprises will be shifting emphasis into higher-growth but less familiar emerging markets, potentially requiring additional risk assessment and bespoke mitigation solutions.

After the jump, I’ve included the full list. If your company’s not a member of the Council but you’re interested in more details, shoot me an e-mail at gyoung (at) executiveboard (dot) com.

What trends did we leave out?  What trends are most important to you?


IREC in Wall Street Journal article about email monitoring

Posted December 1, 2009 by Jeremy Bergsman
Categories: Awareness

Quoted as “The Corporate Executive Board”, we supplied some commentary and data for an article in the European edition of the Wall Street Journal. The article is not available online, but it appeared on page 31 of the November 24 issue. (It is similar to the article “Some Courts Raise Bar on Reading Employee Email” from the US edition, but focuses on EU/UK issues.) We’d like to take advantage of the extra space available here to clarify our main points and provide additional data to those cited in the article.
