IREC in Wall Street Journal article about email monitoring
Posted December 1, 2009 by Jeremy Bergsman. Categories: Awareness
Quoted as “The Corporate Executive Board”, we supplied some commentary and data for an article in the European edition of the Wall Street Journal. The article is not available online, but it appeared on page 31 of the November 24 issue. (It is similar to the article “Some Courts Raise Bar on Reading Employee Email” from the US edition, but focuses on EU/UK issues.) We’d like to take advantage of the extra space available here to clarify our main points and provide additional data beyond that cited in the article.
Assessing the risk of cloud computing
Posted November 24, 2009 by Jeremy Bergsman. Categories: Information Risk Governance, Risk Management, Third-party risk
The European Network and Information Security Agency (ENISA) has a new report out: “Cloud Computing: Benefits, risks, and recommendations for information security”. The report does a good job of laying out definitions of “the cloud”, including breaking it down into the more meaningful service models (SaaS, PaaS, and IaaS), and of walking through how to think about the risks rather than just whipping up a bunch of horror stories. Some of the nice attributes of the study include:
- identification of the top risks of cloud computing in general
- a clear, detailed walk-through of the risk assessment process an organization should follow to assess its own risks, with several examples
- balanced consideration of the risk of not using the cloud
The study is also notable as a good example of how to perform and present an ISO 27005 risk assessment.
A few other good resources for thinking about the risk of cloud computing:
- RSA white paper “The Role of Security in Trustworthy Cloud Computing”
- The Cloud Security Alliance, which is gathering major players under its umbrella
- The Jericho Forum’s Cloud Cube Model
- A couple of articles, especially the first one, in PwC’s summer technology forecast
How much access control technology is enough?
Posted November 5, 2009 by Garrett Young. Categories: Identity and Access Management, Regulation/Compliance
I recently attended a meeting with a group of leading CIOs of U.S. Federal Government agencies, all of whom are working to meet a presidential mandate (HSPD-12) to integrate Personal Identity Verification (PIV) smart cards into their physical and logical access control systems. Some level of activity is of course required for compliance; there’s a “just do it” attitude that has to apply in some way. The more surprising conversation for me was a mentality that would be familiar to anyone who has ever remodeled a house: “while we’re in there, let’s also fix that…”. These CIOs were very interested to know how much effort to improve access control beyond mere compliance is worthwhile from a cost/benefit perspective.
IREC’s research on access management and on assessing the relative value of control investments sheds some light on the question of how much technology is enough.
Is risk management getting too ‘mechanized’?
Posted October 8, 2009 by Kavitha Venkita. Categories: Risk Management, Uncategorized
I was at a recent meeting we hosted for leading South African CISOs in Johannesburg. We were discussing the pros and cons of risk quantification models when one of the participants said: “I worry that attempting to quantify risks is leading us to ignore sound judgment as a decision-making tool. We believe more in the number that the system spits out rather than the instinct and advice of individuals who understand the terrain and the business context.”
Quantifying information risk and producing a single number for residual risk levels at a company is considered the holy grail for information risk professionals worldwide. It is seen as an essential tool to systematize the ever-changing world of information risks. This CISO was arguing for “a return of judgment” in risk decision-making.
Interestingly enough, the latest (October 2009) issue of the Harvard Business Review (login required) makes a similar argument in its ‘Spotlight on Risk’ issue. In an article titled “The Six Mistakes Executives Make in Risk Management”, the authors argue that
“Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand – not a futile attempt to develop sophisticated techniques and stories that perpetuate our illusions of being able to understand and predict the social and economic environment.”
The fundamental questions that Information Risk professionals need to answer are:
- Where and how do quantification models help?
- How can we use them to supplement sound judgment (and not substitute for it)?
- How can we help our team members get a better understanding of the business context they operate in to help them make the right decisions?
In IREC, we have taken the view that CISOs have a better shot at understanding their controls environment and plugging obvious gaps in their controls portfolio than at investing time and effort in building out sophisticated risk models. In other words, how do we reduce our vulnerability to high-impact events by strengthening our controls?
Some would say that this is only pragmatic, given that most companies don’t have good actuarial data on threats, loss events and the like. Others would consider it heretical that information risk professionals are calling into question the very need for risk quantification. What is your view?
Happy National Cybersecurity Awareness Month!!
Posted October 2, 2009 by Kavitha Venkita. Categories: Awareness
October is National Cybersecurity Awareness Month in the US (read the full White House press release here).
Excerpting from the press release, President Obama says: “I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with appropriate activities, events, and trainings to enhance our national security and resilience.”
It looks like CISOs are jumping on the bandwagon too, leveraging the press and buzz this receives to drive security awareness at their own organizations. From a recent thread in one of IREC’s discussion forums, we heard about a variety of events CISOs are planning at their companies:
- Declaring a “Cybersecurity Day” in October featuring an external expert speaker
- Interviews with company leaders on the importance of cyber/information security, to be broadcast globally
- Tent cards in cafeterias and cybersecurity awareness bookmarks
- Encouraging employees to complete the online security training module in October
In the age of information overload and flat budgets (the average company spends 2% of its security budget on employee awareness and training), it is very hard to get employees’ attention for matters such as secure behavior. I’m glad that the US Government’s drawing attention to this will provide a much-needed ‘hook’ for CISOs to draw attention to security in their companies.
Handy Resources for Responding to WSJ-Inspired Questions
Posted September 23, 2009 by Jeremy Bergsman. Categories: Awareness, Communication, Information Risk Governance, Insider Threat
Fortunately the three articles in today’s WSJ on IT Security are a lot less troublesome than the one of two years ago. Nevertheless, it is a good idea to be ready to respond to questions coming out of the articles from senior executives and managers in your organization. The elevator pitch is probably:
Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?
With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threat, but go on to address a wide variety of related risks, so this post is organized by risk rather than responding to each article point by point.
The WSJ’s ‘IT Security’ Section
Posted September 23, 2009 by Garrett Young. Categories: Information Risk Governance, Insider Threat, Regulation/Compliance
Today’s Wall Street Journal contains a special advertising section called “IT Security” paid for by the Risk and Insurance Management Society. The two-page section doesn’t seem to be available online, but it’s fairly prominent in the print edition on pages A19 and A20.
The three articles focus on insider threat, mobile device security, and social media, but contain little that will surprise anyone who has been paying attention to the information risk landscape. That said, several data points cited in the articles might catch the attention of your senior executives. Here are the highlights:
Insider Threat:
Privileged insiders pose a greater threat to organizations because of their access and their knowledge of how systems work. The article cites several anecdotes to suggest this threat vector is increasing.
Key ideas/data:
- Only one-third of data breaches attributed to insiders are unintentional in nature.
- Data Loss Prevention (DLP) tools can “identify, monitor, and protect data, alerting network administrators when select information is being e-mailed” and can subsequently block that traffic.
- Cyber insurance can be purchased to offset the risk of a data breach.
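To show what the DLP capability described above actually does at the content-inspection layer, here is an added example (not from the article, and not any vendor’s product): a small outbound-mail inspector that parses a message, scans its text for a few constructed patterns, validates payment-card candidates with the Luhn check to suppress false positives, and returns allow/alert/block depending on whether any recipient is outside the company. The internal domain `example.com`, the rule set, the action names and the four sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default as email_policy
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # constructed: mail staying inside is not blocked


def luhn_ok(digits):
    """Luhn checksum; filters out order/tracking numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (rule name, pattern, validator for the matched text, severity)
RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s)), "block"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True, "block"),
    ("confidential-marker", re.compile(r"\bCONFIDENTIAL\b|\bINTERNAL ONLY\b"),
     lambda s: True, "alert"),
]


def scan_text(text):
    """Return [(rule, severity, matched_text)] for every validated hit."""
    findings = []
    for name, pattern, validate, severity in RULES:
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                findings.append((name, severity, m.group(0)))
    return findings


def external_recipients(msg):
    """Addresses in To/Cc/Bcc that are not on the internal domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def inspect_message(raw):
    """Parse an RFC 822 message and decide: ('allow'|'alert'|'block', findings, externals)."""
    msg = message_from_string(raw, policy=email_policy)
    text = str(msg["Subject"] or "")
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            text += "\n" + part.get_content()
    findings = scan_text(text)
    externals = external_recipients(msg)
    if not findings or not externals:
        action = "allow"          # nothing sensitive, or it never leaves the company
    elif any(sev == "block" for _, sev, _ in findings):
        action = "block"
    else:
        action = "alert"
    return action, findings, externals


# Constructed sample messages.
SAMPLE_BLOCK = """From: alice@example.com
To: vendor@partner.test
Subject: card details for the booking

Please charge 4111 1111 1111 1111, exp 12/11.
"""
SAMPLE_INTERNAL = SAMPLE_BLOCK.replace("vendor@partner.test", "bob@example.com")
SAMPLE_CLEAN = """From: alice@example.com
To: vendor@partner.test
Subject: shipment

Tracking number 1234 5678 9012 3456 shipped today.
"""
SAMPLE_ALERT = """From: alice@example.com
To: press@newswire.test
Subject: CONFIDENTIAL: Q1 roadmap

Draft attached for comment.
"""

if __name__ == "__main__":
    for label, raw in [("block", SAMPLE_BLOCK), ("internal", SAMPLE_INTERNAL),
                       ("clean", SAMPLE_CLEAN), ("alert", SAMPLE_ALERT)]:
        print(label, inspect_message(raw))
```

Two design points worth noting for anyone evaluating a real product: the Luhn validator is what keeps a 16-digit tracking number from triggering a block, and the recipient check is what keeps the tool from flagging legitimate internal workflow. Findings are still returned for the internal message so they can be logged, which is the “monitor” part of the capability the article describes.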
Mobile Security:
Lost laptops and other mobile devices can be costly, so it is important to track and secure the devices to reduce the risk.
Key ideas/data:
- The cost of a lost laptop ranges from $8,950 to $115,849 depending on how quickly it is identified as missing. (Source: Ponemon Institute)
- Nearly one-third of companies don’t know how many laptops were missing or stolen in 2008.
Social Media:
The rapid growth of social media tools is having an impact on businesses across the globe. Viral videos and social networks can have both negative and positive effects.
Key ideas/data:
- Firms should have social media policies in place to limit the risks associated with company employees posting information to the internet.
- “Listening” tools can gauge how (e.g. in what tone) and where a firm is being discussed on the Internet.
If I find a link to the material online, I’ll post it. We’ll be back later today with a more detailed reaction and the IREC perspective. In the meantime, Council members can check out a few of our recent resources:
- Insider Threat: Managing the Threat from Malicious Insiders
- Data Loss Prevention: Preventing Data Leakage
- Social Media: Social Media Policy Builder, Sample Corporate Social Media Policies
Confirmed: Wednesday is Security Day
Posted September 21, 2009 by Jeremy Bergsman. Categories: Uncategorized
Yesterday we alerted you to the coming article in the WSJ. We have now confirmed that there will be a special section called “IT Security” in Wednesday’s issue. Topics will include:
(Topic links are to IREC research in each area. Sorry, for Council members only.)
Your CEO is going to yell at you this week
Posted September 20, 2009 by Jeremy Bergsman. Categories: Communication
Just over two years ago the Wall Street Journal published an article, “Ten Things Your IT Department Won’t Tell You”, which was basically a guide to circumventing security procedures and making security look stupid in the process. We’re confident anyone who was working in information security back then remembers the day that article came out, since they probably found out about it from an angry call from their boss.
We are unable to confirm it from a search of their web site, but sources tell us that the WSJ will be publishing a special section on information security this week, so get ready to answer some potentially awkward questions.
For example, is your social media strategy ready yet?
Anyone with further information please get in touch.
We have confirmed that this section is coming out on Wednesday.
Good Reading in Information Risk
Posted September 17, 2009 by Jeremy Bergsman. Categories: Uncategorized
There is no end to blog posts and news stories about the latest new technology threat, or complaints about how the business just doesn’t “get it” about information risk. Unfortunately there are not so many good reads out there for people who like to think strategically about information risk. Here is a short list of good material; let us know what you have found in the comment section.
1: The RSA Innovation site recently released the fourth in its series of reports based on discussions with ten large-company CISOs (the “Security for Business Innovation Council”, most of whom are friends of IREC). These are really thoughtful pieces and well worth the read. (We’re still trying to figure out where the photographic themes come from, though!) The reports are a little hard to find there, so some deep links:
- The Time is Now: Making Information Security Strategic to Business Innovation
- Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards
- Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy
- Charting the Path: Enabling the ‘Hyper-Extended’ Enterprise in the Face of Unprecedented Risk
2: Verizon Business’ data breach reports. For years IREC members have been asking us to collect incident data as a start toward credible estimates of risk based on real outcomes. Of course the problem with this is that few organizations are willing to share incident information. Verizon Business has a special position as a solutions provider to a large number of companies that gives it deep access to incident data, and it has been kind enough to analyze and publish the information for everyone’s benefit.
3: Intel’s Communities / IT@Intel site has tons of blogs on a variety of subjects. You can search across them for security topics and find a lot of good material. Here are two especially good posts:
- How to prioritize security efforts (or how to measure value as the post describes it)
- Metrics are only useful if they drive decisions
4: A couple of books recommended to us by members (links go to Amazon):
What are you reading?