Archive for May 2009

Google Wave will be here…shortly!

May 29, 2009

Google recently previewed Google Wave, its next-generation, unified communication platform set to launch later this year. In Google’s words, “Google Wave is a new model for communication and collaboration on the web.” It combines features of IM, email, wikis, web chat, social networking, and project management in a single browser-based communication client.

What seems to set Google Wave apart are the following features:

Real-time: You can see what someone else is typing, character-by-character

Embeddability: Waves can be embedded on any site or part of a site

Drag-and-drop file sharing: Instead of attaching files, users can just drop a file into a wave and make it accessible to all

And of course, Google plans to open-source it, and developers can build extensions and apps for Wave.

Google Wave comes with its own terminology – Embeds, Robots, Gadgets etc. It is billed as the ultimate real-time collaboration tool.

According to our sister program, the Infrastructure Executive Council, most enterprises are seeking to roll out collaboration technologies, so it is no stretch to imagine end-users clamoring for Google Wave in the enterprise. Every one of the headline features carries a security question: character-by-character real-time sync means drafts leave the organization before anyone has reviewed them, embedding waves on any site puts corporate content and identities on pages the enterprise does not control, drag-and-drop file sharing bypasses whatever controls sit on the email gateway, and third-party Robots and Gadgets run against the content of the wave. It would be well worth it for security professionals to spend some time assessing the proposed features and have a point of view before Google Wave (and other such unified collaboration platforms) go live!

Ben Parr’s article provides a good overview of Google Wave and its features.

Coming to Consensus

May 27, 2009

The security function has a reputation—not wholly undeserved—for a “security at any cost” mindset. We have all been trying to move away from that and start to “manage risks”. This means performing risk assessments and addressing those risks where the cost of addressing them makes sense given your risk tolerance.

However, there seems to be a new movement afoot in the information security space, and it feels to me like a move away from risk management.

Third-party risk management: Time for an overhaul?

May 26, 2009

There is an interesting risk trend that recently caught my eye – in the past six months, CFOs, Auditors, Procurement and Supply Chain execs have all rated ‘third-party risk’ as their key focus area. This looks like the first time in several years that third-party risk (and its management) has risen to a Top 5 issue for Boards. Each of these executives has slightly different reasons for focusing on third parties, but the underlying theme is increased concern over supplier solvency and its corollary implications for product quality, supply chain disruptions, safety and regulatory compliance.

CISOs have been ahead of the curve in signaling the importance of effective third-party risk management, primarily driven by concern over the sensitive information a third party might have access to. Most security organizations have made great strides in developing good third-party programs as well. However, if you look at third-party risk management writ large, most companies have a siloed approach, and not surprisingly the silos don’t interact from a risk standpoint. CISOs look at the risk of data breaches originating with third parties, Legal and Vendor Management look at contractual risks and potentially solvency risks, and Supply Chain folks worry about continuity/disruption risks. Very few organizations, if any, can summon up an overall risk picture of a third party to make portfolio-level decisions.

There are three potential implications for CISOs:
– Very tactically, this is an opportunity to establish closer coordination and exchange of information among the different groups. The data the other groups gather might help CISOs prioritize third parties better, or watch for signals (a supplier in financial trouble, a contract dispute) that would otherwise be ignored.
– This could be an opportunity for CISOs to take on third-party risk management activities that go beyond the traditional security scope. For instance, how difficult would it be to incorporate indicators of financial viability/solvency into the current assessment framework? We already see some organizations going down this route. Not only would this win friends for the CISO, but it would help make the case for more third-party risk management resources, something CISOs have sought for years.
– Finally, there is the potential to develop a unified framework and centralized ownership of third-party management (with risk management being part of it): think of it as a group with experts in multiple disciplines responsible for assessing all kinds of risks related to the company’s supplier/partner base. While the CISO might relinquish a key area of responsibility, maybe they can sleep better knowing the risk is in capable hands. The real difficulty in implementing such a model lies in figuring out ownership and decision rights, given agency conflicts and siloed viewpoints. There is also the real question of whether one group has the competency to assess several different risk areas.

Whatever the medium- or long-term scenario turns out to be, it would be wise for CISOs to adapt their frameworks to take notice of higher-order supplier risk issues, or at least proactively start sharing information with their peers. However, we don’t see any third-party frameworks going down this path and broadening the scope of a traditional security assessment of third parties. Prudent approach or lost opportunity?

Getting ready for the next round of web focused smart phones

May 19, 2009

Two years ago Apple introduced the iPhone, and initially most IT Security organizations were caught off-guard. I remember talking to several CISOs, and most of them said that they would just ban the iPhone. Well, it is now two years later, and I think most CISOs out there would agree that that was not really an option – especially not once the phone quickly became a CEO toy. What happened back then, I think, could be described as a big underestimation of the adoption of the iPhone and what this would mean for corporate IT and the corporate IT Security group.

We are now less than a month away from Palm introducing its iPhone competitor, the Pre, and we are likely a month away from Apple announcing its third generation of the iPhone. The Pre might not reach the iPhone’s excitement levels or adoption numbers, but it could, especially judging by the good reviews it is getting so far.

This makes me wonder whether CISOs have looked at what widespread adoption of the Pre would mean for their organizations. Have CISOs, together with their IT peers, talked to Palm about integration of the new device into corporate infrastructure, or about how the devices can be secured? If not, what are the plans for corporate IT shops come early June, when perhaps hundreds of employees find ways to connect their Pres to the corporate email network?

Let us know what your plans are.

PCI Backslides?

May 18, 2009

Ever since the Payment Card Industry Data Security Standard was released, affected Council members have struggled to implement all the facets of this detailed and prescriptive standard. The PCI Security Standards Council has recently released a detailed prioritization of the elements within the standard. While it carries many disclaimers that you still must comply with everything in the standard, does the existence of this tool not acknowledge that many organizations subject to PCI will remain not fully compliant for significant periods of time?

https://www.pcisecuritystandards.org/education/prioritized.shtml

Software audits: an emerging trend?

May 15, 2009

With the economy bottoming out, members have reported a rise in software audits. Five or six members I have talked with report that they have been audited three times in the past three quarters, while prior to that they had never been audited. While researching this issue I found two data points that suggest it is gaining prominence:

  • According to the Federation Against Software Theft (FAST), audits among its members were up 20%, as reported in Computer Weekly and CNET.
  • According to our sister council, the Infrastructure Executive Council, heads of infrastructure are focused on getting a handle on asset management, including software licensing, to help them cut costs.

Is this a short-lived trend as software companies face a global slowdown in revenue, or is this a sign of things to come? Don’t get me wrong: software piracy is a problem that needs to be tackled, but will software vendors continue these audits when they may ultimately hurt relationships with their customers? To me this appears to be a trend that will change with the economy: as the economy improves, vendors will focus on revenue growth rather than software audits.

I have also faced another question: is this truly a CISO responsibility? Who is responsible for managing software audits in the company? Buying the licenses should be handled through procurement, and installing/tracking them should fall under infrastructure. While I agree with both points, CISOs are also responsible for this issue because maintaining compliance with contractual obligations is part of their compliance responsibilities. In any case, CISOs should raise the flag in their organization and start thinking about the following questions:

  • Whose job is inventorying software use in the organization?
  • Whose job is responding to software audits?
  • Is this a temporary situation we can brute-force our way through, or do we need to get systematic about answering these?
  • Do we have relief in our contracts from these audits?
  • Does the cost of responding to audits shift the balance in favor of open source or SaaS?
  • Does virtualization further complicate this process? How do you keep track of installations on virtual machines for software license purposes: “sampling” or continuous monitoring?
  • Do you need to rethink the way you pay (i.e., is your payment prorated to the amount of time the software is in use (good), or do you pay per installation (bad))?

Tackling Risk at the Line – The Separation of Awareness and Control Effectiveness

May 12, 2009

IREC’s sister Council, the Investor Relations Roundtable, reports an interesting new trend in thinking about business units’ overall business risk levels. To encourage risk vigilance without fostering risk aversion, a few leading organizations now separately evaluate risk awareness and risk control effectiveness as part of their risk audit processes. Separating risk scores into awareness and control effectiveness ensures that the line is not punished for identifying risk weaknesses; instead, the line is rewarded through a higher awareness score.

Progressive CISOs measure business units’ residual information risk levels to hold managers accountable and to promote healthy competition that keeps information risks at appropriate levels. It is worth considering breaking out measurements of information risk awareness and control effectiveness separately, so that managers are not incentivized to under-report or otherwise hide their information risk levels.