Archive for September 2009

Handy Resources for Responding to WSJ-Inspired Questions

September 23, 2009

Fortunately the three articles in today’s WSJ on IT Security are a lot less troublesome than those of two years ago. Nevertheless, it is a good idea to be ready to respond to questions coming out of the articles from senior executives and managers in your organization. The elevator pitch is probably,

Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?

With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threats, but go on to address a wide variety of related risks. I’ll try to organize this post a little more consistently rather than respond to each article point by point.


The WSJ’s ‘IT Security’ Section

September 23, 2009

Today’s Wall Street Journal contains a special advertising section called “IT Security” paid for by the Risk and Insurance Management Society.  The two-page section doesn’t seem to be available online, but it’s fairly prominent in the print edition on pages A19 and A20.

The three articles focus on insider threat, mobile device security, and social media, but contain little that will surprise anyone who has been paying attention to the information risk landscape.  That said, several data points cited in the articles might catch the attention of your senior executives.  Here are the highlights:

Insider Threat:
Privileged insiders pose a greater threat to organizations because of their access and knowledge of how systems work.  The article cites several anecdotes to suggest this threat vector is increasing.
Key ideas/data:

  • Only one-third of data breaches attributed to insiders are unintentional in nature.
  • Data Loss Prevention tools can “identify, monitor, and protect data, alerting network administrators when select information is being e-mailed” and subsequently prevent that traffic.
  • Cyber insurance can be purchased to offset the risk of a data breach.

Mobile Security:
Lost laptops and other mobile devices can be costly and it’s important to track and secure the devices to reduce the risk.
Key ideas/data:

  • The cost of a lost laptop ranges from $8,950 to $115,849 depending on how quickly it is identified as missing. (Source: Ponemon Institute)
  • Nearly one-third of companies don’t know how many laptops were missing or stolen in 2008.

Social Media:
The rapid growth of social media tools is having an impact on businesses across the globe.  Viral videos and social networks can have both negative and positive impacts.
Key ideas/data:

  • Firms should have social media policies in place to limit the risks associated with company employees posting information to the internet.
  • “Listening” tools can gauge how (e.g. tone) and where a firm is being discussed on the Internet.

If I find a link to the material online, I’ll post it.  We’ll be back later today with a more detailed reaction and the IREC perspective.  In the meantime, Council members can check out a few of our recent resources:

Insider Threat: Managing the Threat from Malicious Insiders
Data Loss Prevention: Preventing Data Leakage
Social Media: Social Media Policy Builder, Sample Corporate Social Media Policies

Confirmed: Wednesday is Security Day

September 21, 2009

Yesterday we alerted you to the coming article in the WSJ. We have now confirmed that there will be a special section called “IT Security” in Wednesday’s issue. Topics will include:

(Topic links are to IREC research in each area.  Sorry, for Council members only.)

Your CEO is going to yell at you this week

September 20, 2009

Just over 2 years ago the Wall Street Journal published an article “Ten Things Your IT Department Won’t Tell You”, which was basically a guide to circumventing security procedures, and making security look stupid in the process.  We’re confident anyone who was working in information security back then remembers the day this article came out, since they probably found out about it from an angry call from their boss.

We are unable to confirm it from a search of their web site, but sources tell us that WSJ will be publishing a special section on information security this week, so get ready to answer some potentially awkward questions.

For example, is your social media strategy ready yet?

Anyone with further information please get in touch.

We have confirmed that this section is coming out on Wednesday.

Good Reading in Information Risk

September 17, 2009

There is no end to blog posts and news stories about the latest new technology threat or complaints about how the business just doesn’t “get it” about information risk. Unfortunately there are not so many good reads out there for people who like to think strategically about information risk. Here is a short list of good information; let us know what you have found in the comment section.

1: The RSA Innovation site recently released the fourth in their series of reports based on discussions with 10 large company CISOs (the “Security for Business Innovation Council”, most of whom are friends of IREC). These are really thoughtful pieces and well worth the read.  (We’re still trying to figure out where the photographic themes come from though!) The reports are a little hard to find there, so some deep linking:

2: Verizon Business’ data breach reports. For years IREC members have been asking us to collect incident data as a start to make credible estimates of risk based on real outcomes. Of course the problem with this is that few organizations are willing to share incident information. Verizon Business has a special position as a solutions provider to a large number of companies that gives them deep access to incident data, and they have been kind enough to analyze and publish the information for everyone’s benefit.

3: Intel’s Communities / IT@Intel site has tons of blogs on a variety of subjects. You can cross search them for security topics and find a lot of good stuff. Here are two especially good posts:

4: A couple of books recommended to us by members (links go to Amazon):

What are you reading?

Obama lends CISOs a helping hand?

September 11, 2009

This week Obama gave a warning to kids about their social media activities. I’d like to spend some space here to analyze how effective this might be.

My first reaction to this was “great!”. Organizations, or more typically people in their organizations, are diving into social media use. But, as we describe in this week’s Business Week, organizations lack governance and policies around social media. One thing our member CISOs have been working hard on over the last year is user education on appropriate use of social media. Any attention is a good thing, and this will likely get some play in the media.

Then I thought about our research into how security awareness messages change user behavior. We analyzed the differential effect of communications depending on the source of the message (manager, colleague, etc.). We can probably draw a rough parallel between these corporate positions and people in a kid’s life:

  • Direct Manager = Parent
  • Colleague = Friend
  • CEO = Obama
  • Information Security = ???  Maybe a nerdy teacher at school?

With this, maybe it’s worth a moment to extrapolate from the data we have. Here’s a graph of the relative* effectiveness of these sources:

[Graph: relative effectiveness of security awareness messages by communication source]

So, as we probably already knew, it is likely best for parents to talk to their kids about this subject, but the President’s message should be pretty effective.

* (Maximum Impact is actually an absolute measure, but a bit involved to explain here. Contact us if you would like more information.)

Security budgets to remain flat in 2010

September 10, 2009

I’m back after a brief hiatus with a summary of the findings from our annual budget survey.

IREC conducts an annual budget survey of its membership in the June – August timeframe. We just wrapped up data analysis on the 2009-2010 survey that ~80 CISOs provided data for. I wanted to share some of the preliminary findings with you all. Here are the Top 5 findings:

1. Budgets to remain flat going into 2010: The average organization will spend 3.5% of the IT budget on information security in FY2010. This is down from 3.8% for FY2009, but not a statistically meaningful difference. We also look at information security spend on a per-employee basis. This number has jumped from USD 622 in 2009 to USD 677 in 2010. This is a side effect of layoffs, which have reduced the employee base over which the budget is spread.
2. Personnel spending forms the bulk of the CISO’s budget: 47% of the security budget goes towards personnel (staff salaries). The next big chunk is capitalized technology expenses (18%). Outsourced security services and consulting spend accounts for another 16%.
3. Staffing remains flat with some pockets of big hiring: On average, the CISO’s organization expects to have 40 in-house staff in 2010 (we are not counting contractors and staff that might be working on security initiatives but do not belong to the CISO’s budget). This is up from an average of 38 in 2009. Much of this jump is attributed to a handful of companies that are projecting 20%+ staff increases.
4. On certifications and frameworks, CISSP and ISO lead: 49% of security staff carry at least one certification, primarily CISSP. 73% of organizations use ISO 27001 as their security framework. ISO 27002 is slowly catching on. However, not many are pursuing or planning to pursue ISO certifications. Just about 7% have some part of their organization ISO certified and 75% report no plans to pursue certification.
5. CISOs are playing a larger role in BCP, e-discovery and data privacy: While things seem to have settled down from a scope and reporting perspective, the CISO’s portfolio of responsibilities seems to be expanding. 66% claim primary or shared ownership for BCP, 82% for e-discovery and 91% for data privacy. This is a huge jump from years past.

Once we complete our full analysis, I will update the post and add more details – in areas such as technology adoption trends, threat trends and security governance. Ciao for now!

PS: Check out this article in Business Week on social media adoption that IREC co-authored with our sister programs at the Corporate Executive Board! We will also be hosting a webinar on “Security Implications of Social Media” on October 15th.