Handy Resources for Responding to WSJ-Inspired Questions

Fortunately the three articles in today’s WSJ on IT Security are a lot less troublesome than those of two years ago. Nevertheless, it is a good idea to be ready to respond to questions coming out of the articles from senior executives and managers in your organization. The elevator pitch is probably,

Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?

With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threats, but go on to address a wide variety of related risks. I'll try to organize this post a little more consistently rather than respond to each article point by point.

Insider Threat

How big a risk is it, really? The article starts off repeating the conventional wisdom that insiders are responsible for the vast majority of breach risk. This article may be good news for CISOs, as it will give them some extra attention during budget time, but we take issue with some of the problems and solutions described in the article.

The real story about the risk is a little more nuanced. The 2009 Verizon Data Breach Report indicates that insiders are maybe a bit less of a risk than outsiders, something that is echoed in other studies. One problem with these statistics is that the various breach sources (“Insider Malicious”, “Insider Non-malicious”, etc.) are not consistent across studies. The breach sources need to be clearly identified, not to get the numbers exactly right, but because we will respond to each source in a different way. Council members should access our research on the leading indicators of insider misconduct.

Data from our sister program The Compliance and Ethics Leadership Council confirm that employee morale is low and that misconduct is on the increase.


However, business information violations seem to be on the decrease–Information Security is working!


Mobile Devices and Social Media

Oddly, the business risks discussed in the social media article don’t really belong to IT security but rather to HR, corporate communications, or the brand managers. Nevertheless, social media, mobile devices, and “IT consumerization” are big issues for Information Security. Council members should be well prepared to deal with questions on this topic since we have been working on it for two years now. New or improved technologies are enabling the secure use of smart phones, laptops, and internal collaboration tools. For example, encrypting laptops reduces the cost of loss from the over $100K quoted in the article to just a few thousand dollars. Most of our members have encrypted laptops and almost half have the encryption technically enforced.


What to do about these threats?

  • Encryption. The Insider Threat article is misleading, since encryption doesn’t do much against the malicious insider, as they usually take information they have access to. However, encryption is still a no-brainer for mobile devices–especially laptops–as protection against accidental loss, and it also protects against external threats. In our recent analysis of the risk reduction afforded by various controls, encryption was roughly average in benefit. Seeing as it tends toward the cheaper side, it is a good investment. Contact us for information on the management challenges of deploying encryption or data on adoption of various approaches.
  • Data Leakage Protection Technology is hardly the panacea implied by the article (nor is it even a clearly delineated technology). IREC members report many implementation challenges, including:
    • running afoul of privacy regulations outside of the US
    • false positive rates that swamp the real hits
    • an inability to follow up on the huge volume of even real hits–many of which are innocuous
    • slowing legitimate business activities
    • a fear of liability once you “know” about non-compliant activity but fail to act on it.

Members may access our research on how to scope a DLP project and other factors to drive its success.

  • Awareness is a powerful, multi-valent control that addresses all of the breach sources, especially the “insider non-malicious” source. ISO control objective 8.2, which covers awareness, was the 5th best control of the 41 control objectives we studied, and again is one of the cheaper controls available to the Information Security team. Just be sure you understand what actually works to change user behavior.
  • Cyberinsurance may make sense for businesses whose biggest information risks can be transferred in this way, but that does not apply to anyone who traffics in intellectual property or relies on their reputation with customers. Few IREC members have cyberinsurance. Of course this special advertising section is sponsored by insurer Zurich.