Archive for January 2010

CISOs Keep Breach Costs Lower?

January 26, 2010

CSO magazine is reporting that the Ponemon Institute has a new study out that finds that “companies that had a CISO (or equivalent title) who managed the data breach incident experienced an average per capita cost of $157 versus $236 for companies without such CISO leadership.”

This would seem to be part of a business case for creating a CISO role. We’re still working on getting the study, but the implication of this article sounds highly suspect.

Clearly, there are large differences between companies that do and do not have a CISO. Those differences likely account for most of the gap in costs, not the presence or absence of a CISO itself.

Before we get to that, let’s point out the two ways to lower the cost of a breach:

  • Lose less information. Fewer records, fewer fields within the records, etc.
  • Respond to the loss more effectively. Shut down an ongoing incident, recover what you can, manage the media, etc. (IREC members should download our December study on incident response. Another good, if dated, resource is NIST 800-61.)

Difference 1: Size. Few large organizations do not have a CISO or equivalent.

  • Large organizations tend to have more mature processes and likely respond better to incidents, lessening their costs.
  • Large organizations tend to lose more records during a breach. The “per capita” cost is generally lower in larger breaches.

Difference 2: Culture. Any medium or large organization that does not have a CISO in this day and age clearly has a very limited appreciation for information risk. This drastically different risk culture implies that lots of things are going to go wrong before and after the incident to make things worse. To put this down to the lack of a CISO ignores a much larger problem.

In summary, the presence or absence of a CISO is a proxy for different types of organizations that have different costs of a breach.


CISOs Need to Interpret the China / Google Situation for Their Companies

January 21, 2010

There is a press firestorm over Google’s announcement that it and other organizations were attacked from within China, and that Google will stop censoring, even if it means it has to pull out of the country. This feels like an Information Security story, but is it? Does this change anything for CISOs, and if so, what?


The Increasing Maturity of Cloud Computing Security

January 4, 2010

We wrote a few weeks ago about a few good guides for thinking about security in the cloud. In that post we mentioned the Cloud Security Alliance. Now they have just released version 2.1 of their guide to security in the cloud.

The Guide is rather lengthy and still has areas in need of improvement, but it is a valuable document that makes great strides over the previous version and signals that as a field we are close to establishing a mature and systematic approach to cloud computing security.

The Guide includes an excellent overview of “the cloud”, clearly describing how to break it down into different service models and different deployment models. At this point it seems we are close to achieving one of the critical steps for cloud security maturity: a consistent and meaningful terminology and taxonomy of activities.

The Guide’s core is 13 domains (areas of focus) that must be attended to regarding cloud security. The list of domains itself is a useful high-level checklist, and the Guide includes for each domain both useful background information and points of security that need to be addressed.

If a criticism is to be made, it seems that each domain was written by a different set of contributors, and unfortunately it shows. The domains vary in style, content, and approach: some give specific security guidance, while others are written much more generally. The terminology and organization of the domains could also be improved. Hopefully the next version will build on the excellent start already made, streamlining the document into a concise set of high-level guidance supplemented with detailed, specific guidance in an appendix or companion document.

Quite a few IREC members helped contribute to the Guide, and we congratulate them on the way it is progressing.