Archive for February 2010

Information Risk Metrics — Necessary But Not Sufficient

February 15, 2010

IREC members overwhelmingly report that improving the information risk metrics program is at or near the top of their agenda for 2010.  Almost to an individual, CISOs tell us that the ROI calculation for their metrics program isn’t nearly what it should be.  Years of ongoing investment—staff time to collect and report metrics, expensive technologies to aggregate data feeds, etc.—have led to just a marginal improvement in tangible outcomes.

Organizations use metrics in the service of three major outcomes: 1) Communicate persuasively with executives; 2) Improve internal efficiency; and 3) Track the risk landscape.  In each case, good metrics are a necessary but not sufficient mechanism for solving the problem, and leading organizations are working to find the correct balance between metrics and other decision tools.


New Rules for Hiring Information Security Staff

February 12, 2010

Last week, I spent two days with a small group of Fortune 500 CISOs at IREC’s offices in Arlington, talking about 2010 investments. The conversation reflected a worry from CISOs that I’ve heard frequently in my travels over the past year: that the recession’s acceleration of business rate-of-change, combined with continued “innovation” from external threats, means CISOs are starting to fall short on the talent required to keep up with such changes.

Increasingly, the controls needed to achieve our key outcomes—information protection, compliance, and resiliency—are outside our direct purview.  We are spending most of our time negotiating with business and IT partners to implement necessary controls…but since the CISO can’t be everywhere at once, we desperately need security staff that can do the same thing.  We need people who are skilled at influencing others to action.

Yet most of us still hire primarily for technical skills—invaluable once you’ve secured executive buy-in to implement a given control, but technical staff tend to think in terms of black-and-white, not the shades of gray required to negotiate with and convince skeptical (and budget-constrained) business executives who have other priorities than information security.

In our seminal work on Boosting CISO Effectiveness (full study behind the IREC paywall), the analysis identified a number of highly effective techniques for hiring and training leadership-level security talent. Here are our Top Three tips:

Look to Non-Traditional Sources of Talent: office of the COO, customer service…or what about marketing? (Sound crazy?  CISOs often cite Marketing as the division most difficult to work with—how valuable would it be to have one of “them” working for us?).  One CISO out in Palo Alto said that his most effective people are ex-WebSphere developers.  They have cross-platform (and cross-tower) technical knowledge, but also extensive experience liaising directly with business partners.

Prioritize Project Management Experience: this goes to whether a potential new hire can recognize when they are getting stuck in the weeds, or spending too much time “doing” the technical work themselves.  Project management experience is a signal that the individual has worked with different stakeholders, and you can probe that experience to gauge their effectiveness at negotiation and communication.  Unisys (behind IREC paywall) has a best-practice program that highlights the key skills these people should have.

Own staff development yourself: Once you have hired the right people with the communication and business savvy you need, don’t neglect developing them: IREC collaborated with our good friends in the Learning & Development Roundtable to develop a program for leaders to develop other leaders (behind IREC paywall) that you ought to have a look at.  There is no substitute for leader-led development.

Bottom line: our environment has changed and continues to change, and the implication for Information Security is that, more than ever before, we need to “influence others to action.”  If we don’t begin to augment our skill-set now, we’re liable to end up with a list of well-prioritized initiatives that we simply can’t execute.

IT is changing... Again?

February 8, 2010

In the past few years IT organizations have seen multiple organizational transformations: some have centralized and others have decentralized. So when I heard a senior researcher talk about another transformative organizational change, I had the usual reaction of “yawn” followed by healthy skepticism. What got my attention though were the following three trends and potential implications for CISOs:

1) Business units will bypass IT to directly buy both devices and software. We have already seen examples of this in the social media space, where human resources used Facebook for recruiting and sales organizations bought 500 Salesforce licenses without having discussions with corporate IT and CISOs. This has major implications for CISOs, as they lose their traditional listening posts inside centralized IT and the ability to prevent risky technology and software from entering the corporate IT infrastructure.

Some CISOs already have lists of approved consumer devices, but they should also start including in that list SaaS-type applications that the business could realistically purchase. Assurance for these applications might involve conducting third-party assessments for “future third parties”. NAC may be another technology that CISOs would consider deploying further to ensure that only approved devices are connecting to the network.

Gamma’s Third Party Assessment Questionnaire
Teleconference on Network Access Control Implementation

2) Data will become more critical than business processes. Rather than providing automation, IT organizations will be tasked with providing information, and value will be added by linking multiple different sources, from legacy to unstructured, to help with critical business decisions. With data becoming easily accessible and combined in useful forms, there is always the danger that the same data could also be combined to reveal individual identity: for example, date of birth, zip code, and gender together can uniquely identify a person.

Risk assessments that currently focus only on applications, or even on business processes, will need to be updated to include data, and the scope of these assessments will need to drill down into contextual data loss risk. Updating data classification guides, and training end users on them, will also become more critical.
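As an added example (not from the original post), a Python check for the quasi-identifier risk described above: it counts how many records share each (date of birth, zip code, gender) combination in a constructed sample, flags combinations that map to exactly one person, and shows how generalizing those fields raises the minimum group size (the k in k-anonymity). The field names and sample records are assumptions made for this illustration.

```python
"""k-anonymity audit over quasi-identifiers (date of birth, zip, gender)."""
from collections import Counter

# Constructed sample: a "de-identified" extract with names removed but the
# three quasi-identifiers left intact alongside a sensitive attribute.
SAMPLE = [
    {"dob": "1975-03-14", "zip": "22201", "gender": "F", "diagnosis": "A"},
    {"dob": "1975-03-14", "zip": "22201", "gender": "F", "diagnosis": "B"},
    {"dob": "1982-11-02", "zip": "22202", "gender": "M", "diagnosis": "A"},
    {"dob": "1982-11-02", "zip": "22202", "gender": "M", "diagnosis": "C"},
    {"dob": "1982-05-19", "zip": "22203", "gender": "M", "diagnosis": "B"},
]

QUASI_IDS = ("dob", "zip", "gender")  # assumed column names


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def min_k(records, quasi_ids=QUASI_IDS):
    """Size of the smallest class: the largest k the data is k-anonymous for."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_ids=QUASI_IDS):
    """Quasi-identifier combinations that point at exactly one person."""
    classes = equivalence_classes(records, quasi_ids)
    return [key for key, n in classes.items() if n == 1]


def generalize(record):
    """Coarsen date of birth to birth year and zip code to its 3-digit prefix."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3]
    return out


def audit(records, k=2, quasi_ids=QUASI_IDS):
    """Return (meets_k_anonymity, singleton_keys) for a dataset."""
    return min_k(records, quasi_ids) >= k, singletons(records, quasi_ids)


if __name__ == "__main__":
    print("raw:", audit(SAMPLE))
    print("generalized:", audit([generalize(r) for r in SAMPLE]))
```

On the raw sample the third male record is unique on all three fields and would fail a k=2 audit; after generalization every combination is shared by at least two records.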

DuPont company’s data focused risk assessment

3) IT is embedded in a newly created business services organization. Rather than IT offering end-user computing, a new business services organization will be created consisting of corporate functions like Finance, HR, and IT that will offer a business service titled “New Employee Hiring”, which includes human resources (interviewing, hiring, orientation, background…), information technology (identity management, provisioning, laptop…), and Finance (payroll, bonus…). These are the units of service that the business will order, rather than the individual components. This calls for a high degree of integration of information security at both the IT level and the business level.

This trend, while causing angst around org structure and governance, may actually help CISOs by providing a cross-functional perspective on risk. The downside is that IT risks may not receive the same weight, and therefore the same resources, when compared with some of the other risks in the enterprise.

Top 10 Enterprise Risks

Shiny objects

February 4, 2010

We have said it before, and we’ll probably say it again, but Information Security groups would do far better to master the basics than to worry about each new threat and chase down every new technology that vendors bring along.

  • December 28 (The old risk of end-user carelessness is much bigger than all the risks pundits put on their predictions of risks for 2010)
  • November 5 (Focus on the nuts and bolts of access control, but don’t succumb to scope creep)
  • October 8 (Think about your activities as maintaining your key controls rather than the fool’s errand of quantifying risk)
  • June 10 (Ever-expanding security budgets that accommodate these new technologies may be outpacing residual risk)

A new report says the same thing.

The iPad’s Reminder: Weigh the Risk and Benefit of Consumer Technologies in the Enterprise

February 2, 2010

Apple’s announcement last week heralding the arrival of the iPad provides a distinct reminder of the challenges information risk organizations must address in the “consumerization” era of IT. With the line between corporate and personal technology rapidly disappearing, CISOs must find the delicate balance between supporting adoption of technologies that improve productivity and managing the accompanying downside risks.