Archive for the ‘Strategic Planning’ category

The Future of Corporate IT: Implications for Information Risk, Part 1

May 18, 2010

Two weeks ago we shared with you findings from the broader IT practice research effort about five trends that will reshape corporate IT functions in the next five years. In the next few posts we want to discuss with you the risk and security implications arising from those trends. Here we tackle the first of the trends postulated by The Future of Corporate IT.



The Future of Corporate IT: 5 Radical Shifts in IT Value, Ownership and Role

May 4, 2010

We here at IREC are part of the IT Practice of the Corporate Executive Board. The IT Practice has just released what is probably the most important research we have done in years: The Future of Corporate IT.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. We find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive relocation of IT do-ers.


Should an Information Risk Manager Manage “Risk?”

March 7, 2010

Great Minds Think Alike

This post will summarize a provocative presentation at the RSA conference on Tuesday by long-time security practitioner Donn Parker, and detail a similar approach that IREC has been recommending which we call Controls Maturity Assessment (CMA). We have previously referenced our CMA work in this blog, especially in this post. What is provocative about these approaches is that they both suggest making risk assessment a secondary consideration in your information protection strategy.

IT is changing... Again?

February 8, 2010

In the past few years IT organizations have seen multiple organizational transformations: some have centralized and others have decentralized. So when I heard a senior researcher talk about yet another transformative organizational change, I had the usual reaction of “yawn” followed by healthy skepticism. What got my attention, though, were the following three trends and their potential implications for CISOs:

1) Business units will bypass IT to directly buy both devices and software. We have already seen examples of this in the social media space, where human resources used Facebook for recruiting and a sales organization bought 500 Salesforce licenses without any discussion with corporate IT or the CISO. This has major implications for CISOs: they lose their traditional listening posts inside centralized IT, and with them the ability to prevent risky technology and software from entering the corporate IT infrastructure.

Some CISOs already maintain lists of approved consumer devices; they should also start adding to that list the SaaS applications that the business could realistically purchase on its own. Assurance for these applications might involve conducting third-party assessments for “future third parties”, that is, vendors the business has not yet engaged but plausibly will. NAC may be another technology that CISOs consider deploying more widely, to ensure that only approved devices connect to the network.

Gamma’s Third Party Assessment Questionnaire
Teleconference on Network Access Control Implementation

2) Data will become more critical than business processes. Rather than providing automation, IT organizations will be tasked with providing information; value will be added by linking multiple sources, from legacy systems to unstructured data, to support critical business decisions. With data becoming easy to access and combine into useful forms, there is always the danger that the same data can be combined to reveal individual identity: date of birth, ZIP code, and gender together are enough to uniquely identify most individuals, even when names have been removed.

Risk assessments that currently focus only on applications, or even on business processes, will need to be updated to cover data, and their scope will need to drill into contextual data loss risk: what a given data set reveals once it is combined with other data the recipient may already hold. Updating data classification guides, and training end users on them, will also become more critical.
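The uniqueness risk described in trend 2 can be checked mechanically rather than argued about. The following is an added example written for this page; it is not code from the original post or from IREC, and both data sets are constructed (a “de-identified” benefits extract that still carries a diagnosis, and a public list that carries names). It counts how many records share each (date of birth, ZIP code, gender) tuple, joins the two sets on exactly those fields, and then applies one illustrative mitigation, coarsening the fields, to show the effect on the count:

```python
from collections import Counter, defaultdict

# Quasi-identifiers: fields that are not names, but whose combination is
# rare enough to single out one person.
QUASI_IDS = ("dob", "zip", "sex")

# Constructed sample data (not from the original post).  BENEFITS stands in
# for a "de-identified" internal extract that still carries a sensitive
# attribute; VOTERS stands in for a public list that carries names.
BENEFITS = [
    {"id": 1, "dob": "1975-03-02", "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"id": 2, "dob": "1975-03-02", "zip": "02139", "sex": "M", "diagnosis": "diabetes"},
    {"id": 3, "dob": "1975-11-20", "zip": "02139", "sex": "F", "diagnosis": "hypertension"},
    {"id": 4, "dob": "1982-07-09", "zip": "02142", "sex": "M", "diagnosis": "none"},
    {"id": 5, "dob": "1982-07-09", "zip": "02142", "sex": "M", "diagnosis": "migraine"},
    {"id": 6, "dob": "1982-01-15", "zip": "02144", "sex": "M", "diagnosis": "none"},
    {"id": 7, "dob": "1975-08-30", "zip": "02140", "sex": "M", "diagnosis": "none"},
]
VOTERS = [
    {"name": "Alice Example", "dob": "1975-03-02", "zip": "02139", "sex": "F"},
    {"name": "Bob Example", "dob": "1982-07-09", "zip": "02142", "sex": "M"},
    {"name": "Carol Example", "dob": "1990-05-05", "zip": "02139", "sex": "F"},
    {"name": "Dan Example", "dob": "1975-11-20", "zip": "02139", "sex": "F"},
]


def qid_key(rec, fields=QUASI_IDS):
    """The tuple of quasi-identifier values that a linkage attack joins on."""
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI_IDS):
    """Smallest number of records sharing one quasi-identifier tuple.
    k == 1 means at least one person is unique in the data."""
    return min(Counter(qid_key(r, fields) for r in records).values())


def singletons(records, fields=QUASI_IDS):
    """Records whose quasi-identifier tuple occurs once: the re-identifiable ones."""
    counts = Counter(qid_key(r, fields) for r in records)
    return [r for r in records if counts[qid_key(r, fields)] == 1]


def reidentify(sensitive, public, fields=QUASI_IDS):
    """Join the two data sets on the quasi-identifiers.  A person is
    re-identified when the tuple is unique on both sides, so that a name
    and a sensitive attribute pair up unambiguously."""
    by_key = defaultdict(list)
    for rec in sensitive:
        by_key[qid_key(rec, fields)].append(rec)
    public_counts = Counter(qid_key(p, fields) for p in public)
    hits = []
    for person in public:
        key = qid_key(person, fields)
        if public_counts[key] == 1 and len(by_key.get(key, [])) == 1:
            hits.append((person["name"], by_key[key][0]["diagnosis"]))
    return hits


def generalize(rec):
    """Illustrative mitigation (an assumption of this example, not a page
    recommendation): keep only year of birth and the 3-digit ZIP prefix so
    that more people share each tuple."""
    coarse = dict(rec)
    coarse["dob"] = rec["dob"][:4]
    coarse["zip"] = rec["zip"][:3]
    return coarse


if __name__ == "__main__":
    print("k on raw extract:", k_anonymity(BENEFITS))
    print("unique records:", [r["id"] for r in singletons(BENEFITS)])
    print("re-identified:", reidentify(BENEFITS, VOTERS))
    coarse_b = [generalize(r) for r in BENEFITS]
    coarse_v = [generalize(v) for v in VOTERS]
    print("k after generalization:", k_anonymity(coarse_b))
    print("re-identified after generalization:", reidentify(coarse_b, coarse_v))
```

On the sample, the raw extract has k = 1 with five singleton records, and the join names two people together with their diagnoses even though the extract contains no names; after coarsening, k rises to 2 and the join returns nothing. The practical check for a data-focused risk assessment is the k value of an extract over whatever fields a plausible recipient can also obtain, not whether the name column was dropped.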

DuPont company’s data focused risk assessment

3) IT is embedded in a newly created business services organization. Rather than IT offering end-user computing on its own, a new business services organization will be created from corporate functions such as Finance, HR, and IT. It will offer business services such as “New Employee Hiring”, which bundles human resources (interviewing, hiring, orientation, background checks...), information technology (identity management, provisioning, laptop...), and Finance (payroll, bonus...). These are the units of service the business will order, rather than the individual components. This calls for a high degree of integration of information security at both the IT level and the business level.

This trend, while causing angst around org structure and governance, may actually help CISOs by providing a cross-functional perspective on risk. The downside is that IT risks may not receive the same weight, and therefore the same resources, as some of the other risks in the enterprise.

Top 10 Enterprise Risks

One More Prediction for 2010, But Are We Going to Heed It?

December 28, 2009

In our last post we gathered together the pundits’ predictions for 2010, but perhaps predictably (sorry), they seem to focus more on surprise and novelty than on actual risk-based prediction. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Even worse, those who do know what that risk is are not acting strongly enough to manage it.

Top 10 List of Top 10 Lists

December 17, 2009

It is that time of year when everyone likes to make their predictions for next year.  IREC just released our own list (see the previous post).  We thought it would be fun to round up the security-related prediction lists we could find (many are not actually “top 10” but some other number).  By gathering them in one place, we can compare and contrast them to see how much agreement there is (not much).  Also, it will make it easy to come back in 12 months and see who was the most accurate!

  1. IBM and Sophos
  2. Websense
  3. Symantec
  4. Zscaler
  5. Symantec (again)
  6. IBM (again)
  7. Lee Clemmer
  8. Fortinet
  9. Mark Weatherford, CISO, State of California
  10. Dan Kaminsky (same article as above)

Edited to add 11 and 12: Howard Schmidt, former eBay CISO and vice chairman of the President’s Critical Infrastructure Protection Board, and the folks from ICSA Labs.

A few trends that showed up on several lists:

  • Increasing use of social media sites as an attack vector
  • Cyber criminals increasingly use “the cloud” as a resource (use it legitimately, not an attack vector)
  • MacOS-targeted malware increases, resulting in a stronger security stance at Apple
  • The cloud will be a big security risk. Or it will make things better.  Or something.

Edited to add a new common trend: Windows 7 will contain security flaws.

I don’t think it’s a knock on Microsoft to say that predicting that software as complex and multifaceted as Windows 7 will have security flaws is about as useful as predicting that the sun will come up tomorrow.

Edited to add 13: another 10 from Verizon Business’ Security Blog. Two of their predictions are in direct opposition to the trends we pulled from the other lists. They believe Win7 will be surprisingly robust, and that Macs will not be a special target of attacks.


10 Information Risk Imperatives for 2010

December 15, 2009

The  2010 information risk landscape will be defined by continued uncertainty in the broader business environment and the ongoing evolution of enterprise boundaries.  Organizations that effectively manage the downside risks to information in this environment will be well positioned to take advantage of the new opportunities that such an environment brings.

IREC has just published our 10 imperatives for 2010 that CISOs should consider in advance of the new year.  In particular, CISOs should be prepared for structural changes on four fronts:

  1. IT Architecture – More widespread adoption of cloud computing technologies will mean that IT infrastructure and data increasingly reside outside of traditional enterprise boundaries, beyond the direct control of the IT and Information Risk teams.
  2. IT Innovation – The ease of adoption associated with social media technologies, Windows 7 (which most organizations will be using by 2011), and other user-developed applications platforms means that business users, not IT, will be driving some of the most visible and potentially risky changes in IT.
  3. Risk Ownership – New regulations on the horizon and a board-level focus on cross-functional partnerships dedicated to risk management means CISOs will be called upon to share risk ownership with an increasing number of partners.
  4. Geographic Diversification – With limited growth forecast for OECD economies in 2010, many enterprises will be shifting emphasis into higher-growth but less familiar emerging markets, potentially requiring additional risk assessment and bespoke mitigation solutions.

After the jump, I’ve included the full list.  If your company’s not a member of the Council but you’re interested in more details, shoot me an e-mail at gyoung (at) executiveboard (dot) com.

What trends did we leave out?  What trends are most important to you?