Archive for the ‘Uncategorized’ category

Our First Anniversary

May 7, 2010

One year ago today we kicked off this blog. Since then we have had 52 posts and almost 10,000 page views.

Our most popular post over the first year was about Five Properties of Passwords that Must be Managed to Reduce Risk.

We celebrated our anniversary a little early last week by updating the blog’s header with the Corporate Executive Board’s new logo.

We would like to thank everyone who has visited the site and commented on our posts for helping make our first year of blogging a success.


“Computer/Network Security Consultant” is the 8th best job in America

March 11, 2010

See this infographic on

Disagreements welcome in the comments section!

Desktop Virtualization a tool for mitigating third party risk?

March 9, 2010

According to a recent report published by the Infrastructure Executive Council, a majority of the 100+ organizations surveyed plan to adopt desktop virtualization in the 2009-2010 time frame. Most members state that cost savings are the #1 driver, followed closely by security and mobility. What’s interesting is that over the long run security and mobility might become the bigger drivers for adoption, since some of the savings on hardware and software will be offset by increased costs in the data center.

As of now most members are using the technology for categories of workers with little need for desktop customization: offshore, contract, outsourced, and call center staff. Since these are also the populations that information risk teams worry about most from a data leakage perspective, this is a win-win for infrastructure and security teams alike. One caveat for the security team: a virtual desktop keeps the data in the data center only if the session is configured to block the obvious exits, so clipboard, local drive, USB and printer redirection should be disabled for these populations. We should see even more companies selecting this technology for targeted deployment in 2010.

Drivers of Desktop Virtualization

New Rules for Hiring Information Security Staff

February 12, 2010

Last week, I spent two days with a small group of Fortune 500 CISOs at IREC’s offices in Arlington, talking about 2010 investments. The conversation reflected a worry from CISOs that I’ve heard frequently in my travels over the past year: that the recession’s acceleration of business rate-of-change, combined with continued “innovation” from external threats, means CISOs are starting to fall short on the talent required to keep up with such changes.

Increasingly, the controls needed to achieve our key outcomes—information protection, compliance, and resiliency—are outside our direct purview. We spend most of our time negotiating with business and IT partners to implement the necessary controls, but since the CISO can’t be everywhere at once, we need security staff who can do the same thing: people who are skilled at influencing others to action.

Yet most of us still hire primarily for technical skills. Those skills are invaluable once you have secured executive buy-in to implement a given control, but technical staff tend to think in black and white, not in the shades of gray required to negotiate with and convince skeptical (and budget-constrained) business executives whose priorities lie elsewhere than information security.

Our study Boosting CISO Effectiveness (full study behind the IREC paywall) identified a number of highly effective techniques for hiring and training leadership-level security talent. Here are our top three tips:

Look to Non-Traditional Sources of Talent: the office of the COO, customer service…or what about marketing? (Sound crazy? CISOs often cite Marketing as the division most difficult to work with—how valuable would it be to have one of “them” working for us?) One CISO in Palo Alto said that his most effective people are ex-WebSphere developers: they have cross-platform (and cross-tower) technical knowledge, but also extensive experience liaising directly with business partners.

Prioritize Project Management Experience: this goes to whether a potential new hire can recognize when they are getting stuck in the weeds, or spending too much time “doing” the technical work themselves. Project management experience is a signal that the individual has worked with different stakeholders, and probing it in the interview lets you gauge their effectiveness at negotiation and communication. Unisys has a best-practice program (behind the IREC paywall) that highlights the key skills these people should have.

Own Staff Development Yourself: once you have hired people with the communication and business savvy you need, don’t neglect developing them. IREC collaborated with our good friends in the Learning & Development Roundtable on a program for leaders to develop other leaders (behind the IREC paywall) that you ought to have a look at. There is no substitute for leader-led development.

Bottom line: our environment has changed and continues to change, and the implication for information security is that we need, more than ever before, to “influence others to action.” If we don’t begin to augment our skill set now, we are liable to end up with a list of well-prioritized initiatives that we simply can’t execute.

The iPad’s Reminder: Weigh the Risk and Benefit of Consumer Technologies in the Enterprise

February 2, 2010

Apple’s announcement last week heralding the arrival of the iPad provides a distinct reminder of the challenges information risk organizations must address in the “consumerization” era of IT. With the line between corporate and personal technology rapidly disappearing, CISOs must find the delicate balance between supporting adoption of technologies that improve productivity and managing the accompanying downside risks.

CISOs Need to Interpret the China / Google Situation for Their Companies

January 21, 2010

There is a press firestorm over Google’s announcement that it and other organizations were attacked from within China, and that Google will stop censoring, even if it means it has to pull out of the country. This feels like an Information Security story, but is it? Does this change anything for CISOs, and if so, what?


Is risk management getting too ‘mechanized’?

October 8, 2009

I was at a recent meeting we hosted for leading South African CISOs in Johannesburg. We were discussing the pros and cons of risk quantification models when one of the participants said: “I worry that attempting to quantify risks is leading us to ignore sound judgment as a decision-making tool. We believe more in the number that the system spits out rather than the instinct and advice of individuals who understand the terrain and the business context.”

Quantifying information risk and producing a single number for a company’s residual risk level is widely treated as the holy grail of information risk management, an essential tool for systematizing the ever-changing world of information risks. This CISO was arguing for “a return of judgment” in risk decision-making.

Interestingly enough, the latest (October 2009) issue of the Harvard Business Review (login required) makes a similar argument in its ‘Spotlight on Risk’ issue. In an article titled “The Six Mistakes Executives Make in Risk Management”, the authors argue that
“Instead of trying to anticipate low-probability, high-impact events, we should reduce our vulnerability to them. Risk management, we believe, should be about lessening the impact of what we don’t understand – not a futile attempt to develop sophisticated techniques and stories that perpetuate our illusions of being able to understand and predict the social and economic environment.”

The fundamental questions that Information Risk professionals need to answer are:
– Where and how do quantification models help?
– How can we use them to supplement sound judgment (and not substitute for it)?
– How can we help our team members get a better understanding of the business context they operate in to help them make the right decisions?

At IREC, we have taken the view that CISOs get more from understanding their controls environment and plugging the obvious gaps in their controls portfolio than from investing time and effort in building out sophisticated risk models. In other words, the question becomes how we reduce our vulnerability to high-impact events by strengthening our controls.
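To make the concern concrete, here is a small range-based quantification model. It is an added illustration, not IREC’s model or any vendor’s tool, and every scenario, frequency, loss and control-effectiveness figure in it is constructed for the example. It computes the single “point” number a tool would report for annualized residual loss, alongside the low and high ends that the same judgment-derived inputs actually support, and then shows what the post recommends: raising the effectiveness of a control shrinks the worst-case bound directly, whatever the point estimate said.

```python
"""
Added illustration (not IREC's model): a minimal range-based risk quantification
that makes the "single number hides a range" concern visible.  Every input below
is a constructed, hypothetical estimate, not data from any company.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with deliberately wide, judgment-derived estimate ranges."""
    name: str
    freq_low: float               # events per year, optimistic estimate
    freq_high: float              # events per year, pessimistic estimate
    loss_low: float               # loss per event, optimistic estimate (currency units)
    loss_high: float              # loss per event, pessimistic estimate
    control_effectiveness: float  # fraction of events the existing control stops, 0..1

    def residual_fraction(self) -> float:
        """Share of events that get past the control; rejects nonsensical inputs."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return 1.0 - self.control_effectiveness


def annual_loss_bounds(s: Scenario) -> Tuple[float, float, float]:
    """Return (low, point, high) annualized loss after controls.

    'point' is what a tool usually reports: midpoint frequency times midpoint
    loss.  'low' and 'high' are the ends of the range the inputs actually
    support; the report typically omits them.
    """
    residual = s.residual_fraction()
    low = s.freq_low * s.loss_low * residual
    high = s.freq_high * s.loss_high * residual
    mid_freq = (s.freq_low + s.freq_high) / 2
    mid_loss = (s.loss_low + s.loss_high) / 2
    point = mid_freq * mid_loss * residual
    return low, point, high


def portfolio_summary(scenarios: List[Scenario]) -> Dict[str, float]:
    """Aggregate the portfolio and report how much range the single number hides."""
    low = point = high = 0.0
    for s in scenarios:
        lo, pt, hi = annual_loss_bounds(s)
        low += lo
        point += pt
        high += hi
    return {
        "low": low,
        "point": point,
        "high": high,
        # ratio between the pessimistic and optimistic readings of the same inputs
        "spread_ratio": high / low if low > 0 else float("inf"),
    }


def strengthen_control(s: Scenario, new_effectiveness: float) -> Scenario:
    """The post's preferred move: close a control gap rather than refine the estimate."""
    return Scenario(s.name, s.freq_low, s.freq_high,
                    s.loss_low, s.loss_high, new_effectiveness)


# Constructed sample scenarios (hypothetical numbers chosen for illustration only).
THIRD_PARTY_LEAKAGE = Scenario("Data leakage via contractor desktops",
                               freq_low=0.1, freq_high=2.0,
                               loss_low=50_000, loss_high=5_000_000,
                               control_effectiveness=0.5)
PHISHING_TAKEOVER = Scenario("Phishing-led account takeover",
                             freq_low=1.0, freq_high=10.0,
                             loss_low=10_000, loss_high=200_000,
                             control_effectiveness=0.7)
PORTFOLIO = [THIRD_PARTY_LEAKAGE, PHISHING_TAKEOVER]


def worked_example() -> Dict[str, float]:
    """Compare the reported number with its hidden range, before and after a control fix."""
    before = portfolio_summary(PORTFOLIO)
    # Hypothetical improvement: tighten the contractor-desktop control from 50% to 80%.
    improved = [strengthen_control(THIRD_PARTY_LEAKAGE, 0.8), PHISHING_TAKEOVER]
    after = portfolio_summary(improved)
    return {
        "point_before": before["point"],
        "high_before": before["high"],
        "spread_before": before["spread_ratio"],
        "high_after": after["high"],
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>13}: {value:,.0f}")
```

With these constructed inputs the portfolio’s reported point estimate is about 1.5 million, but the same inputs support anything from a few thousand to 5.6 million a year, a spread of three orders of magnitude that a single number never shows. Raising one control’s effectiveness from 50% to 80% cuts the worst case to 2.6 million without touching the model at all, which is the sense in which strengthening controls is a more reliable lever than refining the estimate.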

Some would say that this is only pragmatic, given that most companies don’t have good actuarial data on threats, loss events and the like. Others would consider it heretical that information risk professionals are calling into question the very need for risk quantification. What is your view?