The Future of Corporate IT: Implications for Information Risk, Part 1

Posted May 18, 2010 by Jeremy Bergsman
Categories: Information Risk Governance, Strategic Planning, The Future of IT, Third-party risk

Two weeks ago we shared with you findings from the broader IT Practice research effort about five trends that will reshape corporate IT functions in the next five years. In the next few posts we want to discuss with you the risk and security implications arising from those trends. Here we tackle the first of the three trends postulated by The Future of Corporate IT.



Our First Anniversary

Posted May 7, 2010 by IREC
Categories: Uncategorized

One year ago today we kicked off this blog. Since then we have had 52 posts and almost 10,000 page views.

Our most popular post over the first year was about Five Properties of Passwords that Must be Managed to Reduce Risk.

We celebrated our anniversary a little early last week by updating the blog’s header with the Corporate Executive Board’s new logo.

We would like to thank everyone who has visited the site and commented on our posts for helping make our first year of blogging a success.

The Future of Corporate IT: 5 Radical Shifts in IT Value, Ownership and Role

Posted May 4, 2010 by Jeremy Bergsman
Categories: Cloud Computing, Information Risk Governance, Risk Management, Strategic Planning, The Future of IT, Web 2.0 / Collaboration tools

We here at IREC are part of the IT Practice of the Corporate Executive Board. The IT Practice has just released what is probably the most important research we have done in years: The Future of Corporate IT.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. As a result, we find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive translocation of IT do-ers.


Avoid the 2 common mistakes when formalizing information risk governance

Posted April 9, 2010 by Jeremy Bergsman
Categories: Information Risk Governance

Governance of information risks is usually pretty informal. The Information Risk function has to do most of the work identifying risks and trying to get others to “do the right thing”, whether that be to not click on links in random emails, to code applications securely, or to conduct thorough due diligence before business process outsourcing.

For obvious reasons, we would like this governance to be more formal. If everybody knew when risk decisions needed to be made, and who should make them, fewer things would slip through the cracks and the security function wouldn’t have to do so much of the work!

However, we believe that many organizations that try to formalize information risk governance go about it the wrong way.

Checklists will not increase your Cloud Computing Security

Posted April 6, 2010 by Parijat Jauhari
Categories: Cloud Computing, Third-party risk

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion among a few IREC members has produced a framework for a different approach. One of the members on the panel has decided to drop the checklist approach to reviewing cloud vendors entirely. He believes that the traditional approach of sending ISO 27001- or NIST-based questionnaires does not work well with cloud vendors, for three reasons. First, most vendors at this time are too new to have a security assessment process mature enough to respond to ISO- or NIST-based assessments. Second, vendors are hesitant to put on paper any information that could leak and reduce their competitive edge in this rapidly growing market. Third, the way information is stored in the cloud can make traditional assessment unfeasible: Google, for example, can fragment and replicate your information across 200 different locations in multiple countries, which makes traditional location-based assessment impractical (while, he argued, also making breached information harder for attackers to use meaningfully).

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should the CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first-mover companies have connected their security team with the vendor’s security team and found that a conversation allayed most of their fears. Second, the members argued that most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business; one breach and their business is over because hackers will get every company’s data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract, so that if a breach does happen and everyone is suing the cloud vendor, the insurance can compensate your company.

Obviously these recommendations are most relevant to security teams that have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors mature they will obtain ISO or NIST-based certifications that can be used in assessments, and will also develop better processes for responding to third-party assessment requests.

2010 Information Security Outlook

“Computer/Network Security Consultant” is the 8th best job in America

Posted March 11, 2010 by Jeremy Bergsman
Categories: Uncategorized

See this infographic on

Disagreements welcome in the comments section!

Desktop Virtualization a tool for mitigating third party risk?

Posted March 9, 2010 by Parijat Jauhari
Categories: Risk Management, Third-party risk, Uncategorized

According to a recent report published by the Infrastructure Executive Council, a majority of the 100+ organizations surveyed plan to adopt desktop virtualization in the 2009-2010 time frame. Most members state that cost savings are the #1 driver, followed closely by security and mobility. What’s interesting is that over the long run security and mobility might become the bigger drivers for adoption, since some of the savings on hardware and software will be offset by increased costs in the data center.

As of now most members are using the technology for categories of workers with little need for desktop customization: offshore, contract, outsourced, and call center staff. Since this is also the group that information risk cares most about from a data leakage perspective, this is a win-win for both infrastructure and security teams. We should see even more companies selecting this technology for targeted deployments in 2010.

Drivers of Desktop Virtualization