Category Archives: information security

Information Security executives … is responsibility being abdicated?

Is “it is your decision not ours” statement and philosophy a cop-out within the Information Security sphere?

This is a common refrain and frustration I hear across the world of information security and information technology.  Is this true?  Is it the result of personality types that are attracted to these roles?  Is it operational and reporting structure?

In Audit it is required for independence and given visibility. Does not the business (the CIO) and the subject expertise (CISO) not have that visibility possess a requirement of due care to MAKE it work?

The perfect analogy is the legal department – they NEVER give in and walk away with a mumble, they present their case until all the facts are known and a mutual understanding is reached. Balance happens but it happens with understanding.

This point is so important to me, that it warranted a specific sharing of the thought.  I hope we can reframe our approach, and to follow a presentation off TED – focus on the WHY.  (need to find link…sorry)   These individuals in these roles provide the backbone and customer facing layer of EVERY business.

Thoughts and realizations made from stumbling around our community and today during RSA resulting from the presentations with underlying tones.

Always seek,

James DeLuccia

My RSA Conference Notes and perspective – Tuesday AM 2013

Today kicked off, for me, the RSA conference. The best part of these types of events is the onslaught of ideas shared between peers – generally through networking and random encounters in hallways (such as bumping into Bill Brenner). Thanks first off to RSA for creating the forum for these discussions to occur.

I have the privilege of speaking tomorrow, and look forward to the debate and flow of ideas that will ensue.
While reviewing some of the research provided to attendees, I had the following observations, and wanted to share them in entirety for debate and expansion:

Vendor management by procurement SHOULD include data plus asset chain of custody, and #infosec assurance to YOUR standards#RSAC

So basically – costs per breach are up; # attacks higher; 6 more days to resolve, & the same forms of attack #rsachttp://lockerz.com/s/285234702

Aren’t costs per breach up in 2012 to $8.9 million the result of our greater leverage of information technology & resulting value!

Most botnet, malware, & C&C operators manage MORE devices; across WIDER geographies, & generate a positive ROI. How is your information security?

#rsac Art’s presentation was good. Agree with Taleb perspective, but it must applied at Org to match robustness #infosec

Art Coviello gave an impassioned presentation that I thought was very good for a keynote at that level. Typically there is a risk of sales (which did occur at the end, of course) material, but a couple good analogies and mental positioning. I thought his analogy to Nassim Taleb’s AntiFragile was on point (and funny since I am 1/3 through it, so very fresh in the mind) for the security operations against the cyber threats. I would expand it though to include the business process and information security compliance program. I have found that the block and tackle of information security itself needs to be robust and antifragile. The lacking of these elements forfeits the benefits of the threat intelligence he describes.

This is especially poignant to me given the relative lack of volatility in the type of attacks that succeed against organizations, and their ongoing effectiveness in breaching our company defenses.

If you are looking to enjoy the keynotes (I would recommend at least Art and Scott Charney) live or on-demand here.

RSA thoughts and sessions .. to be continued ..

Best,

James DeLuccia

Top 3 attributes for businesses to benefit from Data Analytics – an Information Security & Business process perspective

Screen Shot 2013-01-30 at 4.08.18 PMBig Data introduces an opportunity that organizations see when merging silo product operations together forming a service layer or an enhanced hybrid product. Big Data also requires exceptional enterprise intelligence from the perspective of establishing the scaffolding for enterprise grwoth. That scaffolding requires advanced information technology system and business process matrix visibility.  My thesis … let me elaborate below on a single thread here given this is a subject I have been developing on recently…

In order for Big Data to work it requires abundant access to systems, data repositories, and the merging and tweaking of data beyond original data owner expectations or comprehension. The enterprise that balances the advantage of Big Data analytics with superior scaffolding will appreciate higher run rates and profitability without unfunded cost centers and above trend OpEx generally. The opportunity of Big Data without this business intelligence will be squandered and the benefits not realized as a direct result.

The CIO has this ownership and it is the purview of the Audit Committee to ensure that these risks are understood and tackled. The Board of Directors have proven to value equally the aggressiveness of Data Analytics with the ongoing revaluation of the risk tolerance and acceptance points of the business. As one can imagine, this is a familiar yet distinct activity within the executive structure, but three key attributes / activities that indicate a successful approach are as follows:

  1. Vertical awareness - product awareness, strategy, and full line of sight for each major revenue center
  2. Scrum topical teams – risk assessments and activities linked to the product market research initiatives
  3. Senior strategy alignment – what does the Board seek in this DA movement; What does the CEO/CIO envision on these product expansions; What is the audit committee observations (meaning that they must have visibility and mindfulness to the impact)

Think Big Data is not huge business? … consider these figures:

  • Gartner: Big Data Market is Worth $3.7 Trillion, Generating Over 4 Million Jobs by 2015 – article
  • Good short presentation on value of pattern based strategies, by Gartner
  • $29B will be spent on big data throughout 2012 by IT departments.  Of this figure (Forbes)

Or a classic business case example:

“The cornerstone of his [Sam Walton’s] company’s success ultimately lay in selling goods at the lowest possible price, something he was able to do by pushing aside the middlemen and directly haggling with manufacturers to bring costs down. The idea to “buy it low, stack it high, and sell it cheap” became a sustainable business model largely because Walton, at the behest of David Glass, his eventual successor, heavily invested in software that could track consumer behavior in real time from the bar codes read at Wal-Mart’s checkout counters.

“He shared the real-time data with suppliers to create partnerships that allowed Wal-Mart to exert significant pressure on manufacturers to improve their productivity and become ever more efficient. As Wal-Mart’s influence grew, so did its power to nearly dictate the price, volume, delivery, packaging, and quality of many of its suppliers’ products. The upshot: Walton flipped the supplier-retailer relationship upside down.”Changing The Industry Balance of Power

A good (no paywall) article on Forbes here breaks down the IT spent related directly to Big Data and compares against prior years up to 2012 & by industry.  

Also check out this MIT Sloan article co-developed with IBM entitled Big Data, Analytics and the path from Insight to Value  – most interesting for me was page 23 relating to Analytics trumping intuition.  This relates to EVERY business process, product, sales opportunity, accounting, fraud detection, compliance initiative, security analytics, defense and response capabilities, power management, etc …  A worthwhile read for each executive.

Think strategically act vertically and influence horizontally – scale!

James DeLuccia IV

*See me speak at RSA 2013 on the topic – Passwords are Dead

Managing information Security in an ever changing environment

Can a network be defended and secured?  Of course, observe the red team / blue team activities that are executed by businesses, governments, and at conferences.  There is one catch, these do not reflect reality.  Businesses are living networks and under constant change either directly encouraged or indirectly effected by the windows of the market and universe as a whole.

A fine quote that brought this to bear for me was published in an NSA publication stating: “One simply must realize that while the search for the right foundations proceeds, construction will continue.” where the article describes how the Duomo in Florence was built without an understanding of how to build the planned dome at the top.  That is akin to information security today – the challenge and task of information security is to build and execute a security program that reflects that the business is in constant development, and we will not always “know” what is effective for where we are going.  Think Mobile and Cloud security as the current sources of concern and challenge.

The takeaway is to recognize that the standards organizations build their security programs upon (ISO 27001, NIST) and are regulated / audited against (PCI DSS, NERC/FERC) are in themselves in a constant state of change.  This is only matched by the dynamics of the changing foundations of what information security is protecting (mobile, cloud, etc..) and the market demands placed on the organization.  Being still is not the answer, but instead iterating rapidly with a conscious focus on the strategy of the organization with an enabling security program will enhance the longevity of the organization and the relative effectiveness of the security compliance program itself.

NSA Article referenced:  “Cybersecurity: From engineering to science” by Carl Landwehr

Other thoughts?

James DeLuccia IV

Elevating your Vendor / Supply Chain risk assessment

This past few weeks I have been working with a few clients and researchers on the vendor side / supply chain risk of business operations.  The common place activities of course exist, and include at least:

  1. Weighing the criticality of each vendor (to refer to supply chain too moving forward) to operational state of the business
  2. Weighing aspects of regulatory and contractual mandates of said vendor
  3. Weighing classic #infosec considerations – C.I.A. ++
  4. Establishing a tiered system of vendor management practices based upon data, system access, and of course points 1 & 2 above.
  5. Executing and evaluating these vendors through an actual evaluation of their operations (appropriate scope applied) to ensure that security and operational activities are in place for YOUR business dependent assets — this is key here: a powerpoint presentation is not satisfactory, period.  It does not matter who the vendor is – big, small, big brand, or otherwise…  the vendor assessment is not satisfied with this type of response, and should be considered a fail and raised to management to consider next steps.)
  6. Tight integration with legal, procurement, and risk management to ensure that (garbage in and garbage out) good vendors are added, and that actions can be taken balancing the strategic need of the business properly.
  7. Severe relationships with vendors that do not meet the requirements of your business

Now the above doesn’t mean establish a static assessment approach with a litany of questions pulled from the internet, but instead should be a thoughtful key set of controls that the vendor MUST address and maintain over the course of the relationship.

Generally, the above are quite standard and commonplace..  What recently has been interesting to me is (pardon the use of an industry phrase) the use of ‘out-of-band’ signals regarding vendor and supply chain risk.  I shared two of these thoughts online today on twitter:

  • How often does your risk assessment & vendor mgmt program factor in supply chain risk? Low hanging fruit: Monitor their breaches
  • Who follows the 10-k filings of key businesses that are suppliers and peers at the CSO / CRO / CISO level?  These are key inputs into where vendors are setting their priorities, and any red flags (infosec issues; operational concerns; financial challenges)

It is imperative today to KNOW what vendors (supply chain) participate in your organization, and extend the vendor program to bring these into consideration.

There are many other areas to consider, and I would love to hear others ideas .. here or @jdeluccia

Cheers,

James DeLuccia