Tag Archives: 2013

Top 3 attributes for businesses to benefit from Data Analytics – an Information Security & Business process perspective

Screen Shot 2013-01-30 at 4.08.18 PMBig Data introduces an opportunity that organizations see when merging silo product operations together forming a service layer or an enhanced hybrid product. Big Data also requires exceptional enterprise intelligence from the perspective of establishing the scaffolding for enterprise grwoth. That scaffolding requires advanced information technology system and business process matrix visibility.  My thesis … let me elaborate below on a single thread here given this is a subject I have been developing on recently…

In order for Big Data to work it requires abundant access to systems, data repositories, and the merging and tweaking of data beyond original data owner expectations or comprehension. The enterprise that balances the advantage of Big Data analytics with superior scaffolding will appreciate higher run rates and profitability without unfunded cost centers and above trend OpEx generally. The opportunity of Big Data without this business intelligence will be squandered and the benefits not realized as a direct result.

The CIO has this ownership and it is the purview of the Audit Committee to ensure that these risks are understood and tackled. The Board of Directors have proven to value equally the aggressiveness of Data Analytics with the ongoing revaluation of the risk tolerance and acceptance points of the business. As one can imagine, this is a familiar yet distinct activity within the executive structure, but three key attributes / activities that indicate a successful approach are as follows:

  1. Vertical awareness – product awareness, strategy, and full line of sight for each major revenue center
  2. Scrum topical teams – risk assessments and activities linked to the product market research initiatives
  3. Senior strategy alignment – what does the Board seek in this DA movement; What does the CEO/CIO envision on these product expansions; What is the audit committee observations (meaning that they must have visibility and mindfulness to the impact)

Think Big Data is not huge business? … consider these figures:

  • Gartner: Big Data Market is Worth $3.7 Trillion, Generating Over 4 Million Jobs by 2015 – article
  • Good short presentation on value of pattern based strategies, by Gartner
  • $29B will be spent on big data throughout 2012 by IT departments.  Of this figure (Forbes)

Or a classic business case example:

“The cornerstone of his [Sam Walton’s] company’s success ultimately lay in selling goods at the lowest possible price, something he was able to do by pushing aside the middlemen and directly haggling with manufacturers to bring costs down. The idea to “buy it low, stack it high, and sell it cheap” became a sustainable business model largely because Walton, at the behest of David Glass, his eventual successor, heavily invested in software that could track consumer behavior in real time from the bar codes read at Wal-Mart’s checkout counters.

“He shared the real-time data with suppliers to create partnerships that allowed Wal-Mart to exert significant pressure on manufacturers to improve their productivity and become ever more efficient. As Wal-Mart’s influence grew, so did its power to nearly dictate the price, volume, delivery, packaging, and quality of many of its suppliers’ products. The upshot: Walton flipped the supplier-retailer relationship upside down.”Changing The Industry Balance of Power

A good (no paywall) article on Forbes here breaks down the IT spent related directly to Big Data and compares against prior years up to 2012 & by industry.  

Also check out this MIT Sloan article co-developed with IBM entitled Big Data, Analytics and the path from Insight to Value  – most interesting for me was page 23 relating to Analytics trumping intuition.  This relates to EVERY business process, product, sales opportunity, accounting, fraud detection, compliance initiative, security analytics, defense and response capabilities, power management, etc …  A worthwhile read for each executive.

Think strategically act vertically and influence horizontally – scale!

James DeLuccia IV

*See me speak at RSA 2013 on the topic – Passwords are Dead

A call to reflect on your Risk Management & Security Program: UPnP vulnerabilities identified by Rapid7

The Rapid7 folks ran scans for 5+ months searching for and finding systems vulnerable to 3 different types of vulnerabilities that relate to UPnP.  The sheer volume, accessibility, diversity of vendor, and age of some of these systems is most interesting from an operational business standpoint.  First a few statistics from the report:

  • 23 million IPs are vulnerable to remote code execution through a single UDP packet
  • At least 6,900 product versions vulnerable through UPnP.
  • List encompasses over 1,500 vendors
  • 1 UDP packet can exploit any one of 8 vulnerabilities to libupnp
  • Some vulnerabilities were 2+ years old, yet 300+ products still are using insecure version 

A great write-up is available here by Darlene at ComputerWorld (chock full of links to additional facts & CERT) and of course all comments and feedback should be directed to HD Moore’s blog.  The report was worth the read, and while the technical details are important, I would challenge the executives reading this paper to consider operationally how they would seek to manage the vulnerable systems in their organizations and how their internal processes are designed to ensure such similar technical (symptoms) vulnerabilities across different types of products do no recur.  Or at least, devising a methodology to mitigate the risk to technology such as this that cannot be patched (vendor is gone; management tools non-existent, etc…) or addressed directly on the same system.

As our business processes further rely on network connected devices, the age and velocity of the industry is a risk that we must manage.  Acquisitions, businesses going under, kickstarters coming & going, and simply protocols losing support in the dev environments ALL are mitigated by governance and risk assessment methodologies.

  • How is your strategic program designed; is it effective to these shifts in business; how can it be enhanced?
  • How is the partnership with procurement, M&A, and business relations teams?   >> Consider the inputs as well as enhancing your program.

Thanks to Rapid7 for the research and raising this broader risk.

James DeLuccia

*See me at RSA 2013 speaking on – Passwords are Dead

Latest report shows top attacking companies, 60x increases in attack intensity..

Latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet  infrastructure companies that includes additional data sources.  Akamai published their quarterly report today (January 23, 2013) and I am nearly through it … a few striking details that shift how I will recommend clients to identify; consider; and mitigate risks.  The top two items that are significant (one obvious) and important include:

  • China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (Not a huge surprise but an affirmation for many)
  • The amount of attack traffic that was seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic that it had seen before for similar activist-related attacks (The volume, intensity, and strategy of the attacks is important as most do not consider a SIXTY TIMES in factor in risk mitigation calculations)

About the Akamai State of the Internet report 
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet

You can request access to (registration) the report here, and the individual images from the report available here.  There is also a great set of write-ups coming out here and here.

Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization’s business processes.  Leadership and strategy shifts required to tackle these evolutions remains an executive responsibility.

Best,

James DeLuccia IV

*See me speak at RSA 2013 in February on – The Death of Passwords

Social Media guidance from FFIEC and governed agencies .. up for comments!

The FFIEC released today (January 22, 2013) the “Social Media:  Consumer Compliance Risk Management Guidance” and is available here online.  The release is seeking comments and is a great opportunity to see where enforcement agencies are leaning; what are the concerns they are seeing on a macro scale, and their intended path to mitigating these unique areas.

“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.

According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference

Considering the velocity of the risks in this area and the lagging of legislation, it is fair to say that those even OUTSIDE the purview of the FFIEC, should strongly consider these as inputs to their compliance and security programs.

“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:

  1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”

Participate in the comments and invoking of these guidances here.

The guidance itself is again available here. (pdf)

Best,

James DeLuccia

*See me speak at the RSA 2013 Conference – Passwords are Dead (I’ll also be posting research elements on this site for the communities input)

Implications of BYOD .. cultural implications & Chief Executive considerations

BYOD ..

What is it?  Commonly referred to as Bring Your Own Device, it refers to the unstoppable trend of end-users within enterprises utilizing consumer devices in the word place.  This is a simplification, but captures the essence of how board of directors are using iPads, and how Facebook became a permitted service inside organizations.  (the Facebook example is a poor one, as that is an Application .. but that will be raised in a future discussion).

The challenge to enterprises is how to enable these end-users with these technologies?  How to gain efficiencies and advantage?  How to allow end-users to be happy with their ability to self select their devices.  As ultimately, the end-users within corporations are quite happy with their iPhones and such devices .. it is only the need of corporate IT to streamline the integration.

Here is where things become interesting …

BYOD in most regions of the world refers to “Bring” your own device, while in certain regions it refers to “Buy” your own device.  Ownership of the device is quite important legally, upon how someone uses that device, and what controls are generally accepted.

In the United States for instance – end-users Bring and Buy their own devices, generally.  This means that Corporate IT must wrestle with ownership, MDM, and a diverse device / OS ecosystem.  Such challenges center on the ability to fully wipe a device in case of a policy violation.  The capability to fully monitor and restrict via policy the permitted applications.  In addition simply utilizing the full breadth of technology on the device – i.e., conjoining GPS proximity technology with multifactor authentication to increase the confidence of user credentials when within corporate offices (a general uneasy concept with personal devices, but something magically simple when the whole device is owned and part of the operations and security ecosystem).

In other regions, such as in Europe, the devices are purchased by the business and provided to the end-users.

So is it really “BYOD” or not, for intents and purposes the end-user drive; the customization applied to these devices; the personalization, and such are all identical to that of the U.S. BYOD.  The difference is in HOW the user interfaces with the device and WHAT can be done to safeguard the device.

  • How is your organization managing these cross cultural perspectives?
  • How have you considered the cost and operational expenses of each BYOD?
  • What are the implications for security, compliance, and long term competitiveness (as it is ultimately being competitive that ensures that security and compliance will continue to matter)

Business operations, electing and incorporating mobile / BYOD technology is obviously a decision that has been made by most organizations.  Either by the rebelling user base, or through sanctioned programs.  The next field of play is to focus on the cultural aspects and embrace a forward looking vision at the emerging legislation related to such protections & expectations of consumers.

Culture eats strategy for lunch … so BYOD, please meet Culture.

Best,

James DeLuccia IV

Level setting your compliance security program

What is a good security compliance program? How do you measure the performance? How do you communicate and work with the senior leadership of your company the current state of operations and the future? A single approach to this would be to compare yourself against your peers. (Defining your peers is dependent upon each individual product and service. To often businesses classify their industry based on the business as a whole and lose sensitivity to the context of the individual service and product line.) More specifically when analyzing the security compliance program, specific areas and metrics can be considered (the specific competitiveness and leading indicators of your security compliance program must cover additional areas).

To consider the state of your security compliance program compared to your peers, the following points should be considered and tracked at the executive leadership level:

  1. How do you compare to your competitors? This statement alone requires that the leadership team of the security compliance program has these defined explicitly
  2. In the market place what deals have you won or lost, to whom, and what product / services were involved?
  3. What is the customer attrition – by customer type; rationale?
  4. What is the amount of queries being submitted to sales, engineers, customer support, and executives regarding security compliance to the business?

An analysis of these four points within the context of security compliance will clarify any areas where the program is negatively and positively effecting the market strength of the product and services for the business.

Thoughts and expansions?

James DeLuccia

An attribute of a mature security compliance program

The security compliance program of an enterprise is a core function in the achievement of sales, maintaining regulatory and contractual obligations, meeting the security challenges in a connected world, and achieving a balance of consistent operations while returning a profit for the business. A challenge within these programs, and especially for businesses do that do not have a consolidated mature program operating at the executive level is the transparency of cost and improvement of margins within operations.

Transparency of cost relates to the costs of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs related to reporting to third parties on the state of the compliance and security program. Cost of such can exist in any of the following scenarios:

  1. Sales person seeking to close a sale brings onboard an engineer and product manager to speak to / commit on security and regulation safeguards. Such initiation of new agreements may require a 250+ questionnaire to be completed by such an engineer that typically requires additional parties to respond – resulting in roughly 30-50 hours of engineer time x % of new deals signed annually)
  2. Help desk pulling in engineers to respond to security / compliance question submitted online (roughly 1-3 hours of engineer time x # of customer requests)
  3. Annual queries directed at engineers, leadership, product managers, and sales teams demonstrating security and compliance programs exist or controls specific to customer request are satisfied. Such annual queries may involve questionnaires as mentioned above (30 hours approximately to address), on-site audits, and 3rd party audit reports.

The end result of this singular area of cost is time taken from valuable engineers away from developing product, improving product, and executives focused on tactical activities. In addition, a non-optimized security compliance program does not gain any leverage by the above activities, so each activity is repeating past work. Zero scale is achieved.

Reflecting on your organization, improvements can be gained. An attribute that has proven beneficial is to consider the following that easily measurable and can be tracked:

  1. What is the unique number of security and compliance controls deployed within the products & services?
  2. What is the number of queries for each period?
  3. What is the number of FTE hours to address these queries? (the above are averages that I have seen, but analysis is worth refreshing for your organization)
  4. What is the number of interactions the individuals have with the customers?
  5. What is the current central approach to meeting the needs and responding to such queries?

The last question is leading to the idea that the program should be centralized in a manner to manage these questions centrally. This provides scale, lessons learned, and coordination across the business. The program itself when designed and tracked in such a manner becomes part of the sales process, account maintenance, and a regular touch point for the customer. Establishing the proper executive leadership and integrating this program is critical to every direct to consumer business, and more so for the rapidly growing technology services sector.

Thoughts?

James DeLuccia