Tag Archives: ciso

How to determine how much money to spend on security…

A question that many organizations struggle with is how much is the appropriate money to spend annually per user, per year on information security. While balancing security, privacy, usability, profitability, compliance, and sustainability is an art organization's have a new data point to consider.

Balancing – information security and compliance operations

The ideal approach that businesses take must always be based on internal and external factors that are weighted against the risks to their assets (assets in this case is generally inclusive of customers, staff, technology, data, and physical-environmental). An annual review identifying and quantifying the importance of these assets is a key regular exercise with product leadership, and then an analysis of the factors that influence those assets can be completed.

Internal and external factors include a number of possibilities, but key ones that rise to importance for business typically include:

  1. Contractual committments to customers, partners, vendors, and operating region governments (regulation)
  2. Market demands (activities necessary to match the market expectations to be competitive)

At the aggregate and distributed based upon the quantitative analysis above, safeguards and practices may be deployed, adjusted, and removed. Understanding the economic impact of the assets and the tributary assets/business functions that enable the business to deliver services & product to market allows for a deeper analysis. I find the rate of these adjustments depend on the business industry, product cycle, and influenced by operating events. At the most relaxed cadence, these would happen over a three year cycle with annual minor analysis conducted across the business.

Mature organization's would continue a cycle of improvement (note – improvement does not mean more $$ or more security / regulation, but is improvement based on the internal and external factors and I certainly see it ebbing and flowing)

Court settlement that impacts the analysis and balance for information security & compliance:

Organization's historically had to rely on surveys and reading of the tea leaf financial reports where costs of data breaches and FTC penalties were detailed. These collections of figures showed the cost of a data breach anywhere between $90-$190 per user. Depending on the need, other organizations would baseline costing figures against peers (i.e., do we all have the same # of security on staff; how much of a % of revenue is spent, etc…).

As a result of a recent court case, I envision the below figures to be joined in the above analysis. It is important to consider a few factors here:

  1. The data was considered sensitive (which could be easily argued across general Personally Identifiable Information or PII)
  2. There was a commitment to secure the data by the provider (a common statement in many businesses today)
  3. The customers paid a fee to be with service provider (premiums, annual credit card fees, etc.. all seem very similar to this case)
  4. Those that had damages and those that did not were included within the settlement

The details of the court case:

The parties' dispute dates back to December 2010, when Curry and Moore sued AvMed in the wake of the 2009 theft of two unencrypted laptops containing the names, health information and Social Security numbers of as many as 1.2 million AvMed members.

The plaintiffs alleged the company's failure to implement and follow “basic security procedures” led to plaintiffs' sensitive information falling “in the hands of thieves.” – Law360

A settlement at the end of 2013, a new fresh input:

“Class members who bought health insurance from AvMed can make claims from the settlement fund for $10 for each year they bought insurance, up to a $30 cap, according to the motion. Those who suffered identify theft will be able to make claims to recover their losses.”

For businesses conducting their regular analysis this settlement is important as the math applied here:

$10 x (# of years a client) x client = damages .. PLUS all of the upgrades required and the actual damages impacting the customers.

Finally

Businesses should update their financial analysis with the figures and situational factors of this court case. This will in some cases reduce budgets, but others where service providers have similar models/data the need for better security will be needed.

As always, the key is regular analysis against the internal & external factors to be nimble and adaptive to the ever changing environment. While balancing these external factors, extra vigilance needs to ensure the internal asset needs are being satisfied and remain correct (as businesses shift to cloud service providers and through partnering, the asset assumption changes .. frequently .. and without any TPS memo).

Best,

James

 

How to do DevOps – with security not as a bottle neck

As in any good morning, I read a nice article written by George Hulme that got me thinking on this topic; that lead to a discussion with colleagues in the Atlanta office, and resulted in me drawing crazy diagrams on my ipad trying to explain sequencing. Below I share my initial thoughts and diagrams for consumption and critique to improve the idea.

Problem StatementIs Security a bottleneck to development and likely more so in a continuous delivery culture?

Traditional development cycles look like this …

  1. A massive amount of innovation and effort occurs by developers
  2. Once everything works to spec, it is sent to security for release to Ops
  3. In most cases security “fights” and in a few cases fails the release to ask developers to patch (patching itself implies not a real solution but a fix and not a solution), and then
  4. a final push through security to Ops
There are many problems here, but to tackle the first myth – security here is a bottleneck, because that is how it is structurally placed in the development cycle.
On a time (man days; duration; level of work) basis, security is barely even present on the product develop to deploy timeline – this is akin to thinking that man has been on Earth for a long time, but is a mistake when taken relative to the creation of the planet.. but I digress
Solution In a continuous develop environment – iterate security cycles

As Mr. Hulme highlighted in the article, integration of information security with development through automation will certainly help scale #infosec tasks, but there is more. Integrate through rapid iterations and a feedback (note the attempt at coloring of the feedbacks by infosec & ops, joined and consistent with the in-flight development areas)

While high level, I find that as I work with leadership within organizations – clearly communicating and breaking out the benefits to their security posture; ability to hold market launch dates, and clarity for technology attestations is equally as important as the code base itself. Awareness and comprehension of the heavy work being done by developers, security, Ops, and compliance audit teams allows for leadership to provide appropriate funding, resources, governance, monitoring, and timelines (time is always the greatest gift).

How have I developed my viewpoint?

I have been spending an increasing amount of time these past few years working with service provider organizations and global F100. The common thread I am finding is the acceleration and dependecy of third party providers (Cloud, BPO, integrated operators, etc..) and in the process have had an interesting role with continuous delivery and high deploy partners. Specifically, my teams have audited and implemented global security compliance programs of those running these high deploy environments, and sought to establish a level of assurance (from the audit public accounting perspective) and security (actually being secure and better sustainable operations).

Best,

James

 

Tactical Issue: How to handle Executive Assistants and #infosec

Problem Statement: How have you seen companies handle executive assistant's access to C-level and VP accounts? Our executives heavily rely on their admins but don't realize the risk when we go to single sign on.

How does this apply to you?

As organizations grow and expand there is a sensitivity of access to data, and especially if businesses are in an M&A mode, there is much higher sensitivity at the executive level. Data protection and limitaiton of access is dependent upon the specific instance.

If an organization, such as the question above, allows (and most do) admins / executive assistants to access senior leadership files then what do you do?

  1. Trust explicity, same credentials and access as the executives they represent
  2. Trust per instance, same credentials but institute specific 'special handling protocols' for items that are too sensitive
  3. No trust.. this is unlikely to succeed unless there are no admins, given the sneaker-net still works beyond many other cultural and personnel inherent issues at large here

Solution Concepts:

there are many ways to approach this problem statement, but a few responses to each of the above (I'll reference each bullet number above for simplicity)

  1. Admins/executive assistants go through the same background security vetting as their assigned executives, and the systems themselves have escalated monitoring. Essentially deep background checks, ongoing personnel monitoring, and better system security for the end-user devices.
  2. By far the easiest – special handling protocols for executives would be the initiation of secure platforms, encrypted containers, electronic document handling authenticated to specific systems, even project code names, etc ..
  3. These do happen, but definitely require the culture to accept the extreme firewalling (socially) of discussions and work. Not appropriate for many organizations today.

Final Thoughts:

I spend most of my time designing, implementing, and operating global security programs for businesses… so this tactical question was fun to receive. Working in the details is where life happens, and is proof point for many innovations. Smashing together technology, process, and people is an art .. a journey .. and always unique.

Hope this helps.

James

RSA 2014 – 2 themes from Tuesday

A fresh post in a long while ..

So, after writing for clients and my research being all consuming this past year I am re-focusing time in my day to share observations and thoughts. Why? Quite simply I learn more when I write; share, and get feedback then living in an echo chamber. How will this benefit the world/you.. simple, you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I. I also will begin focusing my posts on my dedicated portal for such topics and (attempt) to limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.

Also, I am trying to aim for a high iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask, please share, challenge, and seek to understand my perspective – as I will do for you.

Onward then …

Today is RSA day and 2 themes that are evident and of most importance based on several large client discussions; analyst discussions; and a few researchers I had the privilelege of speaking with today:

  1. Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)
  2. Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, Crypto architects disowning responsibility for operational deployment, and “enable” privacy, security this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impings their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering

Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.

Best,

 

James

 

Rethinking what security controls you MUST address

In 2008 I wrote a book, partially on the premise of cross mapping regulations together in a manner to build a common control framework for enterprises. The genius here was to address all requirements placed upon the business to meet their unique security and regulatory footprint. The more and more I work with senior leadership of businesses and security professionals I recognize there is a gap. The security professionals pushing for tighter and richer security safeguards, and the business seeking sales.

Upon reflection I realize that there is a gap in the broader approach and a blind spot that I and others likely have in enterprises, and that is the customer requirements.

Specifically, the cross mapping I proposed is correct but it did not go far enough, and from my analysis nobody goes far enough. Therefore I would propose enterprises and security compliance programs in general consider expanding their programs to include Market requirements.

Screen Shot 2013-01-09 at 3.47.49 PM

The mapping would be from customer requirements (such as SEC, IRS, and specific industry best practices) to the security controls of the business itself. This would influence and ultimately increase the security of the service. In addition, sales blockers would be removed and ongoing associated costs with maintaining accounts would equally be reduced.

A common statement / question: What are all the things we need to compliant with in the world?

Corrected question: What do our clients need to be compliant with when using our services?

(the first question absolutely must be understood and ideally is a known variable, so this corrected question is the evolution of thought and the program itself)

A shift in my thinking over the past year, and one I hope can be further debated and evolved.

Kind regards,

James DeLuccia