Tag Archives: sox

Compliance mandates do not make up your enterprise security program (PCI, SOX, GLBA, etc. included)

A challenge for large businesses is addressing their own information security needs so that they can manage their operations in a manner that keeps them resilient and adaptable in an ever more competitive marketplace. Each organization is different, in both its risks and the needs to mitigate them. A painful development of the past decade has been the mistaken direction organizations have taken in building programs to address single compliance instances. That is, organizations develop programs to satisfy one compliance requirement at a time (vendors, SEC, industry, etc.). Not that these are unimportant, but a natural effect of this is the perception that the security “controls” (even the word doesn’t lend itself to the right non-audit light) exist only to achieve compliance.

The mistake is achieving compliance with compliance requirements alone. That leaves a gap in the business’ OWN needs. Over the past year I have spoken on this topic publicly at conferences, and my book has a huge focus on aligning and establishing business requirements cohesively.

To elaborate on the graphic … the CxO office must be aware of and share its strategy. This is typically easy to find, as I generally begin building these programs from the 10-K reports of the last two years. These feed the information security program elements and form the decision framework for all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc. In addition, the compliance elements must be addressed, but with the understanding that these are risk transfer activities imposed by third parties: not the basis of the enterprise program, but a single consideration within it.

The capability of the organization to address market competitive requirements depends on the proper balance. Here you can see the target: 85% of the program is made up of the business’ own innovative and market driving / supporting activities, and 15% of the program goes to meeting these ‘license to operate’ requirements.

The takeaway is to challenge your organization’s singly managed compliance initiatives and to take a deep dive on aligning budget to business revenue generation. The safeguards must be rationalized to make the business efficient and effective, and that includes safeguarding and enabling the business to conduct business, everywhere.

Thoughts?  Challenges?

James

Symantec’s 2010 State of Enterprise Security

The 2010 survey is complete, and having dug through it I have the following thoughts to offer. First off though, thank you to Symantec for making the information so readily available. They have provided the slides via SlideShare, the PDF report, and the press release. My efforts below are not to reproduce the report, but instead to carry the ideas and findings one step further. In addition, my hopeful final goal is to challenge the report and certain aspects of the findings in the spirit of relative context.

“Enterprise security is IT’s top concern” – when compared to the other options listed in the survey I do not find this impressive, as digital threats are the most direct concerns. On page 5 of the report, though, the detail that 94% of businesses expect to change their cyber security efforts and 48% are planning major changes is impressive. That highlights the intelligent repositioning of enterprises and their continued focus on remaining engaged with the threats rather than passive. This also likely correlates with businesses’ increased focus on deploying more information technology throughout the business and throughout the expanding consumer / business markets. Major changes are a natural result in these cases.

“Enterprises experiencing frequent attacks” – 75% of businesses experienced a cyber attack within the past 12 months, which is a significant figure. If a cyber attack is considered an event that “activates” the incident response teams and / or forensic groups, that is a significant cost and concern. Attacks, as every firewall administrator and every grandmother who gets a virus knows, occur non-stop online, so it is important to qualify and scale these attacks by criticality. This is an important fact in the survey, but more important in the enterprise. The help desk of most organizations is ably suited to respond to malware infections and to queue remote desktop configuration refreshes. For situations that involve a loss of trust in a specific system, resulting from extended malware infection, odd behavior, or log evidence of unauthorized access, these systems should activate the appropriate resources to address the risks directly.

Most problematic IT initiatives from a Security standpoint:

  • Infrastructure-as-a-Service
  • Platform-as-a-Service
  • Server Virtualization
  • Endpoint virtualization
  • Software-as-a-Service

The common thread of these initiatives is the abstract nature of the actual computing system. Whether virtual or processed within a distributed computing environment, the translation of information security safeguards is not automatic. In fact, most conversions to these initiatives highlight inherent weaknesses that were already present in the existing infrastructure but had been addressed through compensating / ad hoc controls. Therefore, while the transition is difficult, the net risk posture will improve. Another perspective is the organizational shift that occurs when network/system operators become service delivery specialists. This cultural swing away from computing system management toward application procurement and service management requires careful attention, training, and tight feedback cycles.

The report concludes with some strategic recommendations that are worth reviewing and confirming are currently in operation in your organization.

Overall, the statistics and findings are in line with the concerns and challenges enterprises have been addressing over the last year. The survey provides a nice update and is certainly useful. As with any survey, consider the source and recognize that your environment is unique. Such individuality of computing systems by its very nature requires a custom and reflective approach to managing risk and security within the organization.

Best regards,

James DeLuccia

Audits of the future must enrich and enforce your IT Strategy

Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses. A broad topic, but we were primarily focused on the database administrators and those charged with the controls in place. While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on Twitter (#nzdc), a more basic harm and cause emerged: most organizations have been approaching audits and controls in the wrong manner.

First off, consider what the point of the audit is. The answer may be one of two prime responses:

  • The point is that the Federal government and our industry cohorts don’t trust how we’ll do business, so we have to demonstrate particular safeguards and operating integrity base points to keep our operating license.
  • The second may be that management is overseeing a massively complex organism, and only through third party verification and evaluation shall we know what in the world is right / wrong / or a complete waste.

Now both responses are right, and there is nothing wrong with leaning more toward either of these points, but there is a severe cost. Taking a checkbox approach to an audit means that the INTENT is not being satisfied (the classic Compliance does not equal Security is a prime example), and one should not be passing such audits, but that is not the focus of this post. Furthermore, conducting an audit in a manner where one simply responds and loosely ties the controls together for the sake of “the audit” every year translates to a complete loss of the savings that can be achieved from such events.

There is no doubt that audits are time consuming and resource intensive, similar to a high-stakes test. The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience. Too often organizations do not carry those lessons forward, because audits are treated as one-time events and not integrated.

To be sure, auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management / company culture severely impacts how these evaluations are viewed and addressed. It is also true that without carrying these lessons beyond the hour the audit occurs, errors, expense, time, and resources will forever and continually be lost.

Best Practice Advice:

Consider your audit plan for the year and how the audits fit with your IT strategy and IT governance function as part of the company governance program. Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.

Thoughts and contributions?

James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM

Check out the webinar I mentioned above here; it will be archived and viewable at your leisure.

Devolution, Forrester, Synergies, and reducing TOC

Devolution was pitched yesterday by Forrester researcher Andrew Jaquith on a webcast entitled “Effective Data Security: No Forklift Required”. I quite enjoyed the presentation and thought the concepts were timely and consistent with what has been needed in the market. In fact, I spoke on this last year at the RSA Conference 2008 and dedicate a portion of my book IT Compliance and Controls to this concept. However, my focus was on synergies across business controls and operation targets and less on the DLP type challenges Forrester was addressing. The Forrester research provided good details on the expected shifts in budget, but not on how IT functions and security safeguard requirements shall evolve in these situations.

There is tremendous value to be gained from current technology deployments, and tremendous waste occurs when organizations do not communicate. While that is not a very insightful statement, one should consider this: organizations that require their technology to meet 99.9xx% uptime and undergo several audits on privacy / PCI / SOX / IFRS / FISMA / HIPAA without aligning the underlying technology components are wasting money and time. Specifically, according to my research and field experience, these institutions tend to be more INsecure despite the heavy focus on meeting audit deadlines and customer SLAs. To save on budget, regardless of the state of the economy, find synergies and move forward with better security and fewer service problems. A key litmus test: does your staff have to respond more than once for an audit? If so, this is a symptom of wasted effort and untapped budget flexibility.

During the Forrester call several great questions were posed. If you are able to attend future research calls, I would advise posting questions to ensure maximum value.

Thoughts and Comments?

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**