7 Things Every CEO Should Know About Information Security
Unless you’ve been living under a rock, you probably realize what a hot-button issue information security has become for the modern enterprise. Maybe you’ve already mobilized a C-level security executive to develop a comprehensive security program, maybe you’ve just asked your CIO to get a handle on things, or maybe you’re just fantasizing that security incidents can’t possibly happen to a company like yours. Either way, you probably recognize the magnitude of trouble companies face when a breach, caused by their practices, hits The Wall Street Journal. And like many CEOs, you at least have an inkling that your company has room to improve its security practices.

Currently, there exists a troubling disconnect between information security personnel and top decision-makers within the enterprise. According to last year’s Ernst & Young global security survey, almost one-third of information security professionals never meet with their board of directors, and most meet less than once a quarter with their corporate officers and business unit leaders.

If that sounds like your organization, then keep reading. Hopefully, once you’ve finished this ebook, you’ll see how important your role is in maintaining a secure environment, why it isn’t a good idea to cross your fingers and hope the tech guys have everything under control, and why compliance with security regulations won’t solve all of your problems.

As a CEO, I understand the complexities and nuances of leading an organization to profitability and success. And as an expert in the security industry, I also have a clear picture of how the very best businesses protect themselves. These two perspectives put me in a good position to talk to you—CEO to CEO—about the most important components of information security and why you should know about them. There’s no marketing mumbo-jumbo here, just straight talk about a topic that can very well impact your bottom line and the ability of your business to deliver its product to customers.

Pat Clawson
Chairman & CEO, Lumension Security™, Inc.
Table of Contents

1. Security is a Boardroom Issue
2. The Costs of Ignoring Security
3. Well-Organized & Focused Cybercriminals
4. Increasing Insider Threats
5. Emergence of the Borderless Enterprise
6. Traditional Security No Longer Works
7. Policy and Process Reign Supreme
Conclusion: The Security Role of the CEO
1. Security is a Boardroom Issue

Contrary to what some CEOs may think, information security is absolutely a boardroom issue. Even though it sometimes may seem as if security issues end up being mired in technical details, it is clear that ignoring them altogether can impact the bottom line, the brand and shareholder value. These aren’t technology issues; these are core business issues.

If a business chooses not to set security policies, or sets them so loosely that it suffers a highly publicized attack, it could find itself ostracized by its largest customers and partners. These types of risks are boardroom issues and they should be discussed by you and your advisors, no matter what their technical background looks like.

Clearly, your peers are standing up and listening because their feet are being held to the fire by regulators. In some ways, this can be a good thing. It has definitely helped bump up overall awareness of security topics amongst the C-suite. As one of my customers puts it, his department is finally starting to get the input he believes information security personnel should have.

“In the last few years, I’ve started to see a change. Traditionally, we’d be ignored,” he says. “Even if you’re a C-level person, you never really got the inclusion that the rest of the C-suite did. That’s starting to change. I find my department becoming included in more business decisions. Anytime people are looking to do their due diligence in acquisitions and mergers, we’re consulted.”

Currently, most executives only focus on security in relation to complying with security regulations such as HIPAA, Sarbanes-Oxley and the PCI Data Security Standard. In last year’s 10th annual Ernst & Young global information security survey, approximately 64 percent of corporate executives reported compliance as the principal information security driver.

But compliance as a security driver is a double-edged sword. According to John Pescatore, analyst with Gartner Research, executives and board members should not be so quick to throw their security spend at compliance efforts.

“Really, it is dangerous to hang your hat on compliance as a justification for everything,” Pescatore says. “From a boardroom point of view, we think security should be protection-driven, not compliance-driven.”

The way he sees it, compliance fines pale in comparison to the cost of an actual security incident that can occur when proper precautions are not put into place. If an otherwise compliant organization misses a certain piece of the security puzzle, one not included in “XYZ” regulations, and suffers a denial-of-service attack, then it stands to lose a lot more in lost revenue than if it had been secure but non-compliant. CEOs really need to eliminate the mentality that being compliant with regulations means their organizations are secure. Compliance is a measurement against regulatory standards, not necessarily a measurement of overall security. Look at the recent breach at New England’s Hannaford Brothers grocers. In that case, the company claimed that it was PCI compliant when the incident occurred. Even if this claim was true, compliance didn’t shield Hannaford in the court of public opinion—and it won’t shield your organization if something similar happens to you.

In my opinion, there is definitely a wide-scale wake-up call that still needs to happen at the executive level in regards to this security compliance misconception.

“What I tell CEOs is make sure your security program is protecting your customers and protecting your business. Then give the auditors what they need for you to demonstrate compliance,” Pescatore says. “Decide what controls are needed to protect the business and customer data and then add some additional reporting functions that demonstrate compliance for all of them.” This is not only a safer and saner way of doing things, it is usually cheaper to boot.

Guidance for Boards of Directors

Executives need to oversee a security program that meshes the security needs of their specific organization with the demands of regulators to prove security. They need to recognize that the organization has an ultimate responsibility to secure its data and that of its customers.

“To achieve effectiveness and sustainability in today’s complex, interconnected world, security over information assets must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Implementing effective security governance and defining the strategic security objectives of an organization are complex, arduous tasks. They require leadership and ongoing support from executive management to succeed. Developing an effective information security strategy requires integration with and co-operation of business unit managers and process owners. A successful outcome is the alignment of information security activities in support of organizational objectives. The extent to which this is achieved will determine the effectiveness of the information security program in meeting the desired objective of providing a predictable, defined level of management assurance for business processes and an acceptable level of impact from adverse events.” Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006
2. The Costs of Ignoring Security

Many of the most publicized security failures in recent years can be attributed to short-sighted leadership decisions to save a few bucks on security in the short term. Take TJX’s (TJ Maxx) record breach of 94 million customer records—it all came as a result of an upper-level management directive to wait on upgrading wireless security.

As a CEO, what risk to the bottom line are you willing to assume for the sake of saving a few dollars in the coming years’ budgets? In TJX’s case, they’ve paid hundreds of millions of dollars as a result of the breach—many, many times the amount it would have cost to upgrade their technology and practices.

Last year, one of the security gurus with Forrester Research took a quantitative look at just how much poor security practices were costing enterprises. Analyst Khalid Kark found that the average security breach can cost a company between $90 and $305 per lost record. The financial effects can be staggering for a company with millions of customers. Kark used a number of very real factors to come up with this projection. First of all, data breach legislation in most states now puts companies on the hook to disclose any data breach to those affected. Just the sheer cost of going through notification proceedings can put a big dent in the bottom line. Add to that the cost of litigation, regulatory punitive fees and the cost of consultants to perform an investigation of the breach, and it becomes clear why breaches cost so much. The shame of it all is that once this money has been laid out, the new scrutiny you’ll face will force your company to spend more on the security program you should have implemented in the first place. Why not spend that money up front and avoid all of those millions in breach costs?

The largest cost associated with ignoring security, however, still may not be completely quantifiable. The loss of brand equity is a huge risk posed by lax security practices, one which many CEOs need to address. Brand is the bedrock upon which most major enterprises build. When that bedrock cracks, many businesses have a hard time recovering.

Remember ValuJet? The high-flying discount airline had a quality brand in the mid-1990s until one of its jets crashed into the Everglades in 1996. The disaster proved so damaging to the ValuJet brand that the company had to buy AirTran for its identity and completely purge the ValuJet brand from its corporate memory. Granted, a large security breach will rarely result in the loss of human life. But the ValuJet incident still offers a stark lesson in how corporate negligence can destroy a brand.

If a large bank is found to be at fault for not protecting its data assets, and customer information is spread around the world, the event will hit the news. In turn, that organization will lose brand equity, lose existing customer loyalty, and will have a harder time drawing new customers with its now-damaged reputation. The same goes for health care companies, insurance companies, big retail chains, you name it.

In a 2006 study conducted by the CMO Council, over 50 percent of consumers said they would either strongly consider or definitely take their business elsewhere if their personal information were compromised by a business. Even more disconcerting, more than half of business executives said they would either consider or would recommend taking their business elsewhere if a business partner suffered a security breach that compromised their corporate or customer data.

Interestingly, the CMO Council study also found 60 percent of marketers believe that security and IT integrity offer an opportunity for brand differentiation. Yet 60 percent of these same marketers said security has not become a more significant theme in their company’s messaging and marketing communications.

Clearly, executives who choose to ignore security are not only gambling their company’s brand and good name, they’re also losing an opportunity to differentiate themselves from the rest of the crowd.

What I wish my CEO knew about security…

“The most difficult part of being a CSO or CISO is getting CEOs and CFOs to understand that IT security is a part of life, just like fire and flood insurance. You hope you never need to use it, but if you don’t have it and you have a fire, you can lose everything. If you don’t have a strong information security practice in place, the same thing can happen. Support is key, and if you work with your CEO and help him or her understand what value IT security has on the big picture, this will go a long way in gaining the support of different business divisions. If you educate everyone from the top down, it helps tremendously.” Richard Linke, Vice President and CSO for Global Security Management Inc.
3. Well-Organized & Focused Cybercriminals

CEOs really need to stop deluding themselves and understand that their information is worth stealing. If your data is poorly protected, your business is essentially just setting out gold bars in an unprotected window so that any opportunistic bad guy can come and take what he likes. Some of the “gold bars” are different for each business–perhaps secret recipes for food manufacturers, blueprints for engineering firms, programming code for software developers. Other “gold bars” transcend industry verticals. Every business risks confidential information about partners, sensitive customer data and potential sales leads when it doesn’t shore up security. The cat is out of the bag that all of these data tidbits are worth a considerable amount to competitors and identity thieves—most modern hackers already realize this and are well on their way to figuring out how to steal yours without you even knowing it.

See, it used to be that the bad guys in cybercrime were simple script kiddies, just in it for the rush of defacing company property and getting their props from news reports. Their attacks were meant to be visible, so it was very clear when they occurred. But money changed all of that—hackers saw a dollar sign attached to the technical feats they could accomplish and they switched gears. Nowadays, the crooks are trying to fly under the radar, sneaking in to pillage data stores undetected so they can do it again and again to the same target-rich environments. In poorer Eastern Bloc countries, hacking corporate systems is a job for some people. They go to work and hack American companies for other companies or for well-organized crime rings perpetuating identity theft.

The enormous payouts from such antics have driven cybercriminals to dial up their risk thresholds and their ingenuity levels. “Cybercrime today is targeted, it hits deeply, it tries to be stealthy, rarely making the news, and often those attacks on a damage-per-incident level are 10 to 50 times higher than the costs of things like the Slammer worm and other high-profile attacks we used to see,” says John Pescatore, analyst with Gartner Research. “It’s way higher than what a simple virus used to cost us.”

In 2007, the U.S. Government Accountability Office estimated that cybercrime costs the economy $117.5 billion a year. And yet, I still hear CEOs ask, “What would they want with my organization? They’ve got better targets to attack. It’s not like I’m a Fortune 500 company.”

That thinking is all wrong. The thing is that most hackers are smart enough to recognize that smaller companies don’t spend the kind of money and effort securing their information that the big boys do. If you aren’t spending on security, then you become the better target to attack.

Think about it. If I’m a hacker planning to make some money by selling personally identifiable information to an identity thief, who would I rather attack? A large multinational bank that likely has billions of dollars invested in information security? Or a small credit union that probably hasn’t fully secured its systems? It’s like asking a burglar whether he’d rather sneak into a house with unlocked doors or crowbar his way into a deadlocked home. He’ll pick the unlocked house every time.

Cybercrime Economy

Cybercrime has grown into an extremely mature black market with major players often employing more sophisticated business methods and partnerships than many legitimate businesses. Tom Espiner with CNET News.com wrote a particularly illuminating summary of the cybercrime ecosystem in his article, “Cracking Open the Cybercrime Economy,” published Dec. 14, 2007:

“Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account. Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as “money mules,” can also take up to 50 percent of the funds to move the money via transfer services. Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.”
4. Increasing Insider Threats

It isn’t just those well-funded adversaries outside the business that you, as a CEO, must worry about. There are also numerous threats much closer to home—literally inside the business.

According to Gartner analysts, 70 percent of the security incidents that cost enterprises money involve insiders in some way or another. Companies often spend so much time and money worrying about threats outside the enterprise walls that they forget about the dangers that lurk within. The risks posed by employees and trusted partners can run from out-and-out fraud all the way down to simple user errors that cause system insecurity and open them up to attack. Typically, both are caused by lack of controls and poor oversight of employee computer activities.

Just as a company wouldn’t think twice about auditing the books and double-checking ledgers, it should be standard practice to keep track of access to valuable data assets and risky computing activities that could cost the business a mint. Too many companies choose not to monitor employee interaction with intellectual property and sensitive data, and eventually pay a steep price for their lack of verification. And even those who choose to monitor general staff forget to watch the waters, leaving IT administrators with far more account access privileges than their jobs require. Besides, even the most trustworthy insiders are capable of triggering a security event that can send a business reeling.

Especially damaging are the cases of intentional theft when employees remain unmonitored or have uncontrolled access to sensitive data or systems. It happens all of the time, and in many cases the damages can be in the hundreds of millions of dollars. In February 2007, it came out that a senior chemist at DuPont stole $400 million worth of data and tried to leak it to a third party. In just a six-month period, this trusted employee downloaded about 22,000 abstracts and 16,700 documents. He was eventually ferreted out by DuPont’s IT staff and taken to trial for his transgressions—but for every one of those caught there are many more who actually get away with it.

As a CEO, I understand that trust is an important part of running a business. But I also realize that while I can trust people up to a certain extent, I have to set boundaries around trust.

“The insider threat hasn’t gone up; there have always been dishonest employees,” Pescatore says. “What has gone up, and what the real insider threat is, is employees trying to do their jobs using technology that we didn’t first make safe. And then, oops, information is either accidentally exposed or left open such that a fairly simple cyber attack can get to it. That represents the majority of growth of insider incidents.”

Some employees may not know they are doing anything wrong. They’re just doing what they think needs to be done to do their job. Everyone within the security field has heard of numerous cases of people copying sensitive databases to their mobile devices and bringing them home from work. It happens every day, and every day that your employees do this, they are putting your organization at serious risk. If that device is lost or stolen, you face a serious breach with all of those costs I mentioned earlier.

Because employees and trusted partners with access to your information will take risks if they aren’t aware of them, education plays a big part in curbing insider threat. Education is huge because simply telling errant employees not to do something doesn’t always have the desired effect. People sometimes justify bad behavior when they are under the gun; they think, “I’ll just do it this once,” or “They didn’t really mean it when they said not to do this.” It is the job of your information security department to educate users and make sure they understand why taking certain actions puts the business at risk. And it is your job as the CEO to back up the Chief Information Officer (CIO) and to really emphasize the stakes at hand. Often the only way employees will listen is if the directive comes from the top, so give your infosec personnel some support.

Education can’t do it alone, however. The only way to truly keep insiders to their word is through automated policy enforcement, smart monitoring technology and effective use of account restrictions.

Did you know?

Does your organization have a way of tracking how information is being copied and transported? Does it have a way of protecting data at rest, in motion and in use? As a CEO, you should at the very least know the answer to those questions, because your job very well may depend on it.

From the Insider Threat Study conducted by the National Threat Assessment Center of the U.S. Secret Service and the Software Engineering Institute at Carnegie Mellon University, 2005:
- Most insider events are triggered by a negative event in the workplace.
- Most perpetrators had prior disciplinary issues.
- Most insider events were planned in advance.
- Up to 87 percent of attacks didn’t require advanced technical knowledge.
- Approximately 30 percent of incidents happened at the insider’s home through remote access.
5. Emergence of the Borderless Enterprise

Many business-side leaders don’t fully appreciate all of the holes and points of weakness that exist in their network today. They figure that after green-lighting the CIO to spend buckets of money on firewalls and other network defenses, the organization should be pretty well fortified against assault. The problem is that since that money has been spent, the enterprise has changed and the CIO has been forced to change the technology that supports the business. In this age of super-connectivity, CIOs have been asked to provide more ways to give employees and partners access to information. In the process, insecure systems that were never meant to be connected to the Internet are now online. Information portals are poking holes in the network infrastructure all over the place, data is leaving the network on portable storage devices, and mobile devices are enabling people to move outside the network with sensitive data while coming back onto the network with infected systems. Plus, as I just mentioned, you have got lots of potential “bad apple” employees who are automatically allowed access inside network boundaries. It has gotten to the point where there isn’t an impenetrable border around the enterprise anymore.

Unfortunately, most businesses have been unable to adjust their security programs to account for this borderless enterprise. In a study of 735 CIOs conducted by the Ponemon Institute in 2007, more than 60 percent of them said their organizations still place more importance on network security issues than any other. Approximately 62 percent said their off-network controls are not “rigorously managed.” And yet, 62 percent said that they have a lot of unprotected confidential information on off-network systems. This assumption of risk has led to a much higher rate of incidents involving those off-line devices—nearly 75 percent of the managers surveyed had one of these devices lost or stolen in the last two years, and of those, 42 percent involved the loss of sensitive information.

These numbers aren’t meant to scare you. I’ve brought them to light so that you understand why your CIO keeps knocking on your door to talk about data protection—these days, that is the name of the game in security. Executives today must recognize that security is no longer about fortifying the network, it’s about protecting the data. We’ve already established that the crooks aren’t looking to simply break your network. They want to get their grubby little hands on your data.

These bad guys are no dummies—they know how to exploit holes in the network and how to take advantage of offline systems and endpoints in order to gain future access to your data stores. If the endpoints and the data are protected, it becomes a lot harder for the criminals to steal information. Your technology leaders must be able to satisfy the needs of your staff and partners to access appropriate data while maintaining appropriate control and monitoring of that information to ensure it remains safe. In the end, organizations need to make sure they’re not giving away too much free access at the expense of the company’s well-being.

What I wish my CEO knew about security…

“For me, it’s got to be the application level security and code-security. In our company and a lot of companies, security is still seen as an IT process, you do some IT things, development does their things. Making the argument that code security, revision control are so absolutely important that often times they can be the invalidation of all the controls that I’ve put around things. If someone screws up and makes a code error, it’s now dumping your databases to the Internet. So, that’s going to become one of the next hot items – database and web application security in multiple ways. Getting some kind of insight into your code’s security is very important. It’s not being properly communicated by anyone at this point. Mostly because people don’t have a hard grasp of the application threat landscape. There are a few people who understand it, and to my knowledge, they work for their own companies. They’re independent contractors. They’re not convincing CEOs that that’s important. A lot of the other people out there just haven’t gotten it yet.” William Bell, Director of Security for ECSuite.com
6. Traditional Security No Longer Works

So now that the climate has changed and we operate within a borderless enterprise, it is imperative for company and technology leadership to realize that the security model they’ve depended on for so many years is broken.

Simply installing antivirus and firewall perimeters no longer helps businesses effectively defend themselves. There are too many ways around the network perimeter. Those well-funded criminals I already talked about are using clandestine code that cannot be detected by mass-marketed antivirus software, which only offers protection from known attacks. That’s not to say that these older technologies no longer have a place in the enterprise. They still do a reasonable job protecting enterprises from old attacks and act as a good, existing first layer of defense.

“The real key is figuring out how to make the perimeter security less expensive and then be able to deal with where the threats are starting to bypass the traditional forms of security,” says Pescatore, “because there are new forms of attacks and there are always these waves of old attacks that come back.”

We recently had a customer say to us, “I can’t tell you how many of my peers find it easy to fund and implement perimeter security, but find it harder to do so for the needed internal security.”

Executives must have their technical staff focus on the squishy center that exists inside that perimeter exoskeleton they’ve built up over the years. Otherwise, crafty bad guys are going to attack from the inside out.

Think about it: with all of your employees demanding connectivity online and online portals directing customers and partners to data from the outside, there are loads of little back doors leading directly into networked data stores. And if I’m a bad guy, why would I try to go through the fortified front door when I can just waltz through the back door and ride the wave of connectivity directly to your most valuable data? Why attack the network directly when I could simply get an employee to visit an infected website that will load a Trojan onto their system and will grant me access into their system and into wherever it is connected? If you have nothing to prevent that, they’ve already won. They’re establishing an outbound connection right back to their system, which means you’re toast and your firewall means nothing.

Businesses who have recognized the death of security as they once knew it have kept their protection programs up-to-date by shifting focus to areas such as internal network security and monitoring, endpoint security and configuration management. Most importantly, the most successful security practitioners have begun to supplement the old guard in technology with proactive security through whitelisting. Unlike the traditional method of blacklisting the “known bad” programs and applications, whitelisting only lets the “known good” execute within the enterprise environment.
“Both the threat environment has changed and our priorities have changed so that we really need to get into protecting the information itself,” Mogull said. “So that’s where the concept of information-centric security comes from. Which is why people are saying ‘Why don’t we look at the tools and techniques we need to protect the data and not just protect our networks?’” - Rich Mogull, Securosis, from March 2008 Baseline Magazine article.
Senior Director of Solutions and Strategy, Don Leatham, sits down to discuss Vulnerability Management challenges in a Web 2.0 world, and how to defend against these threats.
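To make the blacklist-versus-whitelist distinction above concrete, here is an added example (it is not code from the ebook or from Lumension) that expresses both models as execution-control decisions and runs them over a handful of constructed sample “executables”. The program names, their contents and both lists are assumptions made up for the illustration; real products identify programs by file hash much as the `sha256_hex` helper does here.

```python
"""Added example (not from the ebook or Lumension): the difference between
blacklisting the "known bad" and whitelisting the "known good", shown as two
execution-control decision functions run over constructed sample programs.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Identify a program by the hash of its contents, as whitelisting products do."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "executables": the byte strings stand in for real binaries.
PROGRAMS = {
    "spreadsheet.exe":    b"vetted spreadsheet application, build 1",
    "spreadsheet_v2.exe": b"vetted spreadsheet application, build 2 (just patched)",
    "payroll.exe":        b"in-house payroll tool approved by IT",
    "old_worm.exe":       b"malware the antivirus vendor has already catalogued",
    "new_trojan.exe":     b"never-before-seen trojan dropped by a drive-by download",
}

# Blacklist: signatures of malware the vendor has already seen (constructed).
BLACKLIST = {sha256_hex(PROGRAMS["old_worm.exe"])}

# Whitelist: hashes of programs IT has explicitly approved for this environment
# (constructed). Note that the freshly patched spreadsheet build is not on it yet.
WHITELIST = {
    sha256_hex(PROGRAMS["spreadsheet.exe"]),
    sha256_hex(PROGRAMS["payroll.exe"]),
}


def blacklist_decision(contents: bytes) -> str:
    """Traditional model: everything runs unless it matches a known-bad signature."""
    return "block" if sha256_hex(contents) in BLACKLIST else "allow"


def whitelist_decision(contents: bytes) -> str:
    """Whitelisting model: nothing runs unless it matches a known-good hash."""
    return "allow" if sha256_hex(contents) in WHITELIST else "block"


def compare(programs=PROGRAMS) -> dict:
    """Return both verdicts for every sample program."""
    return {
        name: {"blacklist": blacklist_decision(body), "whitelist": whitelist_decision(body)}
        for name, body in programs.items()
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20} blacklist={verdict['blacklist']:5}  whitelist={verdict['whitelist']}")
```

Two rows differ between the models. The never-seen trojan is allowed by the blacklist and blocked by the whitelist, which is the point the text makes. The freshly patched spreadsheet build is also blocked by the whitelist until someone approves it, which is the operational cost behind the “Operationally Efficient & Manageable” sidebar: a whitelist has to be maintained as approved software changes.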
13
7. Policy and Process Reign Supreme

As in many other aspects of the business, tools support a solid foundation laid by effective policies and processes. It is your job as the head honcho to guide your Chief Information Security Officer (CISO) to make sure he or she isn’t using technology as an ineffective crutch.

As a CEO, you probably already know that there’s no product in the world that can completely solve a complex business problem. It is no less true for information security than for anything else in the business.

One of the real dangers of working with technical executives is that some of them tend to fall so completely in love with certain technologies that they fail to remember their overarching goals. This particular malady infects a lot of people in security, who unfortunately focus on buying and implementing tools they view as a panacea.

“So if every time there’s a problem and the only thing your CISO is suggesting is technology, you should poke ‘em with a stick,” Pescatore says. “You should say, ‘Wait a minute, where’s the process change or the other things that always have to go with technology to make it work?’” These “other things” need to include risk assessment, standardized procedures, boundary setting around what employees should and shouldn’t be doing with systems and data, and also setting baselines on how systems are configured. From there, the technology can monitor and enforce all of those policies and procedures, providing reporting to prove to the auditors that everything is working.

“Information security by technical means is not sufficient and needs to be supported by policies and procedures,” wrote Chaiw Kok Kee in a SANS Institute whitepaper on security policies. “Security policies are the foundation and the bottom line of information security in an organization. Depending on the company’s size, financial resources and the degree of threat, we have to set up a security policy that finds the right balance between overreacting and exposing your system to any and every hack.”

5 Basic Tenets of Information Security

“Information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy. It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization’s business processes and strategy. Security must address entire organizational processes, both physical and technical, from end to end. The five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives”
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006
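Pescatore’s point that technology should monitor and enforce the baselines policy sets, and produce reporting for the auditors, is easiest to see with a small worked check. The following is an added example, not code from the ebook or from any product: it compares a constructed inventory of hosts against a constructed configuration baseline and rolls the deviations up into the kind of numbers a quarterly review would show. The setting names, thresholds, host names and reported values are all assumptions made up for the illustration.

```python
"""Added example (not from the ebook or any product): checking hosts against a
configuration baseline and producing the kind of compliance report auditors ask
for. Baseline settings, host names and reported values are all constructed.
"""

# Constructed baseline: setting -> (rule, required value).
# "min": actual must be >= required; "max": actual must be <= required; "eq": must be equal.
BASELINE = {
    "password_min_length":   ("min", 12),
    "screen_lock_minutes":   ("max", 15),
    "antivirus_enabled":     ("eq", True),
    "users_are_local_admin": ("eq", False),
    "patch_age_days":        ("max", 30),
}

# Constructed inventory snapshot, as an endpoint agent might report it.
HOSTS = {
    "fin-ws-01": {
        "password_min_length": 14, "screen_lock_minutes": 10,
        "antivirus_enabled": True, "users_are_local_admin": False, "patch_age_days": 3,
    },
    "sales-lt-07": {
        "password_min_length": 8, "screen_lock_minutes": 60,
        "antivirus_enabled": True, "users_are_local_admin": True, "patch_age_days": 12,
    },
    "hr-ws-03": {   # the agent never reported the local-admin setting
        "password_min_length": 12, "screen_lock_minutes": 15,
        "antivirus_enabled": False, "patch_age_days": 45,
    },
}


def setting_compliant(rule: str, required, actual) -> bool:
    """Evaluate one setting. A missing value is never compliant: what is not
    reported cannot be proven to an auditor."""
    if actual is None:
        return False
    if rule == "min":
        return actual >= required
    if rule == "max":
        return actual <= required
    if rule == "eq":
        return actual == required
    raise ValueError(f"unknown rule {rule!r}")


def evaluate(hosts=HOSTS, baseline=BASELINE) -> dict:
    """Return {host: [(setting, rule, required, actual), ...]} listing each deviation."""
    findings = {}
    for host, reported in hosts.items():
        deviations = []
        for setting, (rule, required) in baseline.items():
            actual = reported.get(setting)
            if not setting_compliant(rule, required, actual):
                deviations.append((setting, rule, required, actual))
        findings[host] = deviations
    return findings


def summary(findings: dict) -> dict:
    """Roll the per-host findings up into the numbers a quarterly review would show."""
    compliant = [host for host, deviations in findings.items() if not deviations]
    return {
        "hosts": len(findings),
        "compliant_hosts": len(compliant),
        "total_findings": sum(len(deviations) for deviations in findings.values()),
    }


if __name__ == "__main__":
    results = evaluate()
    for host, deviations in results.items():
        print(host, "COMPLIANT" if not deviations else "")
        for setting, rule, required, actual in deviations:
            print(f"    {setting}: expected {rule} {required}, reported {actual}")
    print(summary(results))
```

The design choice worth noting is that a setting the agent failed to report counts as a finding rather than being skipped: a report that silently omits unknown hosts or settings is exactly the kind of “everything is working” evidence an auditor will not accept.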
If your CISO is doing a good job setting policies, the SANS policy guidance suggests that he or she will be:
- Identifying all of the assets that need to be protected
- Identifying all of the vulnerabilities and threats and the likelihood of the threats happening
- Deciding which measures will protect the assets in a cost-effective manner
- Communicating findings and results to the appropriate parties (i.e. you and the board)
- Monitoring and reviewing the process for improvement along the way

The responsibility for security oversight and policy development doesn’t rest solely on the CISO’s shoulders, either. As chief executive, you should also be guiding a program of information security governance that reaches far beyond the IT department.

What I wish my CEO knew about security…

“If I could have a CEO boot camp, I’d say, ‘Make sure you put security top of mind to all of your direct reports: your CFO, your CIO, your HR people, your sales people and so on,’” Pescatore says. “For most businesses today, the product is information and security is key. So you have to make sure that your top reports understand that security is part of their evaluation. It’s not just the CIO’s responsibility. It is part of life for every one of your direct reports.”

“Information security is not simply an IT issue. Information security is the responsibility of every employee beginning with the CEO. Awareness, detection and remediation are also everyone’s responsibility. We can invest in tools that will mitigate the risk, and tools to audit how well we are mitigating the risks, but at the end of the day, it is the individual users who most significantly impact the security of information at an organization. If we start with the idea that the management of the investment we have in information is of paramount importance, we will make decisions that ensure its security throughout all levels of the organization. In this way, the products, policies, procedures and audits you put in place will not be sidestepped, downgraded or ignored for the comfort of the end user.” Tony Hildesheim, Vice President of Information Technology, Washington State Employees Credit Union
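The CISO steps the SANS guidance lists (identify assets, estimate threats and their likelihood, choose cost-effective measures, report to the board) can be walked through numerically. The block below is an added example, not code from the ebook, SANS or Lumension: it uses the textbook single-loss and annualized-loss figures to decide which of three candidate measures pays for itself. Every asset, threat, dollar value, likelihood and control cost is a constructed assumption chosen only to make the arithmetic visible.

```python
"""Added example (not from the ebook, SANS or Lumension): a small quantitative
risk assessment that walks the CISO steps listed above: identify assets, estimate
threat likelihood and impact, pick cost-effective measures, and report the
result. Every asset, threat, dollar figure and control below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # dollars at stake if the asset were completely lost
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)

    def single_loss(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualized loss expectancy: expected loss per year before any control."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # what the measure costs per year
    rate_reduction: float   # fraction of incidents it is expected to prevent (0..1)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs; positive means cost-effective."""
    return risk.annual_loss() * control.rate_reduction - control.annual_cost


# Constructed risk register keyed by a short id.
RISKS = {
    "R1": Risk("customer database", "trojan loaded via drive-by download", 2_000_000, 0.25, 0.5),
    "R2": Risk("payroll server", "misuse by an insider with excess privilege", 500_000, 0.40, 0.2),
    "R3": Risk("marketing website", "defacement", 50_000, 0.50, 1.0),
}

# Constructed candidate measures, each addressing one risk.
CONTROLS = {
    "R1": Control("application whitelisting on endpoints", 60_000, 0.8),
    "R2": Control("quarterly privileged-access review", 15_000, 0.5),
    "R3": Control("outsourced 24x7 website monitoring", 40_000, 0.9),
}


def select_controls(risks=RISKS, controls=CONTROLS) -> dict:
    """Adopt a measure only when it avoids more loss than it costs."""
    adopt, reject = [], []
    for rid, control in controls.items():
        benefit = net_benefit(risks[rid], control)
        (adopt if benefit > 0 else reject).append((rid, control.name, round(benefit)))
    adopt.sort(key=lambda item: item[2], reverse=True)
    return {"adopt": adopt, "reject": reject}


def board_report(risks=RISKS, controls=CONTROLS) -> list:
    """Plain-language lines for the CEO and board: the 'communicating findings' step."""
    lines = [f"{rid}: {r.asset} / {r.threat}: expected loss ${r.annual_loss():,.0f} per year"
             for rid, r in risks.items()]
    decision = select_controls(risks, controls)
    lines += [f"ADOPT  {name} (net benefit ${b:,} per year)" for _, name, b in decision["adopt"]]
    lines += [f"REJECT {name} (costs more than the risk it addresses)" for _, name, _ in decision["reject"]]
    return lines


if __name__ == "__main__":
    print("\n".join(board_report()))
```

With these constructed numbers the whitelisting measure avoids far more loss than it costs and the privileged-access review barely pays for itself, while the website monitoring service is rejected because its annual cost exceeds the entire expected loss from defacement. That last line is the one a CEO should expect to see in a report: spending declined because the measure was not cost-effective, not because security was ignored.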
Conclusion: The Security Role of the CEO

Obviously, chief executives don’t play a detailed day-to-day role in information security. You probably don’t know how to administer a vulnerability scanner, nor should you. But understanding security can have such a dramatic effect on an organization’s bottom line that it is clear CEOs need to provide strong leadership on the matter.

The CEO has to be the one that constantly challenges the organization to understand its risks and needs to be constantly reviewing security progress as part of the quarterly review process. Are we right on track with initiatives? Have we suffered any incidents lately? Have our competitors? What new threats are cropping up? These are the types of questions that the CEO must ask of the CIO or CISO on a consistent basis in order to keep that company messaging relevant. It should be an ongoing, dynamic process instead of one where the CEO is simply the recipient of information.

According to many of the CISOs we speak with here at Lumension Security, the only way to get user buy-in for major infosec initiatives is by relying on support from the top of the food chain. As a CEO, you have a chance to set a culture of security that permeates into every silo, department and remote office you maintain. As our customer Bell puts it, “When it comes from the CEO, it’s a bigger deal than when it comes from the security officer. You’re going to get more penetration through your enterprise. The folks in accounting are going to go, ‘Oh! It’s the CEO!’ They don’t care about me, but they’ll listen to the CEO. There are a lot of companies with silos that are so deep these days that the security departments don’t have a lot of visibility. If you can work to get some kind of company message, it’s helpful.”

A Practical Approach to IT Security Risks
Pat Clawson discusses how organizations can implement a practical approach to identifying, prioritizing and responding to IT security risks.
Lumension Security™, Inc. 15880 N Greenway-Hayden Loop, Suite 100 Scottsdale, AZ 85260 www.lumension.com
7 Things Every CEO Should Know About Information Security is licensed under a Creative Commons Attribution 3.0 United States License.