Senior Consultant, IBM Center for Applied Insights
Growing up, there was a very specific sandwich-making rule laid down by my dad. When making peanut butter and jelly sandwiches, you had to use the peanut butter before the jelly. Was this because of some principle which determined that the resulting sandwich held together better when the ingredients were applied in this order? No. It was because he hated the cross-contamination of jelly into the peanut butter jar which was inevitable when it was on the spreading knife first. He preferred jelly-free sandwiches, you see.
This memory of a long-held rule, which still governs my actions today, came to me as I was reviewing the Center's current research into security-related topics. We're talking with Chief Information Security Officers (CISOs) about their evolution and leading practices in the enterprise. We're discussing how they successfully bring security topics into the business world. Most importantly, we're examining how business priorities impact security choices.
In the realm of mobile and BYOD, you can hardly have a conversation without discussing security. It is a key inhibitor to mobile adoption and one reason companies are looking for managed security solutions rather than simply hoping for the best. Some security leaders argue for keeping personally owned devices out of the enterprise, simply due to the risk potential. Others, accepting that mobile is here to stay, fight to make its use as secure and safe as possible. It's only going to get worse as more and more connected devices enter the enterprise (see this recent Forbes article: "The Next Big Thing In Enterprise IT: Bring Your Own Wearable Tech?").
IBM's prior CISO, and current head of Security Services, Kris Lovejoy wrote about best practices for mobile implementations last year as part of our Security Essentials series: "Enabling mobility: their device, your data". For many, doing business means being mobile. As a security leader, it becomes your job to manage the risk - not just avoid it. Caleb Barlow extended these thoughts with an article this summer, "Yes, It’s Possible to Be Confident About Mobile Security", which focuses on four key ways to mitigate the risk of adding mobile to your secure enterprise:
Risk analysis - Organizations must understand what enterprise data is on employee devices, how it could be compromised and the potential impact of the compromise (i.e., what does it cost? What happens if the device is lost? Is the data incidental or crucial to the business?).
Securing the application - In the pre-mobile, personal computer era, simply securing the device and the user were sufficient. When it comes to mobile devices, we also need to think about securing the application itself. As a typical application is downloaded from a store, the end user really has no idea who built the application, what it actually does with your data or how secure it is. Corporate applications with sensitive data need to be secure in their own right.
Secure mobile access authentication - Since mobile devices are shared, it’s important to authenticate both the user and the device before granting access, and to look at the context of the user requesting access based on factors like time, network, location, device characteristics, role, etc. If the context appears to be out of line with normal behavior, appropriate countermeasures can be taken.
Encryption - Simply put, if the data is sensitive it needs to be encrypted both while at rest and while in motion on the network.
What stops you from fully adding mobile to your security strategy? Hopefully it is more than just a distaste for jelly in your peanut butter. This October we'll have more to share on mobile adoption challenges when we release this year's follow-up to our 2012 CISO Assessment.
I've had the privilege of working with IBM's Security Systems and Services teams over the past two years looking at the evolution of security leadership and what security leaders, like the CISO, are going to need to look like in the future. We’ve also looked at leading practices in cybersecurity education and we’ve identified essential security practices for CIOs based on our experiences at IBM.
Have a strategic vision… ensure global consistency in policy… engage in lots of communication with business leaders… speak business value and understand risk… minimize the impact of security to the business… be on the bleeding edge of enterprise and consumer technology...
A set of challenges also emerged from the interviews we conducted. Although we targeted more mature security leaders, they are still struggling in three areas.
How do I best manage a broad set of concerns from a diverse set of business stakeholders? Security leaders that are engaged with the business have to deal with a number of security fears from the C-Suite. The CEO might be most worried about losing customer trust because of a breach, the CFO might worry about the financial impact of recovery, COOs might focus on the impact of operational downtime. Good security leaders are able to balance, manage and allay all of these concerns.
How do I improve mobile security policy and management – not just deploy the latest technology? It’s no surprise that mobile security is top of mind. It was identified as a top technology concern in last year’s Assessment and continues to be at the forefront. Most are enabling secure mobile deployments in their organizations, but fewer have achieved comprehensive policies or strategies for personally owned devices.
How do I translate security metrics into the language of the business to help guide strategy? Technical and business metrics need to be used for more than just budget discussions and technology prioritization, they need to be deeply integrated into the decision making process of the business. To get to that point, security metrics must be translated into things the business will understand, like financial impact.
To learn more and download the full report and other materials visit the IBM Center for Applied Insights and join us in an open discussion about the future for information security leadership.
Sometimes time and space conspire to create an opportunity that you weren’t expecting. That was the case for me last week. Near where I live, the University of Rhode Island (URI) hosted their third Cybersecurity Symposium on education and workforce development. Speakers included the entire Rhode Island Congressional delegation, the director of the U.S. Defense Intelligence Agency, the CIO for the U.S. Department of Defense and a number of industry practitioners, including IBM’s VP for Cyber Security Innovation Marisa Viveros. Marisa was the co-author of the paper that we recently published on leading practices for cybersecurity education.
The symposium was open to the public and students, had over 400 attendees, and flew at a fairly high level. There were some excellent takeaways and parallels to IBM’s recent research with respect to cybersecurity skills and education. The Congressional delegation, which included Sen. Whitehouse, Sen. Reed, Rep. Langevin and Rep. Cicilline, each emphasized different areas of the cybersecurity challenge. This included improving public awareness, the national security implications of the rapidly changing cyber threat, the difficulties with law enforcement, and the need to protect our privacy, civil rights and liberties.
Lieutenant General Flynn of the U.S. Defense Intelligence Agency (and URI alum) was a very engaging speaker and talked about the “invisible war” that is currently being waged in cyberspace. He highlighted the profound transition U.S. security is currently going through – caused by population, economic and technology shifts – which require new ways of thinking. To fight this invisible war, he said that for every person currently working in cybersecurity today, we need a staggering twenty-eight more. He also repeatedly talked about the generational issues involved in cybersecurity and that real rules and discipline have yet to emerge on the international stage. He advocated something akin to the “law of the sea”, but for the cyber domain.
The business and industry panel included speakers from Google, IBM, Dell SecureWorks, CVS and Fidelity Investments and was much more open and conversational. They all brought their perspectives – whether providing information security or managing it for their organizations. There was a lot of discussion about how to break into the field of cybersecurity, what skills to have, what courses to take, and career paths. Stephan Somogyi, from Google, talked about the need to educate everyone on digital hygiene and to focus education on the basics of computer science. He said that you have to have a passion for security; it is a calling. If you have that, you can come from any field. Jeff Shilling, from Dell, talked about the incredible need for security technicians, those with hands-on skills. He has enough security managers; what he needs are those who can do the work (he agreed with Lt. Gen. Flynn’s assessment).
A lot of the themes from the day echoed what we recommended through our research. Local and national collaboration was evident with the diversity of speakers and the support from the entire university, the Congressional delegation, the military and industry. The importance of awareness was highlighted over and over. URI is working on innovative ways to provide hands-on experience for students through a low-cost Open Cyber Challenge Platform they are developing. The need for improving non-technical cybersecurity academic programs for business and policy leaders was highlighted in a new study from the Pell Center for International Relations and Public Policy.
This was a very valuable event, and I hope that it continues on an annual basis. Even though it was to raise local awareness and promote URI and its computer science program, it could stand to have increased global participation in the next iteration – which was one of our key findings.
For a summary of our recent research check out and share the Prezi presentation below:
In a world of increasing and varying information security threats, academic initiatives focused on cybersecurity are proliferating - yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, programs must be more collaborative across their own institutions, with industry, government, and among the global academic community. Only by working in concert can we meet today’s demand while educating the next generation to create a more secure future.
There have been a lot of recent reports, blog posts and news articles discussing the cybersecurity skills gap. It has been an ongoing issue for a while, and will continue into the future. We wanted to tackle this problem, not from the demand side, but from the supply side. So, the IBM Center for Applied Insights and IBM’s Cyber Security Innovation team selected 15 academic programs in 6 different countries from the over 200 institutions we monitor and work with. We conducted interviews with faculty members, department chairs and others. This week, we released a synthesis of those interviews in our latest security insights paper, “Cybersecurity education for the next generation: Advancing a collaborative approach”.
Through our interviews it was confirmed that cybersecurity is top of mind for students, educators, industry and government. Industry and government are currently facing a significant skills gap, and this is causing the programs we interviewed to see extremely high demand for their students, both undergraduate and graduate.
But not all is rosy with the increased demand and attention. Programs are expected to provide more of everything – courses, graduates, opportunities, research – which has caused them to face a number of organizational and technology challenges. Strained programs are addressing these challenges in different ways, taking different approaches to cybersecurity education, but still sharing similar common principles.
The trends, challenges, issues and differing perspectives cannot be fully addressed by each academic program on its own; cybersecurity is a global problem and should have global solutions. A set of leading practices promoting a longer-term and more collaborative approach is needed. We identified three general areas that the leading programs we talked to excelled at, all dealing with collaboration and connection.
1. Collaborate within your own institution – Cybersecurity programs should embed security practices and principles in computer science and engineering courses and take a holistic technical approach. They should work with other disciplines and schools in the university (e.g., business, law, ethics, medicine, policy). They should offer diverse education options for students and professionals (graduate, undergraduate, professional development, etc.).
2. Co-evolve with industry and government – Academic programs should have deep ties with industry and government – partnering and collaborating on research, curriculum development, and opportunities for students. A hands-on, practical, approach is also extremely important. Laboratory work, projects, special-interest groups, and internships should all be cultivated.
3. Connect across the global academic community – A number of the programs we talked with discussed the need for building a “science of security” to anticipate security problems and a cross-discipline lingua franca among scientists, engineers and policy makers. Fundamental concepts and common vocabulary can only be developed with participation of the entire global cybersecurity community.
There are four pivotal information technologies that are rapidly reshaping how enterprises operate: mobile technology, business analytics, cloud computing, and social business. All four of these technologies are potentially disruptive, and they also come with unique security concerns. Many people fear the security implications of employees bringing their own mobile devices to work, or storing mission-critical databases in public cloud environments. Fear shouldn’t drive organizations away from these potentially transformative technologies. How are organizations overcoming their fears? How are they breaking through the “security wall”?
Recently IBM released the results of its 2012 Tech Trends Report, which looks at the adoption patterns of these four technologies. It is based on a survey of over 1,200 professionals who make technology decisions – the respondents came from 16 industries and 13 countries. As part of the analysis, three different types of organizations were identified:
Pacesetters (20%) believe emerging technologies are critical to their business success and are using them to enable new operating/business models. They’re also adopting ahead of their competition.
Followers (55%) agree that these technologies are important and can provide critical capabilities and differentiation, but they generally trail Pacesetters in adoption.
Dabblers (25%) are generally behind or, at best, on par with competitors in terms of adoption. They’re less strategic in their use of emerging technologies, mainly citing greater efficiency or new capabilities in selected areas.
One common thread across all three of the identified groups is that security is a significant area of importance and concern. In fact, 62% of respondents cite security as one of the three most important areas facing their organization over the next two years, with 27% rating it number one. One interesting aspect is that the less mature an organization is with respect to the four strategic technology areas, the more security rates as an area of importance and focus. Seventy-seven percent of the Dabblers cited security as a top-three area of importance, versus only 49% of the more mature Pacesetters. Why is that? Perhaps the Dabblers don’t fully understand, or trust, that there are security technologies, policies and practices that can ensure a more secure approach overall. Or perhaps they lack the experience the Pacesetters have.
“Security and privacy are not always treated as first-order problems. Things are deployed and made widely available without regard for security and privacy. In a best-case scenario, security and privacy are thought of as add-ons. Worst case, they’re ignored completely.”
– Dr. Eugene Spafford, Professor and Executive Director of the Center for Education and Research in Information Assurance and Security, Purdue University
Besides being an area of significant importance, security is also seen as a significant barrier to technology adoption by the survey respondents. Information security is ranked as one of the top two barriers to adoption across the four technology areas – more than integration, inadequate skills or regulation and compliance. Overall, security is the biggest barrier for a majority of respondents for mobile (61%) and cloud (56%) adoption. Security is cited less often as the top adoption barrier in social (47%) and analytics (31%). As shown by the dark blue bars in the graph below, there isn’t a huge gap between the groups (9-11%) when it comes to security concerns, but, in general, less mature Dabblers see security as more of a barrier than the more mature Pacesetters. The exception is analytics, which has the lowest adoption barrier. Perhaps Pacesetters better understand the potential risks in implementing advanced analytic systems.
Another part of the security wall blocking the full realization of the benefits of the four technologies is that organizations’ current IT security policies aren’t sufficient. The figure above generally shows correlations between viewing security as a barrier to adoption (dark blue bars) and inadequate security policies (light blue bars). The Pacesetters are more confident across the board, with a majority saying that their security policies are adequate. The “adequate policies gap” between the Pacesetters and Dabblers ranges from 13% to 32%, a fairly wide margin. This tells us that organizations that have the right security policies in place are more confident, and less likely to see security as a barrier. For the others, there is a gap between their fears and taking the steps needed to address those fears.
Another tool organizations are using to attack the security wall is skills development. A majority of the respondents know that security is an issue and are working hard to boost their confidence. Overall, 70% of organizations are planning to develop or acquire skills in “mobile security and privacy” and “cloud security” – the two technology areas where security is seen as the biggest barrier.
Security is tightly intertwined with the four technology areas discussed. You shouldn’t pursue cloud, mobile, social or analytics endeavors without also focusing on needed security technologies, skills, policies and practices. The more you focus on policies and skills, the less likely you will see security as an impediment. Treat security as a business imperative and make it a priority. Design security in from the start of any project. Doing this will increase confidence and help to tear down the walls that are slowing the adoption of important, transformative technologies.
David Jarvis, Client Insights Senior Consultant, Center for Applied Insights
It is well known that social media holds a great deal of promise for the enterprise, but many executives and others are still struggling to get over the potential security and privacy risks. So, what is the best way to make the transition to becoming a secure social enterprise?
There are a lot of potential benefits to extensively using social media within and outside of your organization. It can increase connections with clients and customers, creating deeper relationships. Internally, it can improve collaboration, productivity and flexibility, and accelerate the propagation of innovation within the enterprise. Social media even has the potential to break down hierarchies, creating a more collegial working environment.
However, all of this newfound openness and transparency can create significant struggles and security concerns. What happens if my personal and professional social media accounts get entangled? How can I encourage an open dialogue with my customers without leaking product and strategy details? How can I balance my conversations with clients – open enough to be valuable, without seeming like I am controlling it too much? What are the best ways to approach approvals and checks before posting, without sacrificing immediacy?
These worries are not unfounded. Earlier this month, LinkedIn reported that hackers breached their servers and leaked 6.5 million user passwords. Not all of them were decoded, but a number were published. In the latest IBM X-Force annual report it was noted that in 2011 there was a significant increase in phishing emails impersonating social media sites, and that attackers are using personal and professional information from social media to improve their pre-attack intelligence gathering.
We have recently published a couple of resources on using social media responsibly and securely. IBM recently launched our “Go Social. Stay Safe. Be Smart” program externally.
We also just published a new article, as part of our Security Essentials for CIOs series, on navigating the risks and rewards of social media. In the article, we outline four steps for a better enterprise approach to social media, plus some tips for employees using social media.
Define your social agenda – What do you want from social media? Who should be involved? What types of benefits do you expect?
Analyze the risks – Use a structured way to look at potential internal and external risks. Come up with standard procedures for when things go wrong.
Create and communicate your policy – Design an education program to communicate the opportunities and risks of social media, and what is expected from employees.
Monitor security and measure progress – How effective is the use of social media for the enterprise? Is it driving more business? Is it really improving collaboration?
It’s easy to say that information security leaders have it tough. The security landscape is full of conflict, confusion and uncertainty, coming from a number of different directions. Leaders have a lot to handle. If it’s not a rapidly shifting threat, it’s new technology platforms to secure including mobile, cloud and social. Almost every article I see these days is focused on the growing challenges, with titles like the “Eye of the storm”, “Into the cloud, out of the fog” and “Converging waves of pain.”
Today, the IBM Center for Applied Insights releases the results of the 2012 IBM Chief Information Security Officer Assessment. This was our first foray into examining the role of information security leaders, and how they are evolving to meet the challenging landscape. While we understand and appreciate the fact that things are difficult on the technical front, we wanted to focus on the organizational and leadership aspects of information security.
We felt that information security leadership was in the process of undergoing a transformation and wanted to test whether the role was changing based on increasing security challenges and greater attention from business leaders.
We wanted to identify best practices that could be shared across the industry – and understand if organizations were moving toward a more holistic, risk-based approach to information security.
We also wanted to know what roles collaboration, innovation and integration are playing in security organizations.
What we discovered was that only 1 in 4 security leaders have made the shift to being recognized as having strategic impact on their enterprise. Based on a self-assessment of their organizational maturity and their ability to handle a security incident, three different types of leaders emerged.
Influencers (25%) – This group sees their security organizations as progressive, ranking themselves highly in both maturity and preparedness. These security leaders have business influence and authority – a strategic voice in the enterprise.
Protectors (47%) – These security leaders recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.
Responders (28%) – This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.
We also discovered some significant differences between the groups that show how Influencers have developed their strategic voice. Compared to Responders, Influencers are:
2x more likely to have a dedicated CISO
2.5x more likely to have a security or risk committee
3x more likely to have information security as a board topic
2x more likely to use a standard set of security metrics to track their progress
4x more likely to be focused on improving enterprise-wide communication and collaboration over the next two years
2x more likely to be focused on providing education and security awareness over the next two years
This is just the beginning of our conversation around the role of information security leadership and its place within the enterprise. The full report goes into more detail on the security landscape, the different types of leaders and their characteristics, and a way forward for everyone.
In 2012 we saw significant data breaches across multiple industries and governments impacting millions of users. Will 2013 bring more of the same? Is this an uncertain future we will have to live with? Can we accept degraded privacy and security and billions of dollars in lost revenue, damage, reduction in brand value and remediation costs?
Last year, a number of major security themes were part of this uncertainty – cloud, mobile, social media, big data, compliance, advanced persistent threats, physical infrastructure security, and the changing nature of information security leadership. None of these issues are going anywhere. In fact, into 2013 and beyond these issues are only going to become more important and will become the concern of more and more enterprise leaders.
All of these disparate issues come together in a new infographic from IBM. It knits together the pressures CEOs are feeling to deliver transformation with limited resources, the changing role of information security leaders, the threat landscape and the best practices to address that landscape. It connects enterprise priorities with information security practices, achieving innovation while dealing with risk.
In 2012, the IBM Center for Applied Insights released a series of security-related pieces that focused on a number of these important issues. We looked at the changing role of the CISO and other security leaders in our 2012 CISO Assessment. We also published a series of best practices for security leaders through our eight article Security Essentials series. In 2013 we will continue to provide insights on information security.
What does IBM think the future of security will look like? IBM security experts and leaders have developed lists of ideas for 2013 and beyond. Highlights include:
Enterprise security organizations will become more independent and work with the audit committee and risk officers more.
Data scientists will increasingly analyze and correlate security data as well as unstructured business data to reduce the risk of breaches.
Threat data will be shared more readily between the government and private sector, and amongst private sector companies.
Organizations will begin monitoring the information shared on social media back channels to detect threats earlier.
Compliance will remain a strong security driver and will be weighed against the rise of a risk-based approach to security.
Because of data, identity and monitoring technologies, cloud security will go from "mystery and hype" to "secure and move-on".
Mobile devices (the device, network and applications) will be significantly more secure – more than laptops are today.
The type of data collected and inspected to detect advanced threats will increase in variety and volume.
Keeping these ideas, trends and emerging issues in mind, information security leaders must rise to the challenge of creating a future that isn’t like today. By using their best practices to connect with and support enterprise-level goals they can create a better, more secure, future.
To download a copy of the infographic below, click HERE.
Like other industries, retail has its own set of unique security challenges. Loss prevention is a significant component of that challenge. The latest National Retail Security Survey stated that in 2011, U.S. retailers lost $34.5 billion to retail theft – combining employee theft, shoplifting, paperwork errors and supplier fraud. That accounted for approximately 1.4 percent of total retail sales last year.
Today, the checkout/point of sale is the nexus for retail security. Here, the four most important flows for a retailer converge – cash, inventory, electronic payments and customer data. All sorts of different security incidents and fraud can happen at this point – self-checkout fraud, shoplifting, counterfeit coupons, employee theft and complicity in theft, and the theft of customer data through compromised equipment.
As the boundaries of retailers extend beyond the traditional brick and mortar of their stores, additional security concerns come into play. There is fraud around online ordering and home shipment, portal security issues for retailer websites, supply chain security associated with contamination, theft and low quality, and even stealing intellectual property (if retailers have their own private labels).
On top of all of this, retailers are also transforming their business with emerging technologies that all have their own unique security challenges. These include new payment technologies like mobile point-of-sale and in-aisle purchasing, e-receipts, RFID and near-field communications, video and social analytics, mobility and multi-channel access and social networking.
All of these are increasing the number of contact points between the customer and the retailer – pushing out the security boundary further and further. Retailers are struggling to create a better, deeper customer experience and, at the same time, mitigate the potential risks to the organization.
The threat landscape and new technologies are creating a need for an integrated security environment. Are retailers up to the task? Are they approaching physical and information security in new, united ways? Is loss prevention being included in more and more technology conversations? Are retailers moving away from being purely reactive?
We gained a bit of insight into this as part of the IBM 2012 CISO Assessment. There were eleven retail respondents from four different countries (France, Germany, Japan and the U.S.). Their answers, compared to the overall statistics from the survey, shed some light on the issues:
Retailers realize that information security needs more attention – 8 of 11 see increased leadership attention from two years ago, and 9 of 11 expect increased budgets over the next two years.
They are making progress – all of the retail respondents indicated a slight (7 of 11) or a dramatic (4 of 11) improvement in their information security position from two years ago.
However, they currently don’t have the information security organizational structure to address the changing landscape – only 2 of 11 have a CISO, 2 of 11 have a budget line item, 4 of the 11 have a security or risk committee and 5 of 11 use a standard set of metrics.
Internal threats and mobility are top concerns – 6 of 11 respondents indicated mobility as their top technology concern. Internal threats were ranked the highest overall security threat with 5 of 11 ranking it #1.
Retailers will be focused on employee education and using managed services to improve their security situation over the next two years.
Another statistic that highlights the fact that retailers know the importance of information security but are struggling to address the changing technology environment comes from IBM’s Global Workforce Study. Overall, 49% of respondents stated that they have “completely addressed” their mobile security concern. For retail it was only 22%. However, 73% of retail respondents expect to make significant investments in their mobile environment in the next 1-2 years, signaling they know it is an issue.
Retailers are not only responsible for protecting their own information, but they are under considerable regulatory pressure to make sure they protect customer information as well. They are faced with a diverse array of threats and technologies that are creating new potential vulnerabilities. They need to have the right security organization and capabilities, ones that unite information and physical security, risk, loss prevention and others into a holistic approach. Retailers realize this, but they still have a way to go before they’ll be confident in their capabilities.
Feel free to contribute to the conversation. Are these the right security challenges for retailers? Will it take more than just technology to address them? How do you think they are addressing this important issue today? Do retailers have a harder go at it than other industries because of the nature of their business? Let us know what you think.
Some things are bad to do by committee (creating a work of art, cooking dinner, closing a baseball game), and sometimes committees are a necessity. Security and risk committees are an essential part of any enterprise’s security and risk management infrastructure. They are a sign of a mature organization. By promoting collaboration across the enterprise and making security and the associated risk discussions an integral part of senior leadership’s responsibilities, the enterprise can be better protected. Yet, even though the benefits are clear, not enough enterprises have one.
A study released last week by the Carnegie Mellon CyLab, looking at privacy and security governance in the Forbes Global 2000, reported that boards and senior leadership still are not exercising appropriate governance over the privacy and security of their digital assets. The study stated that there is still a significant gap in understanding around the fact that security, privacy and IT risk are all a part of enterprise risk management.
The study did note one encouraging sign – that more and more enterprises have cross-functional privacy/security committees – 70% of 2012 respondents versus 17% in 2008. These committees can act as a bridge to boards and senior leadership and elevate the discussion around security and risk, potentially closing the governance gap.
These findings line up very nicely with what we recently uncovered as part of our 2012 CISO Assessment. Overall, only 49% of the total sample reported that they had a security or risk committee. When we delved deeper, 68% of the most mature group of organizations, Influencers, had a security/risk committee. In comparison, only 26% of the least confident and mature group, Responders, had one.
Interestingly, regardless of the organization’s overall security maturity level, the committees that did exist shared similar characteristics. In general, leaders of the committees tended to be Senior IT Executives (28%), CISOs (24%) or Senior Business Executives (22%). These committees met on a fairly regular basis, with 48% meeting quarterly and 27% meeting monthly.
The security and risk committees also took a comprehensive, enterprise-wide approach with both business and IT representation. From the business side, the most represented functions included Compliance (80%), Legal (65%), Business Executives (64%), Business Operations (64%), and Finance (59%). From the IT side, IT Executives (91%), IT Operations (72%), Network Operations (60%), and Data Governance (51%) were all a part of a majority of the committees.
Finally, as part of the CISO Assessment we looked at the primary objectives of the security/risk committees. Looking at the chart below we can see that, based on their top two choices, most committees were primarily focused on developing enterprise security strategy and developing action plans and recommendations. So should committees only be focused on strategic policy and governance issues? Is there more they could be doing?
At IBM, our risk management team meets quarterly with a top advisory committee, including senior vice presidents of all the business units, who report directly to the CEO. These include the leaders of many functional areas including finance, marketing, technology and others. Each of these executives must understand the security risks to his or her unit and what controls are in place. Together, they shape and decide strategy. Security, after all, is intimately tied not only to their units, but to the future of the enterprise.
Based on all this information, I think that enterprises are using security and risk committees more and more and they are adopting best practices around the leaders, members, operations, and goals of those committees. To make the next step:
Make sure your committee has both technical and business leadership representation and make sure it is connected to the highest levels of the enterprise and the board. The committee can be the gateway between the enterprise and the board with respect to information risk management.
Ensure your committee is broad and diverse. Compliance, legal, finance and IT operations representation is expected. Reach further, make sure business unit leaders are involved so new products and services are created in a secure fashion. Include human resources to help with employee education initiatives.
Set up a way to measure the progress of the committee. Using targeted metrics can help focus not only the committee, but the entire security organization for the enterprise. It will provide something to work towards and make it easier to communicate with the board.
According to the 2012 Cloud Computing Survey released this month by IDG, the number one barrier to implementing cloud strategies is security. A full 70% of respondents reported being significantly worried about it. More than service interruptions and other factors – unauthorized users getting access to data strikes fear into the heart of potential cloud adopters.
However, because of their flexibility, potential cost savings and ease of use, the allure of cloud computing is undeniable. So, what to do? How can we have cloud computing platforms that inspire confidence instead of instill fear?
It all starts with education. Everyone developing a cloud-delivered service becomes, de facto, an IT architect. Users must understand the risks and responsibilities in operating on a cloud, and follow a set of best practices that they respect and incorporate into their daily routines.
Second, we have to think in a different context – it needs to be more about securing information, rather than the security of physical devices and locations. If the information is secure by its nature, it doesn’t matter where it is, or what device it is on. The data has to be encrypted and available only to those who need access to it. Putting the onus on the data owner instead of the cloud provider is a good idea. Ponemon and CA released the results of a survey in May 2011 which showed that cloud providers didn’t make security their number one concern. The majority of cloud providers believed it was their customer’s responsibility to secure the cloud, not theirs.
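What "securing the information rather than the location" looks like in practice is that the data owner encrypts and authenticates each object before it leaves its hands, so the provider only ever stores opaque bytes. The following is an added illustration written for this page, not IBM's code or anything from the surveys cited here. It uses Go's standard-library AES-GCM; the names Blob, Seal, Open and FlipByte and the sample record are hypothetical, and how the owner stores and rotates the key is assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is what the provider stores and hands back: the object name, the
// nonce and the AES-GCM ciphertext with its authentication tag appended.
// The key never leaves the data owner.
type Blob struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

// NewOwnerKey generates a random 256-bit key that stays on the owner's side
// of the boundary (key management is assumed, not shown here).
func NewOwnerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an object before upload. The object name is bound as
// additional authenticated data, so whoever controls the storage cannot
// silently serve the blob back under a different name.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob fetched back from the provider. A modified
// ciphertext, nonce or name, or a different key, fails authentication.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed blob: bad nonce length")
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
}

// FlipByte returns a copy of b with one ciphertext byte changed, standing in
// for a modification made on the provider's side.
func FlipByte(b Blob) Blob {
	ct := append([]byte(nil), b.Ciphertext...)
	ct[0] ^= 0x01
	return Blob{Name: b.Name, Nonce: b.Nonce, Ciphertext: ct}
}

func main() {
	key, _ := NewOwnerKey()
	// Constructed sample record for the example; not real customer data.
	record := []byte(`{"customer":4711,"card_last4":"1234"}`)
	blob, _ := Seal(key, "orders/2012/4711.json", record)
	fmt.Printf("provider stores %d opaque bytes for %s\n", len(blob.Ciphertext), blob.Name)
	if pt, err := Open(key, blob); err == nil {
		fmt.Printf("owner reads back: %s\n", pt)
	}
	if _, err := Open(key, FlipByte(blob)); err != nil {
		fmt.Println("modified blob rejected:", err)
	}
	relabelled := blob
	relabelled.Name = "orders/2012/9999.json"
	if _, err := Open(key, relabelled); err != nil {
		fmt.Println("relabelled blob rejected:", err)
	}
}
```

The point the passage makes, that the data's location stops mattering, holds only for confidentiality and integrity: the provider cannot read or quietly alter what it holds, and it cannot swap one customer's object for another's because the name is authenticated along with the content. It does not cover availability, and it moves the critical dependency from the provider's controls to the owner's key management, which is exactly the responsibility the Ponemon/CA survey found providers expect customers to carry.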
Finally, this leads us to the importance of knowing and trusting the cloud vendor and the country the hosting data center operates in. Depending on the location of the data center, there are possible data rights issues and disruptions caused by political unrest, infrastructure issues or natural disaster. In the end, you’re investing not only in the cloud provider, but in a country as well.
The IBM Center for Applied Insights has been working with IBM’s VP of IT Risk to develop a series of eight articles on Security Essentials for CIOs, based on IBM's own experiences. The latest, the third in the series, is about what it takes for an enterprise to develop a secure cloud computing strategy.