Impact of Security Issues on Doing Business in 2011 And Beyond
Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face cyber threats. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference, held in San Diego in the week of February 7, 2011. We've assembled a panel to examine the business risk around cyber security threats. Looking back over the past few years, it seems like threats are only getting worse. We've had the Stuxnet worm, the WikiLeaks affair, China-originating attacks against Google and others, and the recent Egypt Internet blackout. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

But are cyber security dangers, in fact, getting much worse, or is it rather that perceptions are at odds with what is really important in terms of security? In any event, how can businesses best protect themselves from the next round of risks, especially as cloud, mobile, and social media activities increase? How can architecting for security become effective and pervasive? We'll pose these and other serious questions to our panel to deeply examine the cyber business risks and ways to head them off.

Please join me now in welcoming our panel. We're here with Jim Hietala, the Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Hi, Dana. Good to be with you.

Gardner: And we're here with Mary Ann Mezzapelle, Chief Technologist in the CTO's Office at HP. Welcome.

Mary Ann Mezzapelle: Thank you, Dana.

Gardner: We're also here with Jim Stikeleather, Chief Innovation Officer at Dell Services. Welcome, Jim.

Jim Stikeleather: Thank you, Dana. Glad to be here.
Gardner: As I mentioned, there have been a lot of things in the news about security. I'm wondering, what are the real risks that are worth being worried about? What should you be staying up late at night thinking about, Jim?

Stikeleather: Pretty much everything, at this time. One of the things that you're seeing is a combination of factors. When people are talking about the break-ins, you're seeing more people actually having discussions of what's happened and what's not happening. You're seeing a new variety of the types of break-ins, the types of exposures that people are experiencing. You're also seeing more organization and sophistication on the part of the people who are actually breaking in. The other piece of the puzzle has been that legal and regulatory bodies step in and say, "You are now responsible for it." Therefore, people are paying a lot more attention to it. So, it's a combination of all these factors that are keeping people up right now.

Gardner: Is it correct, Mary Ann, to say that it's not just a risk for certain applications or certain aspects of technology, but it's really a business-level risk?

Key component

Mezzapelle: That's one of the key components that we like to emphasize. It's about empowering the business, and each business is going to be different. If you're talking about a Department of Defense (DoD) military implementation, that's going to be different than a manufacturing concern. So it's important that you balance the risk, the cost, and the usability to make sure it empowers the business.

Gardner: How about complexity, Jim Hietala? Is that sort of an underlying current here? We now think about the myriad mobile devices, moving applications to a new tier, native apps for different platforms, more social interactions that are encouraging collaboration. This is good, but it just creates more things for IT and security people to be aware of. So how about complexity? Is that really part of our main issue?

Hietala: It's a big part of the challenge, with changes like you have mentioned on the client side, with mobile devices gaining more power, more ability to access information and store information, and cloud. On the other side, we've got a lot more complexity in the IT environment, and much bigger challenges for the folks who are tasked with securing things.

Gardner: Just to get a sense of how bad things are, Jim Stikeleather, on a scale of 1 to 10 -- with 1 being you're safe and sound and you can sleep well, and 10 being all the walls of your business are crumbling and you're losing everything -- where are we?

Stikeleather: Basically, it depends on who you are and where you are in the process. A major issue in cyber security right now is that we've never been able to construct an intelligent return on investment (ROI) for cyber security.
There are two parts to that. One, we've never been truly able to gauge how big the risk really is. So, for one person it may be a 2, and for most people it's probably a 5 or a 6. Some people may be sitting there at a 10. But you need to be able to gauge the magnitude of the risk. And we never have done a good job of saying what exactly the exposure is, or if the actual event took place. It's the calculation of those two that tells you how much you should be able to invest in order to protect yourself.

So, I'm not really sure it's a sense of exposure that people have, as people don't have a sense of risk management -- where am I in this continuum and how much should I actually invest to protect myself from that?

We're starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009, for the first time, regulatory bodies and legislatures have put criminal penalties on companies who have exposures and break-ins associated with them.

So we're no longer talking about ROI. We're starting to talk about risk of incarceration, and that changes the game a little bit. You're beginning to see more and more companies do more in the security space -- for example, having a Sarbanes-Oxley event notification take place.

The answer to the question is that it really depends, and you almost can't tell, as you look at each individual situation.

Gardner: Mary Ann, it seems like assessment then becomes super-important. In order to assess your situation, you can start to then plan for how to ameliorate it and/or create a strategy to improve, and particularly be ready for the unknown unknowns that are perhaps coming down the pike. When it comes to assessment, what would you recommend for your clients?

Comprehensive view

Mezzapelle: First of all, we need to make sure that they have a comprehensive view. In some cases, it might be a portfolio approach, which is unique to most people in a security area. Some of my enterprise customers have more than 150 different security products that they're trying to integrate. Their issue is around complexity, integration, and just knowing their environment -- what levels they are at, what they are protecting and not, and how does that tie to the business? Are you protecting the most important asset? Is it your intellectual property (IP)? Is it your secret sauce recipe? Is it your financial data? Is it your transactions being available 24/7?

And, to Jim's point, that makes a difference depending on what organization you're in. It takes some discipline to go back to that InfoSec framework and make sure that you have that foundation in place, to make sure you're putting your investments in the right way.
Stikeleather: One other piece of it is that it requires an increased amount of business knowledge on the part of the IT group and the security group to be able to make the assessment of where is my IP, which is my most valuable data, and what do I put the emphasis on.

One of the things that people get confused about is, depending upon which analyst report you read, most data is lost by insiders, most data is lost from external hacking, or most data is lost through email. It really depends. Most IP is lost through email and social media activities. Most data, based upon a recent Verizon study, is being lost by external break-ins.

We've kind of always had the one-size-fits-all mindset about security. When you move from just "I'm doing security" to "I'm doing risk mitigation and risk management," then you have to start doing portfolio and investment analysis in making those kinds of trade-offs.

That's one of the reasons we have so much complexity in the environment, because every time something happens, we go out, we buy any tool to protect against that one thing, as opposed to trying to say, "Here are my staggered differences and here's how I'm going to protect what is important to me and accept the fact nothing is perfect and some things I'm going to lose."

Gardner: Perhaps a part of having an assessment of where you are is to look at how things have changed. Jim Hietala, thinking about where we were three or four years ago, what is fundamentally different about how people are approaching security and/or the threats that they are facing from just a few years ago?

Hietala: One of the big things that's changed that I've observed is, if you go back a number of years, the sorts of cyber threats that were out there were curious teenagers and things like that. Today, you've got profit-motivated individuals who have perpetrated distributed denial of service attacks to extort money. Now, they've gotten more sophisticated and are dropping Trojan horses on CFOs' machines and they try to exfiltrate passwords and log-ins to the bank accounts. We had a case that popped up in our newspaper in Colorado, where a mortgage company, a title company, lost a million dollars' worth of mortgage money that was loans in the process of funding. All of a sudden, five homeowners are faced with paying two mortgages, because there was no insurance against that.

When you read through the details of what happened, it was clearly a Trojan horse that had been put on this company's system. Somebody was able to walk off with a million dollars' worth of these people's money.

State-sponsored acts

So you've got profit-motivated individuals on the one side, and you've also got some things happening from another part of the world that look like they're state-sponsored, grabbing corporate IP and defense industry and government sites. So, the motivation of the attackers has fundamentally changed and the threat really seems pretty pervasive at this point.
Gardner: Pervasive threat. Is that how you see it, Jim Stikeleather?

Stikeleather: I agree. The threat is pervasive. The only secure computer in the world right now is the one that's turned off in a closet, and that's the nature of it. You have to make decisions about what you're putting on and where you're putting it on. A big concern is that if we don't get better with security, we run the risk of people losing trust in the Internet and trust in the web.

When that happens, we're going to see some really significant global economic concerns. If you think about our economy, it's structured around the way the Internet operates today. If people lose trust in the transactions that are flying across it, then we're all going to be in a pretty bad world of hurt.

Gardner: All right, well, I am duly scared. Let's think about what we can start doing about this. How should organizations rethink security? And is that perhaps the way to do this, Mary Ann? If you say, "Things have changed. I have to change, not only in how we do things tactically, but really at that high-level strategic level," how do you rethink security properly now?

Mezzapelle: It comes back to one of the bottom lines about empowering the business. Jim talked about having that balance. It means that not only do the IT people need to know more about the business, but the business needs to start taking ownership for the security of their own assets, because they are the ones that are going to have to belay the loss, whether it's data, financial, or whatever.

They need to really understand what that means, but we as IT professionals need to be able to explain what that means, because it's not common sense. We need to connect the dots and we need to have metrics. We need to look at it from an overall threat point of view, and it will be different based on what company you're about.

You need to have your own threat model, who you think the major actors would be, and how you prioritize your money, because it's an unending bucket that you can pour money into. You need to prioritize.

Gardner: How would this align with your other technology and business innovation activities? If you're perhaps transforming your business, if you're taking more of a focus at the process level, if you're engaged with enterprise architecture and business architecture, is security a sideline, is it central, does it come first? How do you organize what's already fairly complex in security with these other larger initiatives?

Mezzapelle: The way that we've done that is we've had a multi-pronged approach. We communicate with and educate the software developers, so that they start taking ownership for security in their software products, and we make sure that that gets integrated into every part of the portfolio.
The other part is to have that reference architecture, so that there are common services that are available to the other services as they are being delivered, and that we can, not control it, but at least manage it from a central place.

You were asking about how to pay for it. It's like Transformation 101. Most organizations spend about 80 percent of their spend on operations. And so they really need to look at their operational spend and reduce that cost to be able to fund the innovation part.

Getting benchmarks

It may not be in security. You may not be spending enough in security. There are several organizations that will give you some kind of benchmark about what other organizations in your particular industry are spending, whether it's 2 percent on the low end for manufacturing up to 10-12 percent for financial institutions.

That can give you a guideline as to where you should start trying to move to. Sometimes, if you can use automation within your other IT service environment, for example, that might free up the cost to fuel that innovation.

Stikeleather: Mary Ann makes a really good point. The starting point is really architecture. We're actually at a tipping point in the security space, and it comes from what's taking place in the legal and regulatory environments, with more and more laws being applied to privacy, IP, jurisdictional data location, and a whole series of things that the regulators and the lawyers are putting on us.

One of the things I ask people, when we talk to them, is what is the one application everybody in the world, every company in the world, has outsourced. They think about it for a minute, and they all go, payroll. Nobody does their own payroll any more. Even the largest companies don't do their own payroll. It's not because it's difficult to run payroll. It's because you can't afford all of the lawyers and accountants necessary to keep up with all of the jurisdictional rules and regulations for every place that you operate in.

Data itself is beginning to fall under those types of constraints. In a lot of cases, it's medical data. For example, Massachusetts just passed a major privacy law. PCI is being extended to anybody who takes credit cards.

The security issue is now also a data governance and compliance issue as well. So, because all these adjacencies are coming together, it's a good opportunity to sit down and architect with a risk management framework. How am I going to deal with all of this information?

Plus, you have additional funding capabilities now, because of compliance violations you can actually identify what the ROI is for avoiding that. The real key to me is people stepping back and saying, "What is my business architecture? What is my risk profile associated with it? What's the value associated with that information? Now, engineer my systems to follow that."
Mezzapelle: You need to be careful that you don't equate compliance with security. There are a lot of organizations that are good at compliance checking, but that doesn't mean that they are really protecting against their most vulnerable areas, or what might be the largest threat. That's just a letter of caution -- you need to make sure that you are protecting the right assets.

Gardner: It's a cliché, but people, process, and technology are also very important here. It seems to me that governance would be an overriding feature of bringing those into some alignment. Jim Hietala, how should organizations approach these issues with a governance mindset? That is to say, following procedures, forcing those procedures, looking at and reviewing them, and then putting into place the means by which security becomes, in fact, part and parcel with doing business?

Risk management

Hietala: I guess I'd go back to the risk management issue. That's something that I think organizations frequently miss. There tends to be a lot of tactical security spending based upon the latest widget, the latest perceived threat -- buy something, implement it, and solve the problem.

Taking a step back from that and really understanding what the risks are to your business, what the impacts of bad things happening really are, is doing a proper risk analysis. Risk assessment is what ought to drive decision-making around security. That's a fundamental thing that gets lost a lot in organizations that are trying to grapple with the security problems.

Gardner: Jim Stikeleather, any thoughts about governance as an important aspect to this?

Stikeleather: Governance is a critical aspect. The other piece of it is education. There's an interesting fiction in both law and finance. The fiction of the reasonable, rational, prudent man. If you've done everything a reasonable, rational, and prudent person has done, then you are not culpable for whatever the event was.

I don't think we've done a good job of educating our users, the business, and even some of the technologists on what the threats are, and what are reasonable, rational, and prudent things to do.

One of my favorite things is the companies that make you change your password every month and you can't repeat a password for 16 or 24 times. The end result is that you get this little thing stuck on the notebook telling them exactly what the password is.

So, it's governance, but it's also education on top of governance. We teach our kids not to cross the street in the middle of the road and don't talk to strangers. Well, we haven't quite created that same thing for cyberspace. Governance plus education may even be more important than the technological solutions.

Gardner: One sort of push-back on that is that the rate of change is so rapid and the nature of the risks can be so dynamic, how does one educate? How do you keep up with that?
Stikeleather: I don't think that it's necessary. The technical details of the risks are changing rapidly, but the nature of the risks themselves, the higher level of the taxonomy, is not changing all that much.

If you just introduce safe practices, so to speak, then you're protected up until someone comes up with a totally new way of doing things, and there really hasn't been a lot of that. Everything has been about knowing that you don't put certain data on the system, or if you do, this data is always encrypted. At the deep technical details, yes, things change rapidly. At the level with which a person would exercise caution, I don't think any of that has changed in the last ten years.

Gardner: We've now entered into the realm of behaviors, and it strikes me also that it's quite important and across the board. There are behaviors at different levels of the organization. Some of them can be good for ameliorating risk and others would be very bad and prolonged. How do you incentivize people? How do you get them to change their behavior when it comes to security, Mary Ann?

Mezzapelle: The key is to make it personalized to them or their job, and part of that is the education, as Jim talked about. You also show them how it becomes a part of their job.

Experts don't know

I have a little bit different view, that it is so complex that even security professionals don't always know what the reasonable right thing to do is. So, I think it's very unreasonable for us to expect that of our business users, or consumers, or as I like to say, my mom. I use her as a use case quite a lot of times about what would she do, how would she react, and would she recognize when she clicked on, "Yes, I want to download that antivirus program," which just happened to be a virus program.

Part of it is the awareness, so that you keep it in front of them, but you also have to make it a part of their job, so they can see that it's a part of the culture. I also think it's a responsibility of the leadership to not just talk about security, but make it evident in their planning, in their discussions, and in their viewpoints, so that it's not just something that they talk about but ignore operationally.

Gardner: One other area I want to touch on is the notion of cloud computing, doing more outsourced services, finding a variety of different models that extend beyond your enterprise facilities and resources.

There's quite a bit of back and forth about, is cloud better for security or worse for security? Can I impose more of these automation and behavioral benefits if I have a cloud provider or a single throat to choke, or is this something that opens up? I've got a sneaking suspicion I am going to hear "It depends" here, Jim Stikeleather, but I am going to go with you anyway. Cloud: I can't live with it, can't live without it. How does it work?
Stikeleather: You're right, it depends. I can argue both sides of the equation. On one side, I've argued that cloud can be much more secure. If you think about it, and I will pick on Google, Google can expend a lot more on security than any other company in the world, probably more than the federal government will spend on security. The amount of investment does not necessarily tie to a quality of investment, but one would hope that they will have a more secure environment than a regular company will have.

On the flip side, there are more tantalizing targets. Therefore they're going to draw more sophisticated attacks. I've also argued that you have a statistical probability of break-in. If somebody is trying to break into Google, and you're on Google running Google Apps or something like that, the probability of them getting your specific information is much less than if they attack XYZ enterprise. If they break in there, they are going to get your stuff.

Recently I was meeting with a lot of NASA CIOs and they think that the cloud is actually probably a little bit more secure than what they can do individually. On the other side of the coin, it depends on the vendor. I've always admired astronauts, because they're sitting on top of this explosive device built by the lowest-cost provider. I've always thought that took more bravery than anybody could think of. So the other piece of that puzzle is how much is the cloud provider actually providing in terms of security.

You have to do your due diligence, like with everything else in the world. I believe, as we move forward, cloud is going to give us an opportunity to reinvent how we do security.

I've often argued that a lot of what we are doing in security today is fighting the last war, as opposed to fighting the current war. Cloud is going to introduce some new techniques and new capabilities. You'll see more systemic approaches, because somebody like Google can't afford to put in 150 different types of security. They will put in one more integrated. They will put in, to Mary Ann's point, the control panels and everything that we haven't seen before.

So, you'll see better security there. However, in the interim, a lot of the software-as-a-service (SaaS) providers, some of the simpler platform-as-a-service (PaaS) providers, haven't made that kind of investment. You're probably not as secure in those environments.

Gardner: Mary Ann, do you also see cloud as a catalyst to better security, either from technology, process, or implementation?

Lowers the barrier

Mezzapelle: For the small and medium size business, it offers the opportunity to be more secure, because they don't necessarily have the maturity of processes and tools to be able to address those kinds of things. So, it lowers that barrier to entry for being secure.

For enterprise customers, cloud solutions need to develop and mature more. They may want to do a hybrid solution right now, where they have more control and the ability to audit and to
have more influence over things in specialized contracts, which are not usually the business model for cloud providers.

I would disagree with Jim in some aspects. Just because there is a large provider on the Internet that's creating a cloud service, security may not have been the key guiding principle in developing a low-cost or free product. So, size doesn't always mean secure.

You have to know about it, and that's where the sophistication of the business user comes in, because cloud is being bought by the business user, not by the IT people. That's another component that we need to make sure gets incorporated into the thinking.

Stikeleather: I am going to reinforce what Mary Ann said. What's going on in cloud space is almost a recreation of the late '70s and early '80s when PCs came into organizations. It's the businesspeople that are acquiring the cloud services, and again it reinforces the concept of governance and education. They need to know what it is that they're buying.

I absolutely agree with Mary. I didn't mean to imply size means more security, but I do think that the expectation, especially for small and medium size businesses, is they will get a more secure environment than they can produce for themselves.

Gardner: Jim Hietala, we're hearing a lot about frameworks, and governance, and automation, perhaps even labeling individuals with responsibility for security, and we are dealing with some changeable dynamics that move to cloud and issues around cyber security in general, threats from all over. What is The Open Group doing? It sounds like a huge opportunity for you to bring some clarity and structure to how this is approached from a professional perspective, as well as a process and framework perspective.

Hietala: It is a big opportunity. There are a number of different groups within The Open Group doing work in various areas. The Jericho Forum is tackling identity issues as they relate to cloud computing. There will be some new work coming out of them over the next few months that lays out some of the tough issues there and presents some approaches to those problems.

We also have the Trusted Technology Forum (TTF) and the Trusted Technology Provider Framework (TTPF) that are being announced here at this conference. They're looking at supply chain issues related to IT hardware and software products at the vendor level. It's very much an industry-driven initiative and will benefit government buyers, as well as large enterprises, in terms of providing some assurance that the products they're procuring are secure and good commercial products.

Also in the Security Forum, we have a lot of work going on in security architecture and information security management. There are a number of projects that are aimed at practitioners, providing them the guidance they need to do a better job of securing, whether it's a traditional enterprise IT environment, cloud, and so forth. Our Cloud Computing Work Group is doing work on a cloud security reference architecture. So, there are a number of different security activities going on in The Open Group related to all this.
Gardner: What have you seen in the field in terms of the development of what we could call a security professional? We've seen Chief Security Officer, but is there a certification aspect to identifying people as being qualified to step in and take on some of these issues?

Certification programs

Hietala: There are a number of certification programs for security professionals that exist out there. There was legislation, I think last year, that was proposed that was going to put some requirements at the federal level around certification of individuals. But the industry is fairly well-served by the existing certifications that are out there. You've got CISSP, you've got a number of certifications from SANS and GIAC that get fairly specialized, and there are lots of opportunities today for people to go out and get certifications, improving their expertise in a given topic.

Gardner: My last question will go to you on this same issue of certification. If you're on the business side and you recognize these risks and you want to bring in the right personnel, what would you look for? Is there a higher level of certification or experience? How do you know when you've got a strategic thinker on security, Mary Ann?

Mezzapelle: The background that Jim talked about, CISSP, CSSLP from (ISC)2; there is also the CISM, or Certified Information Security Manager, that's from an audit point of view, but I don't think there's a certification that's going to tell you that they're a strategic thinker. I started out as a technologist, but it's that translation to the business and it's that strategic planning, but applying it to a particular area and really bringing it back to the fundamentals.

Gardner: Does this become then part of enterprise architecture (EA)?

Mezzapelle: It is a part of EA, and, as Jim talked about, we've done some work in The Open Group with the Information Security Management model that extends some of the other business frameworks, like ITIL, into the security space to have a little more specificity there.

Gardner: Last word to you, Jim Stikeleather, on this issue of how do you get the right people in the job, and is this something that should be part and parcel with the enterprise or business architect?

Stikeleather: I absolutely agree with what Mary Ann said. It's like a CPA. You can get a CPA and they know certain things, but that doesn't guarantee that you've got a businessperson. That's where we are with security certifications as well. They give you a comfort level that the fundamental knowledge of the issues and the techniques and stuff are there, but you still need someone who has experience.

At the end of the day, it's the incorporation of everything into EA, because you can't bolt on security. It just doesn't work. That's the situation we're in now. You have to think in terms of the framework of the information that the company is going to use, how it's going to use it, the value that's associated with it, and that's the definition of EA.
Gardner: Well, great. We have been discussing the business risk around cyber security threats and how to perhaps position yourself to do a better job and anticipate some of the changes in the field. I'd like to thank our panelists. We have been joined by Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: Mary Ann Mezzapelle, Chief Technologist in the Office of the CTO for HP. Thank you.

Mezzapelle: Thanks, Dana.

Gardner: And lastly, Jim Stikeleather, Chief Innovation Officer at Dell Services. Thank you.

Stikeleather: Thank you, Dana.

Gardner: This is Dana Gardner. You've been listening to a sponsored BriefingsDirect podcast in conjunction with The Open Group Conference here in San Diego, the week of February 7th, 2011. I want to thank all for joining, and come back next time.