Meraj Ahmad - Information security in a borderless world
Information security in a borderless world<br />Time for a re-think: Transform your security programto improve business performance<br />The 3rd Kuwait Information Security Conference<br />25 - 26 May 2011<br />
Meraj Ahmed<br />Partner, Advisory Services Kuwait<br />Technology Sector Leader, Ernst & Young – Middle East & North Africa<br />Meraj is a partner in Ernst & Young MENA and leads the Technology Sector for this region. <br />He has extensive international experience in IT governance and strategy, technology management and enablement, and IT risk and security, gained during more than 25 years of advisory services experience, of which 15 have been in regional leadership roles,. He has worked widely within the public/government, financial and telecom sectors.<br />Meraj earned his MBA from the Wharton Business School, University of Pennsylvania, and has been a speaker at numerous international and regional seminars and conferences.<br />
Introduction<br />Over the last year, we have witnessed a significant increase in the use of external service providers and the business adoption of new technologies such as cloud computing, social networking and Web 2.0. <br />We have also seen technology advances that have provided an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. Together, these changes are extending the enterprise, blurring the lines between home and office, co-worker and competitor and removing the traditional enterprise boundaries. <br />It is within this changing business environment that our 2010 Global Information Security Survey specifically examines how organizations are adapting and addressing their information security needs. <br />
Insights on information security<br />60% of organizations see increased risk from using social networking,cloud computing and personal mobile devices at work.<br />While only 52% of organizations indicate data leakage is a top “new”increased risk.<br />87% of organizations believe the damage to reputation and brand is themost significant issue related to data loss.<br />Yet, only 10% of respondents indicated that examining new and emergingtrends is a very important activity for the information security function.<br />However, 61% are not making policy adjustments or increasing securityawareness to address these new threats.<br />Source – Ernst & Young’s 2010 Global Information Security Survey<br />
Borderless securityNew technology means new risk<br />Given current trends toward the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization? <br />60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise.<br />Shown: percentage of participants<br />
Mobile computingOrganizations are recognizing the increased risks associated with mobile computing and are taking steps to address the issues<br />Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities? <br />50% of respondents plan on spending more over the next year on data leakage/data loss prevention technologies and processes.<br />Shown: Percentage of participants<br />
Cloud computingRisks associated with cloud computing are not going undetected and must be addressed before business applications are moved to a public cloud <br />Which of the following “new” or increased risks have you identified?<br />39% of respondentscited the loss of visibility of what happens to company data as an increasing risk when using cloud-based solutions.<br />Note: Multiple responses permitted <br />Shown: Percentage of participants<br />
Social mediaFew companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure <br />How important is information security in supporting the followingactivities in your organization? <br />Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity forthe information security function to perform.<br />Shown: Percentage of participants<br />
Our perspective<br />Borderless security<br /><ul><li>Establish a comprehensive IT risk management program that identifies and addresses the risks associated with new and emerging technologies.
Undertake a risk assessment exercise to identify potential exposure and put in place appropriate risk-based responses.
Take an “information-centric” view of security, which is better aligned with the organization’s business and information flows.
Increase the investment in data leakage prevention technologies, encryption and identity and access management solutions — focusing on the people who use the technology.
Gain an understanding of the risks created by the use of new technologies — including technologies adopted personally by employees that may be used for business purposes.
Information security policies should be reviewed and adjusted appropriately to establish the acceptable use and any specific restrictions related to mobile computing devices.
Increase security awareness training activities for the mobile workforce.
Push enterprise security out to end-point devices to protect critical business information and provide better alignment with the organization’s risk profile.
Assess the legal, organizational and technological risks as well as the security issues related to placing information into the public cloud.
Develop a company strategy, a governance model and an operational approach to cloud computing use, including the information security function to help define policies and guidelines.
Set standards and minimum requirements to enable your organization to adopt cloud computing in as secure a manner as possible.
Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information.
Raise security awareness and personal responsibility to levels that have not been achieved before.
Inform every member of the organization on the risks and issues related to social media.</li></ul>Mobile computing<br />Cloud computing<br />Social <br />media<br />
Begin a process to transform your security program<br />Scan internal and external environment<br />Define goals and evaluate posture<br />Develop transformation <br />road map<br />Step 1:Focus on current business drivers relevant to security and privacy <br />Step 5:Identify short-term “wins” and long-term objectives<br />Step 3:Set security transformation goals<br />Step 2:Gain management and external perspective on pressing IT and security/compliance issues<br />Step 4:Diagnose current state vs. goals and identify gaps<br />Step 6: Document expected outcomes, sequence activities and summarize program road map<br />
Transform your security program to improve business / operational performance<br />Protect what matters most<br />Identify the real risks<br /><ul><li>Develop a security strategy focused onbusiness drivers and protectinghigh-value data
Assume breaches will occur —improve processes that plan, protect,detect and respond
Establish and rationalizeaccess control modelsfor applications and information
Define the organization’s overall risk appetiteand how information risk fits
Identify the most important informationand applications, where they reside and who has or needs access
Assess the threat landscape and develop predictive models highlighting your real exposures</li></ul>Enable<br />business performance<br />Security transformation goals<br />Current state<br />Pressing IT andsecurity issues<br />Key business drivers<br />Needed or in-process improvements<br />Short-term<br />Long-term<br /><ul><li>Make security everyone’s responsibility
Don’t restrict newer technologies; use the forces of change to enable them
Broaden program to adopt enterprise-wide information risk management concepts
Set security program goals and metrics that influence businessperformance
Align all aspects ofsecurity (information,privacy, physical and business continuity)with the business
Spend wisely in controls andtechnology — invest more inpeople and processes
Consider selectively outsourcing operational security program areas
Get governanceright — make securitya board-level priority
Allow good security to drivecompliance, not vice versa
Measure leading indicators to catch problems while they are still small
Accept manageable risks that improve performance</li></ul>Sustain an enterprise program<br />Optimizefor business performance<br />
Framework to enable your security programto address business / operational needs<br /> Security risk governance & risk management<br />Risk culture<br />Policy framework<br />Governance<br />Integratedsecurityprogram<br />Key business drivers<br />Integrated capabilities<br />External challenges<br />Internal Audit<br />Compliance<br />Reporting and metrics <br />Business-level performance<br />
Transform your security program to improve business performance<br />Five questions forthe C-suite<br /><ul><li>Do you know how much damage a security breach can do to your reputation or brand?
Are internal and external threats considered when aligning your security strategy to your risk management efforts?
How do you align key risk priorities in relation to your spending?
Do you understand your risk appetite and how it allows you to take controlled risks?
How does your IT risk management strategy support your overall business strategy?</li></ul>Protectwhat matters most<br />Identifythereal risks<br />Enablebusiness performance<br />Sustain<br />an enterprise program<br />Optimize<br />for business performance<br />
Identify the real risks<br />Budget and organize a security program focused primarily on meeting immediate compliance needs<br />Protect the perimeter and keep external threats out<br />Focus on entry points, not exit points. Reactive, internally focused posture leads to constant firefighting mode addressing the latest threat or incident<br />Define the organization’s overall risk appetite and how information risk fits<br />Identify the most important information and applications, where they reside and who has/needs access<br />Assess the threat landscape and develop predictive models highlighting your real exposures<br />What is your organization’s risk culture?<br />Are you detecting and monitoring threats inside and outside the organization?<br />Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?<br />
Protect what matters most<br />Security program budget and organization focused primarily on meeting immediate compliance needs<br />Set goal and expectation to stop all attacks and threats<br />Disproportionate focus on maintaining lower-risk/lower-value security activities<br />User access and roles are set up based on last employee hired<br />Develop a security strategy focused on business drivers and protecting high-value data <br />Assume breaches will occur — improve processes that plan, protect, detect and respond<br />Balance fundamentals with emerging threat management<br />Establish and rationalize access control models for applications and information<br />Have you considered automating security controls?<br />Are you using predictive indicators to analyze seemingly legitimate network activity?<br />Are your resources focused on emerging threats?<br />
Optimize for business performance<br />Various security aspects exist in silos and are driven by compliance only<br />Largest portion of security budget goes to technology solutions<br />Fear of outsourcing anything security-related due to perceived loss of control. This results in the inability to focus on emerging technologies, new threats and new business initiatives<br />Align all aspects of security (information, privacy, physical and business continuity) with the business<br />Spend wisely in controls and technology — invest more in people and processes <br />Consider selectively outsourcing operational security program areas<br />Are you balancing spending money among key risk priorities?<br />Have you investigated the latent functionality of your existing tools?<br />Are you outsourcing any of your information security?<br />
Sustain an enterprise program<br />Security viewed as sub-function of IT with little top management visibility<br />Security program budget and organization focused on meeting immediate compliance needs<br />Security metrics and reporting focused on historic trends. Inordinate time spent on reacting to major incidents<br />Inherent security risk drives priorities. Lack of balanced risk view based on overall acceptable risk appetite<br />Get governance right — make security a board-level priority<br />Allow good security to drive compliance, not vice versa<br />Measure leading indicators to catch problems while they are still small<br />Accept manageable risks that improve performance<br />Are you taking controlled risks rather than striving to eliminate risks altogether?<br />Are your key indicators trailing or leading?<br />
Enable business performance<br />Security viewed as merely a function of the security team<br />Ban emerging technologies (social media, mobile) until they are mature<br />Program focused on perimeter and access management, not on all IT processes or all enterprise information (e.g., business unit, cloud and end-user computing)<br />Security metrics are backward-looking and tactical and not linked to goals, outcomes or strategic business drivers <br />Make security everyone’s responsibility<br />Don’t restrict newer technologies; use the forces of change to enable them<br />Broaden program to adopt enterprise-wide information risk management concepts<br />Set security program goals/metrics that impact business performance<br />Do all of the organization’s stakeholders understand the importance of information security?<br />Is your organization up-to-date with the new technologies hitting the workforce?<br />Does your organization have the right measures to create a scorecard on information security at the enterprise level?<br />