This ebook outlines the changing threat landscape and what CEOs need to understand about the evolving nature of threats in order to take protective measures and stay on top. In this ebook, Pat Clawson, CEO of Lumension, provides straight talk about a topic that can very well impact your bottom line and the ability of your business to deliver its product to customers.

1. 7 THINGS
Every CEO Should Know
About Information Security
Policy and
Process Reign
Supreme
The Costs
of Ignoring
Security
Emergence of
the Borderless
Enterprise
Security is a
Boardroom
Issue
Traditional
Security No
Increasing
Longer Works
Insider
Threats
Well-Organized
& Focused
Cybercriminals

2. TAblE Of CONTENTS
7 Things EvERY CEO SHOULd KNOW ABOUT INFORMATION SECURITY
Unless you’ve been living under a rock, you If that sounds like your organization, then keep reading. Hopefully, once you’ve
1. Security is a Boardroom
probably realize what a hot-button issue finished this ebook, you’ll see how important your role is in maintaining a secure
Issue
information security has become for the modern environment, why it isn’t a good idea to cross your fingers and hope the tech guys
enterprise. Maybe you’ve already mobilized a C- have everything under control and why compliance with security regulations won’t
level security executive to develop a comprehensive solve all of your problems.
2. The Costs of Ignoring
security program, maybe you’ve just asked your
Security
CIO to get a handle on things, or maybe you’re just As a CEO, I understand the complexities and nuances of leading an organization
fantasizing that security incidents can’t possibly to profitability and success. And as an expert in the security industry, I also have 3. Well-Organized &
happen to a company like yours. Either way, you a clear picture of how the very best businesses protect themselves. These two Focused Cybercriminals
probably recognize the magnitude of trouble companies face when a breach, perspectives put me in a good position to talk to you—CEO to CEO—about the
caused by their practices, hits The Wall Street Journal. And like many CEOs, you at least most important components of information security and why you should know 4. Increasing Insider
have an inkling that your company has room to improve its security practices. about them. There’s no marketing mumbo-jumbo here, just straight talk about a Threats
topic that can very well impact your bottom line and the ability for your business to
Currently, there exists a troubling disconnect between information security deliver its product to customers.
5. Emergence of the
personnel and top decision-makers within the enterprise. According to last year’s
Pat Clawson Borderless Enterprise
Ernst and Young global security survey, almost one-third of information security
professionals never meet with their board of directors, and most meet less than Chairman & CEO, Lumension Security™, Inc.
6. Traditional Security No
once a quarter with their corporate officers and business unit leaders.
Longer Works
7. Policy and Process
Reign Supreme
Conclusion: The Security
Role of the CEO
2

3. 7 THINGS EvEry CEO SHOuld KNOw
AbOuT INfOrmATION SECurITy
1. securiTy is a Boardroom issue
Contrary to what some CEOs may think, information security is absolutely a Clearly, your peers are standing up and listening because their feet are being held
boardroom issue. Even though it sometimes may seem as if security issues end up to the fire by regulators. In some ways, this can be a good thing. It has definitely
being mired in technical details, it is clear that ignoring them altogether can impact helped bump up overall awareness of security topics amongst the C-suite. As one of
the bottom line, the brand and shareholder value. These aren’t technology issues; my customers puts it, his department is starting to finally get the input he believes
these are core business issues. information security personnel should have.
If a business chooses not to set security policies, or sets them so loosely that they “In the last few years, I’ve started to see a change. Traditionally, we’d be ignored,”
suffer a highly publicized he says. “Even if you’re a C-level person, you never really got the inclusion that the
If a business chooses not to attack, it could find itself rest of the C-suite did. That’s starting to change. I find my department becoming
set security policies or sets ostracized by its largest included in more business decisions. Anytime people are looking to do their due
customers and partners. diligence in acquisitions and mergers, we’re consulted.”
them so loosely that they These types of risks are Lumension Security’s Chairman and CEO Pat Clawson sits
suffer a highly publicized boardroom issues and down to provide executive-level insight into effective and
64% of corporate executives reported data-centric corporate security.
attack, it could find itself they should be discussed
by you and your advisors, compliance as the principal information
ostracized by its largest no matter what their
security driver.
customers and its partners. technical background
looks like.
But compliance as a security driver is a double-edged sword. According to John
Currently, most executives only focus on security in relation to complying with Pescatore, analyst with Gartner Research, executives and board members should not
security regulations such as HIPAA, Sarbanes-Oxley and PCI data Security be so quick to throw their security spend on compliance efforts.
Standards. In last year’s 10th annual Ernst & Young global information security
survey, approximately 64 percent of corporate executives reported compliance as the “Really, it is dangerous to hang your hat on compliance as a justification for
principal information security driver. everything,” Pescatore says. “From a boardroom point of view, we think security
should be protection-driven, not compliance-driven.”
3

4. GuIdANCE fOr
bOArdS Of dIrECTOrS
The way he sees it, compliance fines pale in comparison to the cost of an actual Executives need to oversee a security program that meshes the security needs of their
security incident that can occur when proper precautions are not put into place. If an specific organization with the demands of regulators to prove security. They need to “To achieve effectiveness and sustainability in today’s
otherwise compliant organization misses a certain piece of the security puzzle, not recognize that the organization has an ultimate responsibility to secure its data and complex, interconnected world, security over information
assets must be addressed at the highest levels of the
included in “XYZ” regulations, and suffers a “denial of service” attack, then it stands that of its customers.
organization, not regarded as a technical specialty
to lose a lot more in lost revenue than if it had been secure but non-compliant. relegated to the IT department.
Implementing effective security governance and defining
CEOs really need to eliminate the mentality that being compliant with regulations
Executives need to oversee a security the strategic security objectives of an organization are
means their organizations are secure. Compliance is a measurement against complex, arduous tasks. They require leadership and
regulatory standards, not necessarily a measurement of overall security. Look at
program that meshes the security needs ongoing support from executive management to succeed.
the recent breach at New England’s Hannaford Brothers grocers. In that case, the of their specific organization with the Developing an effective information security strategy
requires integration with and co-operation of business
company claimed that it was PCI compliant when the incident occurred. Even if this
claim was true, compliance didn’t shield Hannaford in the court of public opinion—
demands of regulators to prove security. unit managers and process owners.
A successful outcome is the alignment of information
and it won’t shield your organization if something similar happens to you. security activities in support of organizational objectives.
“What I tell CEOs is make sure your security program is protecting your customers The extent to which this is achieved will determine the
In my opinion, there is definitely a wide-scale wake-up call that still needs to happen effectiveness of the information security program in
and protecting your business. Then give the auditors what they need for you to
at the executive level in regards to this security compliance misconception. meeting the desired objective of providing a predictable,
demonstrate compliance,” Pescatore says. “decide what controls are needed to defined level of management assurance for business
protect the business and customer data and then add some additional reporting processes and an acceptable level of impact from
functions that demonstrate compliance for all of them.” adverse events.”
Information Security Governance: Guidance for Boards
This is not only a safer and saner way of doing things, it is usually cheaper to boot. of Directors and Executive Management, IT Governance
Institute, 2006
4

5. CuTTING THE COST Of COmplIANCE
wITHOuT COmprOmISING SECurITy
2. The cosTs of ignoring securiTy
Many of the most publicized security failures in recent years can be attributed to proceedings can put a big dent in the bottom line. Add to that the cost of litigation,
short-sighted leadership decisions to save a few bucks on security in the short term. regulatory punitive fees and the cost of consultants to perform an investigation of
Take TJX’s (TJ Maxx) record breach of 94 million customer records—it all came as a the breach and it becomes clear why breaches cost so much. The shame of it all is
result of an upper level management directive to wait on upgrading wireless security. that once this money has been laid out, the new scrutiny you’ll face will force your
company to spend more on the security program you should have implemented in
the first place. Why not spend that money up front and avoid all of those millions in
Why not spend that money up front breach costs?
and avoid all of those millions in The largest cost associated with ignoring security, however, still may not be
breach costs? completely quantifiable. The loss of brand equity is a huge risk posed by lax
security practices, one which many CEOs need to address. Brand is the bedrock
As a CEO, what risk to the bottom line are you willing to assume for the sake of upon which most major enterprises build. When that bedrock cracks, many Pat Clawson sits down to discuss the biggest compliance
saving a few dollars in the coming years’ budgets? In TJX’s case, they’ve paid businesses have a hard time recovering. challenges and how organizations can effectively address
hundreds of millions of dollars as a result of the breach—many, many times the compliance.
amount it would have cost to upgrade their technology and practices. Remember ValuJet? The high-flying discount airliner had a quality brand in the mid-
1990s until one of its jets crashed into the Everglades in 1996. The disaster proved
Last year, one of the security gurus with Forrester Research took a quantitative look
at just how much poor security practices were costing enterprises. Analyst Khalid
Kark found that the average security breach can cost a company between $90 and ...they’ve paid hundreds of millions
$305 per lost record. The financial effects can be staggering for a company with
millions of customers.
of dollars... many, many times
the amount it would have cost to
Kark used a number of very real factors to come up with this projection. First of all,
data breach legislation in most states now puts companies on the hook to disclose
upgrade technology and practices.
any data breach to those affected. Just the sheer cost of going through notification
5

6. wHAT I wISH my CEO
KNEw AbOuT SECurITy…
so damaging to the valuJet brand that the company had to buy AirTran for In a 2006 study conducted by the CMO Council, over 50 percent of consumers said
its identity and completely purge the valuJet brand from its corporate memory. they would either strongly consider or definitely take their business elsewhere if their “The most difficult part of being a CSO or CISO is
personal information were compromised by a business. Even more disconcerting, getting CEOs and CFOs to understand that IT security is
Granted, a large security breach will rarely result in the loss of human life. But a part of life, just like fire and flood insurance. You hope
more than half of business executives said they would either consider or would
you never need to use it, but if you don’t have it and you
the valuJet incident still offers a stark lesson in how corporate negligence can recommend taking their business elsewhere if a business partner suffered a security have a fire, you can lose everything. If you don’t have a
destroy a brand. breach that compromised their corporate or customer data. strong information security practice in place, the same
thing can happen.
If a large bank is found to be at fault for not protecting its data assets, and customer Interestingly, the CMO Council study also found 60 percent of marketers believe that Support is key, and if you work with your CEO and help
information is spread around the world, the event will hit the news. In turn, that security and IT integrity offer an opportunity for brand differentiation. Yet 60 percent him or her understand what value IT security has on
organization the big picture, this will go a long way in gaining the
of these same marketers said security has not become a more significant theme in
Clearly, executives who choose will lose their company’s messaging and marketing communications.
support of different business divisions. If you educate
everyone from the top down, it helps tremendously.”
brand equity,
to ignore security are not only lose existing Clearly, executives who choose to ignore security are not only gambling their
Richard Linke, Vice President and CSO for Global
Security Management Inc.
gambling their company’s customer company’s brand and good name, they’re also losing an opportunity to differentiate
brand and good name, they’re loyalty, and will
have a harder
themselves from the rest of the crowd.
also losing an opportunity to time drawing
differentiate themselves from new customers
with its now-
the rest of the crowd. damaged
reputation. The
same goes for health care companies, insurance companies, big retail chains, you
name it.
6

7. CybErCrImE ECONOmy
3. Well-organized & focused cyBercriminals
CEOs really need to stop deluding themselves and understand that their information The enormous payouts from such antics have driven cybercriminals to dial up their Cybercrime has grown into an extremely mature black
market with major players often employing more
is worth being stolen. If your data is poorly protected, your business is essentially risk thresholds and their ingenuity levels. “Cybercrime today is targeted, it hits
sophisticated business methods and partnerships than
just setting out gold bars in an unprotected window so that any opportunistic bad deeply, it tries to be stealthy, rarely making the news, and often those attacks on a many legitimate businesses. Tom Espiner with CNET
News.com wrote a particularly illuminating summary of
guy can come and take what he likes. Some of the “gold bars” are different for each damage-per-incident level are 10 to 50 times higher than the costs of things like the
the cybercrime ecosystem in his article, “Cracking Open
business–perhaps secret recipes for food manufacturers, blueprints for engineering Slammer worm and other high-profile attacks we used to see,” says John Pescatore, the Cybercrime Economy,” published Dec. 14, 2007:
firms, programming code for software developers. Other “gold bars” transcend analyst with Gartner Research. “It’s way higher than what a simple virus used to cost “Hackers can buy denial-of-service attacks for $100
industry verticals. Every business risks confidential information about partners, us.” per day, while spammers can buy CDs with harvested
e-mail addresses. Spammers can also send mail via
sensitive customer data and potential sales leads when they don’t shore up security. spam brokers, handled via online forums such as
In 2007, the U.S. Government Accountability Office estimated that cybercrime costs specialham.com and spamforum.biz. In this environment,
$1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000
The cat is out of the bag that all of these data tidbits are worth a considerable the economy $117.5 billion a year. And yet, I still hear CEOs ask, “What would they
compromised PCs.
amount to competitors and identity thieves—most modern hackers already realize want with my organization? They’ve got better targets to attack. It’s not like I’m a
Carders, who mainly deal in stolen credit card details,
this and are well on their way to figuring out how to steal yours without you even Fortune 500 company.” openly publish prices, or engage in private negotiations
to decide the price, with some sources giving bulk
knowing it.
discounts for larger purchases. The rate for credit card
That thinking is all wrong. The thing is that most hackers are smart enough to
details is approximately $1 for all the details down to the
See, it used to be that the bad guys in cybercrime were simple script kiddies, just recognize that smaller companies don’t spend the kind of money and effort securing Card Verification Value (CVV); $10 for details with CVV
linked to a Social Security number; and $50 for a full
in it for the rush of defacing company property and getting their props from news their information that the big boys do. If you aren’t spending on security, then you
bank account.
reports. Their attacks were meant to be visible, so it was very clear when they become the better target to attack.
Scammers use a variety of ways to launder cash.
occurred. But money changed all of that—hackers saw a dollar sign attached to the Compromised bank accounts can be used to launder funds,
Think about it. If I’m a hacker planning to make some money by selling personal or struggling companies can be bribed to turn the money
technical feats they could accomplish and they switched gears. Nowadays, the crooks
into ready cash. Scammers can find businesses with a debt
are trying to fly under the radar, sneaking in to pillage data stores undetected so they identifiable information to an identity thief, who would I rather attack? A large
of $10,000, and agree to pay them $20,000 if they agree to
multinational bank that likely has billions of dollars invested in information security? cash out 50 percent of the funds. Dedicated cashiers, also
can do it again and again to the same target-rich environments. In poorer Eastern
known as “money mules,” can also take up to 50 percent of
Bloc countries, hacking corporate systems is a job for some people. They go to work Or a small credit union that probably hasn’t fully secured its systems? It’s like asking
the funds to move the money via transfer services.
and hack American companies for other companies or for well-organized crime rings a burglar whether he’d rather sneak into a house with unlocked doors or crowbar his
Money can also be laundered by buying and selling
perpetuating identity theft. way into a deadlocked home. He’ll pick the unlocked house every time. merchandise on the wider black market. Shipper rings
can ship PCs to scammers via intermediaries, which can
then be resold.“
7

8. dEbuNKING THE mOST COmmON
myTHS AbOuT dATA prOTECTION
4. increasing insider ThreaTs
It isn’t just those well-funded adversaries outside the business that you, as a CEO, It happens all of the time, and in many cases the damages can be in the hundreds
must worry about either. There are also numerous threats much closer to home— of millions of dollars. In February 2007, it came out that a senior chemist at
literally inside the business. duPont stole $400 million worth of data and tried to leak it to a third party. In just
a six month period, this trusted employee downloaded about 22,000 abstracts and
According to Gartner analysts, 70 percent of the security incidents that cost 16,700 documents. He was eventually ferreted out by duPont’s IT staff and taken to
enterprises money involve insiders in some way or another. Companies often spend so trial for his transgressions—but for every one of those caught there are many more
much time and money worrying about threats outside the enterprise walls they often who actually get away with it.
forget about the dangers that lurk within. The risks posed by employees and trusted
partners can run from out-and-out fraud, all the way down to simple user errors that As a CEO, I understand that trust
cause system insecurity and open them up to attack. Typically, both are caused by is an important part of running
...70% of the security
lack of controls and poor oversight of employee computer activities. a business. But I also realize incidents that cost
that while I can trust people up
enterprises money Lumension Security’s Senior Vice President of Business
to a certain extent, I have to set Development Rich Hlavka sits down to debunk the most
The risks posed by employees and boundaries around trust. involve insiders... common myths about data protection
trusted partners can run from out- Just as a company wouldn’t think twice about auditing the books and double-
and-out fraud all the way down to checking ledgers, it should be standard practice to keep track of access to valuable
data assets and risky computing activities that could cost the business a mint.
simple user errors that cause system
insecurity and open them up to attack. Too many companies choose not to monitor employee interaction with intellectual
property and sensitive data, and eventually pay a steep price for their lack of
verification. And even those who choose to monitor general staff forget to watch the
Especially damaging are the cases of intentional theft when employees remain waters, leaving IT administrators with far more account access privileges than their
unmonitored or have unconrolled access to sensitive data or systems. jobs require. Besides, even the most trustworthy insiders are capable of triggering a
security event that can send a business reeling.

9. dId yOu KNOw ?
“The insider threat hasn’t gone up; there have always been dishonest employees,” does your organization
does it have a way of
Pescatore says. “What has gone up, and what the real insider threat is employees have a way of tracking how Most insider events are triggered
trying to do their jobs using technology that we didn’t first make safe. And then, information is being copied protecting the data at by a negative event in the workplace.
oops, information is either accidentally exposed or left open such that a fairly simple and transported? does it
rest, in motion and in use? Most perpetrators had prior disciplinary issues.
cyber attack can get to it. That represents thr majority of growth of insider incidents.” have a way of protecting Most insider events were planned in advance.
data at rest, in motion and in use? As a CEO, you should at very least know the
Up to 87 percent of attacks didn’t require
Some employees may not know they are doing anything wrong. They’re just doing answer to those questions, because your job very well may depend on it. advanced technical knowledge.
what they think needs to be done to do their job. Everyone within the security field
Approximately 30 percent of incidents happened
has heard of numerous cases of people copying sensitive databases to their mobile Because employees and trusted partners with access to your information will take
at the insider’s home through remote access.
devices and bringing them home from work. It happens every day, and every day risks if they aren’t aware of them, education plays a big part in curbing insider threat.
From the Insider Threat Study conducted by the National
Education is huge because simply telling errant employees not to do something Threat Assessment Center of the U.S. Secret Service and
does your organization have a way doesn’t always have the desired effect. People sometimes justify bad behavior when
they are under-the-gun; they think, “I’ll just do it this once,” or “They didn’t really
the Software Engineering Institute at Carnegie Mellon
University, 2005
of tracking how information is being mean it when they said not to do this.” It is the job of your information security
copied and transported? department to educate users and make sure they understand why taking certain
actions puts the business at risk. And it is your job as the CEO to back up the Chief
Information Officer (CIO) and to really emphasize the stakes at hand. Often the only
that your employees do this, they are putting your organization at serious risk. If that way employees will listen is if the directive comes from the top, so give your infosec
device is lost or stolen, you face a serious breach with all of those costs I mentioned personnel some support.
earlier.
Education can’t do it alone, however. The only way to truly keep insiders to their word
is through automated policy enforcement, smart monitoring technology and effective
use of account restrictions.
9

10. mObIlE dEvICES —
THE NEw mObIlE THrEAT
5. emergence of The Borderless enTerprise
Many business-side leaders don’t fully appreciate all of the holes and points of Plus, as I just mentioned, you have got lots of potential “bad apple” employees who
weakness that exist in their network today. They figure that after green lighting are automatically allowed access inside network boundaries. It has gotten to the
the CIO to spend buckets of money on firewalls and other network defenses, the point where there isn’t an impenetrable border around the enterprise anymore.
organization should be pretty well fortified against assault. The problem is that
since that money has been spent, the enterprise has changed and the CIO has
been forced to change the technology that supports the business. In this age of Nearly 75 percent had off-line devices
super-connectivity, they’ve been asked to provide more ways to give employees and
partners access to information.
lost or stolen in the last two years and
of those 42 percent involved the loss of
In the process, insecure systems
that were never meant to be
sensitive information.
In this age of connected to the Internet are
Lumension Security’s Vice President of Security
now online. Information portals Unfortunately, most businesses have been unable to adjust their security programs
super-connectivity, CIOs are poking holes in the network to account for this borderless enterprise. In a study of 735 CIOs conducted by the
Technologies, Chris Andrew, sits down to discuss how
security has moved beyond the endpoint with the
have been infrastructure all over the place, Ponemon Institute in 2007, more than 60 percent of them said their organizations convergence of business and personal tools.
data is leaving the network on still place more importance on network security issues than any other. Approximately
asked to provide portable storage devices, and 62 percent said their off-network controls are not “rigorously managed.” And yet,
more ways to give mobile devices are enabling 62 percent said that they have a lot of unprotected confidential information on off-
employees and partners people to move outside the
network with sensitive data while
network systems. This assumption of risk has lead to a much higher rate of incidents
involving those off-line devices—nearly 75 percent of the managers surveyed had one
access to information. coming back onto the network of these devices lost or stolen in the last two years, and of those, 42 percent involved
with infected systems. the loss of sensitive information.
10

11. wHAT I wISH my CEO
KNEw AbOuT SECurITy…
These numbers aren’t meant to scare you. I’ve brought them to light so that you
understand why your CIO keeps knocking on your door to talk about data protection— “For me, it’s got to be the application level security
these days, that is the name of the game in security. Executives today must recognize that and code-security. In our company and a lot of
companies, security is still seen as an IT process, you
security is no longer about fortifying the network, it’s about protecting the data. We’ve
do some IT things, development does their things.
already established that the crooks aren’t looking to simply break your network. They want Making the argument that code security, revision
to get their grubby little hands on your data. control are so absolutely important that often times
they can be the invalidation of all the controls that
I’ve put around things.
Executives today must recognize that security is no longer If someone screws up and makes a code error, it’s now
about fortifying the network, it’s about protecting the data. dumping your databases to the Internet. So, that’s
going to become one of the next hot items – database
and web application security in multiple ways. Getting
some kind of insight into your code’s security is very
These bad guys are no dummies—they know how to exploit holes in the network and how important. It’s not being properly communicated
by anyone at this point. Mostly because people
to take advantage of offline systems and endpoints in order to gain future access to your
don’t have a hard grasp of the application threat
data stores. If the endpoints and the data are protected, it becomes a lot harder for the landscape. There are a few people who understand
criminals to steal information. it, and to my knowledge, they work for their own
companies. They’re independent contractors. They’re
not convincing CEOs that that’s important. A lot of
Your technology leaders must be able to satisfy the needs of your staff and partners to
the other people out there just haven’t gotten it yet.”
access appropriate data while maintaining appropriate control and monitoring of that
William Bell, Director of Security for ECSuite.com
information to ensure it remains safe. In the end, organizations need to make sure they’re
not giving away too much free access at the expense of the company’s well being.
11

12. HOw TO mAKE wHITElISTING
OpErATIONAlly EffICIENT
mANAGEAblE
6. TradiTional securiTy no longer Works
So now that the climate has changed and we operate within a borderless enterprise, Executives must have their technical staff focus on the squishy center that exists
it is imperative for company and technology leadership to realize that the security inside that perimeter exoskeleton they’ve built up over the years. Otherwise, crafty
model they’ve depended on for so many years is broken. bad guys are going to attack from the inside out.
Simply installing antivirus and firewall perimeters no longer helps businesses Think about it, with all of your employees demanding connectivity online and
effectively defend themselves. There are too many ways around the network online portals directing customers and partners to data from the outside, there
perimeter. Those well-funded criminals I already talked about are using clandestine are loads of little back doors leading directly into networked data stores. And if
code that cannot be detected by mass-marketed antivirus software, that only offers
protection from known attacks.
Why attack the network directly when
That’s not to say that these older technologies no longer have a place in the I could simply get an employee to visit
enterprise. They still do a reasonable job protecting enterprises from old attacks and
act as a good, existing first layer of defense.
an infected website that will load a Lumension Security’s Senior Vice President of Americas,
Trojan onto their system and will grant Matt Mosher sits down to discuss the advancements in
Endpoint Security with Operational Whitelisting.
“The real key is figuring out how to make the perimeter security less expensive and
then be able to deal with where the threats are starting to bypass the traditional
me access into their system and into
forms of security,” says Pescatore, “because there are new forms of attacks and there wherever it is connected?
are always these waves of old attacks that come back.”
We recently had a customer say to us, “I can’t tell you how many of my peers find I’m a bad guy, why would I try to go through the fortified front door when I can
it easy to fund and implement perimeter security, but find it harder to do so for the just waltz through the back door and ride the wave of connectivity directly to your
needed internal security.” most valuable data? Why attack the network directly when I could simply get an
employee to visit an infected website that will load a Trojan onto their system and
will grant me access into their system and into wherever it is connected?
12

13. vulNErAbIlITy mANAGEmENT
IN A wEb 2.0 wOrld
If you have nothing to prevent that, they’ve already won. They’re establishing an
outbound connection right back to their system which means you’re toast and
your firewall means nothing.
Businesses who have recognized the death of security as they once knew it have
kept their protection programs up-to-date by shifting focus on areas such as internal
network security and monitoring, endpoint security and configuration management.
Most importantly, the most successful security
practitioners have begun to supplement the old guard in
technology with proactive security through whitelisting.
“Both the threat environment has changed and our
Unlike the traditional method of blacklisting the “known priorities have changed so that we really need to get
bad” programs and application, whitelisting only lets the
“known good” execute within the enterprise environment.
into protecting the information itself,” Mogull said. Senior Director of Solutions and Strategy, Don Leatham,
sits down to discuss Vulnerability Management
“So that’s where the concept of information-centric challenges in a Web 2.0 world, and how to defend against
these threats.
security comes from. Which is why people are saying
‘Why don’t we look at the tools and techniques we
need to protect the data and not just protect our
networks?’” - Rich Mogull, Securosis, from March
200 Baseline Magazine article.
13

14. 5 bASIC TENANTS
Of INfOrmATION SECurITy
7. policy and process reign supreme
One of the real dangers of working with technical executives is that some of them As in many other aspects of the business, tools support a solid foundation laid by “Information security governance requires senior
tend to fall so completely in love with certain technologies that they fail to remember effective policies and processes. It is your job as the head honcho to guide your Chief management commitment, a security-aware culture,
promotion of good security practices and compliance
their overarching goals. This particular malady infects a lot of people in security, who Information Security Officer (CISO) to make sure he or she isn’t using technology as
with policy. It is easier to buy a solution than to change a
unfortunately focus on buying and implementing tools they view as a panacea. an ineffective crutch. culture, but even the most secure system will not achieve
a significant degree of security if used by ill-informed,
As a CEO, you probably already know that there’s no product in the world that can “So if every time there’s a problem and the only thing your CISO is suggesting is untrained, careless or indifferent personnel.
completely solve a complex business problem. It is no less true for information technology, you should poke ‘em with a stick,” Pescatore says. “You should say, ‘Wait Information security is a top-down process requiring a
security than anything else in the business. a minute, where’s the process change or the other things that always have to go with comprehensive security strategy that is explicitly linked to
the organization’s business processes and strategy. Security
technology to make it work?’”
“...we have to set up a security policy must address entire organizational processes, both physical
and technical, from end to end.
that finds the right balance between These “other things” need to include risk assessment, standardized procedures,
The five basic outcomes of information security governance
boundary setting around what employees should and shouldn’t be doing with systems
overreacting and exposing your and data, and also setting baselines on how systems are configured. From there, the
should include:
1. Strategic alignment of information security with business
system to any and every hack.” technology can monitor and enforce all of those policies and procedures, providing
strategy to support organizational objectives
reporting to prove to the auditors that everything is working.
2. Risk management by executing appropriate measures to
“Information security by technical means is not sufficient and needs to be supported
manage and mitigate risks and reduce potential impacts on
by policies and procedures,” wrote Chaiw Kok Kee in a SANS Institute whitepaper information resources to an acceptable level
on security policies. “Security polices are the foundation and the bottom line of 3. Resource management by utilizing information security
information security in an organization. Depending on the company’s size, financial knowledge and infrastructure efficiently and effectively
resources and the degree of threat, we have to set up a security policy that finds the 4. Performance measurement by measuring, monitoring and
right balance between overreacting and exposing your system to any and every hack.” reporting information security governance metrics to ensure
that organizational objectives are achieved
5. Value delivery by optimizing information security
investments in support of organizational objectives”
Information Security Governance: Guidance for Boards
of Directors and Executive Management, IT Governance
Institute, 2006
14

15. wHAT I wISH my CEO
KNEw AbOuT SECurITy…
If your CISO is doing a good job setting policies, the SANS policy guidance suggests “If I could have a CEO
that he or she will be: boot camp, I’d say,
The responsibility “Information security is not simply an IT issue.
‘Make sure you put for security oversight Information security is the responsibility of every
employee beginning with the CEO. Awareness, detection
Identifying all of the assets that need to be protected security top of mind
and policy development and remediation is also everyone’s responsibility. We
Identifying all of the vulnerabilities and threats and the likeliness to all of your direct can invest in tools that will mitigate the risk, and tools
of the threats happening reports: your CFO, your doesn’t rest solely on the to audit how well we are mitigating the risks, but at
CIO, your HR people, CISO’s shoulders, either. the end of the day, it is the individual users who most
significantly impacts the security of information at
deciding which measures will protect the assets in your sales people and an organization. If we start with the idea that the
a cost-effective manner so on,’” Pescatore management of the investment we have in information
says. “For most businesses today, the product is information and security is key. So is of paramount importance, we will make decisions
Communicating findings and result to the appropriate
that ensures its security throughout all levels of the
parties (i.e. you and the board) you have to make sure that your top reports understand that security is part of their
organization. In this way, the products, policies,
evaluation. It’s not just the CIO’s responsibility. It is part of life for every one of your procedures and audits you put in place will not be
Monitoring and reviewing the process for improvement along the way direct reports.” sidestepped, downgraded or ignored for the comfort of
the end user.”
The responsibility for security oversight and policy development doesn’t rest solely
Tony Hildesheim, Vice President of Information Technology
on the CISO’s shoulders, either. As chief executive, you should also be guiding
a program of information security governance that reaches far beyond the IT Washington State Employees Credit Union
department.
As chief executive, you should also
be guiding a program of information
security governance that reaches far
beyond the IT department.
15

16. A prACTICAl ApprOACH
TO IT SECurITy rISKS
conclusion: The securiTy role of The ceo
Obviously, chief executives don’t play a detailed day-to-day role in information The CEO has to be the one that constantly challenges the organization to understand
security. You probably don’t know how to administer a vulnerability scanner, nor its risks and needs to be constantly reviewing security progress as part of the
should you. But understanding security can have such a dramatic effect on an quarterly review process. Are we right on track with initiatives? Have we suffered any
organization’s bottom line, it is clear CEOs need to provide strong leadership incidents lately? Have our competitors? What new threats are cropping up. These
on the matter. are the types of questions that the CEO must ask of the CIO or CISO on a consistent
basis in order to keep that company messaging relevant. It should be an ongoing,
According to many of the CISOs we speak with here at Lumension Security, the only dynamic process instead of one where the CEO is simply the recipient of information.
way to get user buy-in for major infosec initiatives is by relying on support from the
top of the food chain. As a CEO, you have a chance to set a culture of security that
permeates into every silo, department and remote office you maintain.
As our customer Bell puts it, “When it comes from the CEO, it’s a bigger deal than
when it comes from the security officer. You’re going to get more penetration through Pat Clawson discuss how organizations can implement
a practical approach to identifying, prioritizing and
your enterprise. The folks in accounting are going to go, ‘Oh! It’s the CEO!’ They
responding to IT security risks
don’t care about me, but they’ll listen to the CEO. There are a lot of companies with
silos that are so deep these days that the security departments don’t have a lot of
visibility. If you can work to get some kind of company message, it’s helpful.”
16

17. Lumension Security™, Inc.
150 N Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 5260
www.lumension.com
7 Thnigs Every CEO Should Know About Information Security is licensed under a
Creative Commons Attribution 3.0 United States License.