Security is a Myth: The Impossible Job of the CIO

In this presentation, Christopher Luise, Executive Vice President of ADNET Technologies, LLC, will discuss the common gaps that organizations of all sizes leave open, along with security best practices that are well known, but often overlooked. He’ll show you a day in the life of a CIO on a normal day, and how dramatically it can change the instant a security breach occurs. Don’t miss this opportunity to learn what your biggest weaknesses as an organization might be, and the surprisingly simple ways you can start to make your firm less vulnerable to attack.

Published in: Technology
  • That has to be a true statement, just look at the facts: We have sophisticated security applications to safeguard our data! We have a wealth of mobile devices to make us ever more efficient, both in and out of the office! Employees want to use their own iPhone, iPad, tablet, etc. that they bought and paid for to do company work – we are in the era of BYOD (bring your own device)! Using readily available tools, business processes can be easily transformed into streamlined electronic workflows to boost our productivity! We don’t even have to maintain our own systems, we can just put them up in the Cloud! There are tools available to present some of the most complicated business data in easy-to-understand visual graphical formats – mounds of reports distilled down to simple “dashboards”! With the proliferation of the Internet and Social Media, users have become more computer savvy than ever before!
  • So, do you feel that managing IT is easier in 2012 than it has been in the past? I know I don’t, and for good reason. First, let’s look at what every CEO, CFO and CIO is thinking about: How do I keep my data secure? – From compliance issues to internal and external threats, what are the risks and how do I mitigate them? How can I get more from my IT investment? – IT is a major investment; how can I get more from this investment and be more competitive? I need to be successful in IT to win. How do I manage all this technology? Security, getting more from your investment and managing the technology – with all the tools available to us, why wouldn’t our jobs be easier? Simply put, the world got a whole lot more complicated, and to be successful in your industry means succeeding at technology as well. The stakes are just higher. And yes, we have a multitude of choices at our disposal to solve nearly any problem. But which ones do we choose? Where does hype separate from reality? Which ones will be around tomorrow? Are there compliance issues? How does this affect my people? What is my exposure?
  • The goal of WorkSmart is to address some of the trends occurring in our more complex world. How do we work differently in today’s world?
    Source: Australian School of Business, 4/7/2010, via the web (knowledge@Australian School of Business): Consider the business sector. There is clearly more regulation and competition in today’s corporate world, but there are also advantages such as the presence of the internet, enterprise systems and access to more information. In some respects, therefore, the role of chief executives and managers may have actually become easier. Steve Vamos, president of the Society for Knowledge Economics (SKE) and the former chief executive of Microsoft Australia, suggests some aspects of business are more complex in an environment that is more connected and subject to rapid change. As a result, he says hierarchical approaches to management and command-and-control leadership styles are less relevant. “They are not optimised for this new world. So, if there is complexity, it’s because we might be using old mindsets and old mechanisms to deal with a different environment.”
  • Define what consumerization of IT is: the growing tendency for new information technology to emerge first in the consumer market and then spread into business and government organizations. It used to be that IT drove the adoption rate of new devices. It is now the consumer who is driving the adoption of new technology at the device level. This trend has resulted in users wanting to bring their own devices to work to use them for work.
  • While at first it appears to radically lower the cost of enterprise IT mobility, BYOD also introduces new risks and may actually significantly increase costs if not properly managed. Often overlooked is the financial cost of unauthorized access or a lost or stolen device – between $3K and $180K.
    ----- How many smartphones in the US as of March 2012? -----
    Dazhi Chen, Founder at Relevant (as of Mar 2012): Google 51% (54M), Apple 30.7% (32.5M), RIM 12.3% (13M), MSFT 3.9% (4.1M). 69.5M as of Feb 2011: Google 22.9M, RIM 20.1M, Apple 17.5M.
    ----- BYOD trend is here to stay – 2012 -----
    ----- Aberdeen -----
    Lower initial cost since purchase is not necessary. Higher operational cost because it is more complex to manage a variety of devices. Often overlooked is the risk of financial exposure due to unauthorized access to protected data stored on a mobile device that is lost or stolen. Start with Mobile Device Management (MDM). Secure the tablets. Put IT back in charge. Plan for multiple smart devices per user. Evolve to enterprise mobility management. Create and maintain an up-to-date device inventory. Ensure that policy is in place and compliance is enforced. EDL – Start with “Who’s got the Compaq Luggable?”
    ----- SAP Case Study -----
    Manage data, not devices: Focus on data management and flexibility in device choice. Reduce impact on security/legal/HR/regulatory issues. Separate personal data from corporate data. Reduce corporate liability associated with potential private-data impact. Improve ability to fulfill legal obligations associated with litigation-hold and e-discovery requests. Ensure full security (encrypted, password-protected vault). Protect corporate data in the event a device is lost, stolen, or used by non-employees.
    ----- USA Today -----
    "In the past, we asked them to issue company-owned laptops, give a few privileged users locked-down BlackBerrys, and that was it," says Barnett. "Today, they're being asked to accomplish a far greater feat."
    ----- Aberdeen -----
    Since 2008 Aberdeen research has been tracking a radical transformation taking place in the enterprise: an increasing number of organizations are permitting, even encouraging employees to bring their own mobile devices into the workplace to be used for work purposes. While at first appearing to radically lower the cost of enterprise mobility while making its productivity and communications advantages available to a much broader group of employees, it also introduces new risks and may actually significantly increase costs if not properly managed. Often overlooked, however, is the increased risk of financial exposure due to unauthorized access to protected data stored on mobile devices that are lost or stolen. In the July 2011 study Enterprise Mobility Management Goes Global: Mobility Becomes Core IT, respondents were asked to identify the maximum financial exposure to their organization caused by a lapse in compliance with local statutes and regulations caused by lost or stolen mobile devices. At the low end of the risk spectrum, the exposure was $3,010 USD per lapse; at the high end, $179,270 USD per lapse. And a single compromised device can contain multiple compliance lapses. How can organizations not address the security and compliance of all of their employee-liable mobile devices?
  • As time has moved on, choices have increased. Do you go with on-premise, Cloud, Private Cloud, Hybrid? There are no clear-cut answers.
  • Cash flow, Security, Complexity, SLAs, Regulations
  • ECM in 2011 and 2012: Driving Business Effectiveness in Today's Global Market. A funny thing happened in the depths of the recent recession. While budgets in many areas of information technology were under extreme pressure, enterprise content management (ECM) spending actually grew, by 5.1% in 2009 and by 7.6% in 2010. ECM software revenue alone was $3.9 billion in 2010. And we project this growth will continue — at an impressive compound annual growth rate (CAGR) of 11.4% through 2015. Why is all this money being spent on ECM in a down economy? The answer is "productivity." ECM can drive process efficiency, improve data and process quality, and build better channels to your customers and prospects. Gartner clients often use ECM to realize a range of productivity goals, including the following:
    Improve Effectiveness. Better data quality can lead to better decisions, as time and energy are not wasted. Project team support environments have a strong base in ECM. Knowledge repositories based on ECM can help companies build competitive differentiation, innovate better and realize better customer service.
    Reduce Operational Cost. Electronic management and delivery of client information using e-bill presentment and multichannel approaches to engage prospects and clients with relevant information requires Web Channel optimization using Web content management (WCM) tools. Costs can be reduced by consolidating diverse repositories of content and getting off of legacy content management tools where ongoing maintenance costs can be significant.
    Optimize Business Processes. ECM began with document imaging and document management of high volume information flowing through repetitive processes. These transactional types of ECM environments are critical to driving efficiencies in departments for mission-critical processes.
    Achieve Regulatory Compliance and E-Discovery Goals. Companies look to ECM to provide a full lifecycle approach to information — from creation to destruction. ECM tools provide this level of support for many enterprises, beginning with integration with the Microsoft Office Suite for management of new and collaboratively authored content, to the use of inherited predefined metadata to automate the eventual records categorization. Companies use these tools to demonstrate best efforts at organizing and managing their information in a proactive manner to meet legal needs.
    Attract and Retain Customers. A Web technology approach based on WCM allows enterprises to use the Web for a range of dynamic information-based interactions. WCM can be used to drive interactive channels to prospects and customers. Publishing and leveraging
  • Discuss how WorkSmart can help
  • Why are we still talking about this topic? Viruses are SO 2005. Your identity is the new currency! Consumer Devices! Cloud! Change! Never before has so much $ been spent on something you cannot see, yet decreasing is not an option? How much money are we going to throw at an endeavor that seems to be failing?
  • The premise of today’s discussion. These are the touchpoints. Tradeoffs… freedom v security/culture (appropriate & rational). Complete security IS impossible. Our approach is reactionary in nature and NOT sustainable.
  • Let’s talk about emotional responses –
  • Not quite my kid’s bedroom, but … What are the feelings this picture evokes? Ask the crowd!
  • These are real emotions. Lead to reactive results. Get Even?
  • Emotions at play – cloud your response – let’s put this into work terms. (next slide)
  • A perception of what is perceived – in a way different from the way it is in reality. Elements of Paranoia. Behave as if it has already happened to you.
  • Employees? Colleagues? Why: You see no security problems.
  • DETECTED. May not seem like a lot, but large organizations are best equipped to notice.
  • String: Look for a string and pull on it. The art of hacking – or even hacktivism. Not sure where the string goes. What other threads will it lead to? In the world today those strings take you to places and processes and things.
  • The largest threats are internal – NOT ALWAYS MALFEASANCE!
  • Let’s focus on the CIO now… These are Warning Signs!
  • The hint of paranoia to keep you on your toes
  • But – this is the premise
  • Ok, deep breath
  • Viruses are old school. ITaaH – the IT as a Hindrance model is being addressed.
  • Security needs to be a part of your Corporate DNA
  • One key statistic was almost lost in that ISBS report — namely that even though 50 percent of those companies plan to spend more on security this year than last, 67 percent of them also expect an increase in security breaches.
  • What are the costs – can you manage the return?
  • Segue – how much is too much security? Measured approach. To spend more and achieve less when budgets are stretched to breaking point is just plain stupid. The more money that's wasted on ineffective security defenses, the less money there is for competing business IT spend. There are companies that have plenty of money and have still suffered security breaches.
  • What's needed is an investment not in more technology, but in more awareness. Misfeasance is, in all honesty, probably the biggest security threat that companies face today.
  • Reduction of Security Incidents
  • Patriot Act
  • Example: community-based organizations
  • This is the TAKEAWAY
  • The myth of the IMPOSSIBLE
  • For example, educating employees, from the shop floor to the server room, about the real risks and the measures available to avoid them has been proven time and time again to deliver results.
  • Questions? Concerns?
  • Security is a Myth: The Impossible Job of the CIO

    1. Opening Remarks: The Day Ahead. Ed Laprade, ADNET Technologies, LLC
    2. 2012: Managing IT is Simpler Than Ever!
    3. the Facts: Sophisticated Security; Wealth of Mobile Devices; BYOD is Here!; Business Workflow Apps; The Cloud is Changing the World!; Simple Dashboards; More Savvy Users
    4. it’s not that simple . . .
    5. our thoughts are filled with: manage, competition, investment, threats, risks, people, compliance, data
    6. the world got smaller . . . and more complex
    7. TREND: Consumerization of IT
    8. consumerization of IT, one effect . . . A Gartner report says the bring your own device (BYOD) trend is here to stay, so enterprises need to bolster security policies. Nathan Eddy – eWeek, June 18, 2012
    9. the trend to BYOD
    10. TREND: move to Cloud
    11. the evolution
    12. when you consider: Complexity, Cash Flow, Security, Regulations, SLAs
    13. sometimes the decision criteria are not BLACK or WHITE
    14. TREND: Social Media
    15. need to mitigate risk: guidelines? employees trained? fit with culture? Source: Intel Social Media Guidelines
    16. TREND: Productivity Software
    17. improving productivity. Software: Enterprise Content Management (ECM), Business Intelligence (BI), Business Analytics, Information Visualization. Goals: Improve effectiveness; Reduce operational costs; Optimize business processes; Achieve regulatory compliance; Attract & retain customers
    18. SUMMARY: today is more complex than yesterday . . . tomorrow will be more complex than today
    19. WorkSmart: explaining the complex
    20. THANK YOU to our Partners!
    21. Security is a MYTH: The Impossible Job of the CIO. Christopher Luise, ADNET Technologies, LLC
    22. the PREMISE: balance / off-balance; appropriate / inappropriate; investment / measurement; freedom / security; myth / truth
    23. IMAGINE you come home to find…
    24. alone, vulnerable, defenseless, alarmed, BLAME, helpless, guilt, angry, scared
    25. it’s not just emotional
    26. All the work you do: Developing, Reporting, Planning, Rollouts, Testing
    27. Your TRUST has disappeared. Your CREDIBILITY is lost. Your WORK is gone.
    28. FACT
    29. NOTHING is fully secure. nothing.
    30. security is an ILLUSION
    31. what YOU see…
    32. what HACKERS see… 2, 3, 6, 7, 14, 15, 30… Behavioral Patterns, Holes, Puzzles
    33. 15 percent of large organizations detected successful network hacker penetrations. Source: PwC 2012 Information Security Breaches Survey
    34. finding a way in: What happens if I pull on this string? Today’s strings unravel People, Processes, Places, Systems, Information. It’s not sophistication – it’s merely CURIOSITY
    35. FACT
    36. they are the REAL threats
    37. 75 percent of organizations where security policy was poorly understood experienced a staff-related breach. Source: PwC 2012 Information Security Breaches Survey
    38. when the organization FAILS THE CIO: Lack of stakeholder buy-in; No support for change; Allowance of exceptions. The CIO has an IMPOSSIBLE JOB.
    39. FEAR may be warranted. But in measured doses.
    40. What is APPROPRIATE? RATIONAL?
    41. CAN I SLEEP AT NIGHT? (What do I NOT Know?)
    42. your biggest VULNERABILITIES: Mobile devices & BYOD (ITaaH); Social media (gone wild); Cloud; Training & policies; Assigned rights; Awareness – from top to bottom; Authentication – Ml!cwsI
    43. you cannot IGNORE THIS. “If security is not part of innovation, it’s going to cost you. There are certain things you can neglect, but the majority you cannot ignore. Sooner or later it will hit you. And the later you put security and compliance into projects, the more it will cost, because it just adds complexity.” Andreas Wuchner, head IT risk management, security & compliance, Novartis
    44. MEASURING: What gets measured, gets done.
    45. 93 percent of large organisations and 76 percent of small businesses experienced a security breach last year. Source: PwC 2012 Information Security Breaches Survey
    46. 50 / 67: 50 percent of large organisations expect to spend more on security next year, yet 67 percent still expect more security breaches. Source: PwC 2012 Information Security Breaches Survey
    47. “Amateurs study cryptography; Professionals study economics” – Allan Schiffman, July 2004
    48. Why measure? There’s never enough <X> to go around. To play better, you must keep score. Discipline is easier with numbers.
    49. Measurement: So, if you do things right and NOTHING happens… How do you measure what didn’t happen?
    50. How much is TOO MUCH security? Spending more and achieving less (perceived); Stealing from business initiatives; Excess administrative overhead to manage; Overburdened IT staff. Throwing money at the problem is not a strategy.
    51. Measured and appropriate RESPONSE: Balance; Knowledge; Risk – measured and assumed; Not fear
    52. 80 / 53: 80 percent of large organizations, and 53 percent of small businesses, fail to evaluate the return on investment of security expenditure. Source: PwC 2012 Information Security Breaches Survey
    53. Highest-Level Metrics: How secure am I? Am I better off than this time last year? Am I spending the right amount of $$? How do I compare to my peers? ROSI? It’s a start… What risk transfer options do I have?
    54. Building the STRATEGY. Ask yourself: “Is our approach RATIONAL? APPROPRIATE?”
    55. TRADEOFFS: Compromise is not optimal.
    56. Security is about tradeoffs; but you know that. It is easier to make tradeoffs when you have a measure to compare them with. Even then, it is not necessarily easy.
    57. it’s a BALANCING act: SECURITY / FREEDOM
    58. Culture?
    59. building the STRATEGY: 1. Understand where your organization is investing (Corporate Strategy). 2. Review and analyze. Collaborate. 3. Rank your weaknesses – Internal & External (PIE) (Probability x Impact = Exposure). 4. Align an approach. Enable. 5. Build in awareness (organizational). 6. Get or find authority.
    60. Chris’ steps to SLEEPING AT NIGHT: Independent review; Simplify complex systems; Make complex authentications simple; Design security approach into projects; Malfeasance is the least of your worries – AWARENESS!; Backup/fail-safes; Measure security spend.
    61. @ITWithValue @ChristopherLuise @TechWorx
    62. Thank you and ENJOY!
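Slide 59's third step, ranking internal and external weaknesses by Probability x Impact = Exposure (PIE), is the one piece of the strategy that can be carried through in code. The Python below is an added example and is not part of the ADNET deck; the weakness names, probabilities and dollar impacts in the sample register are constructed for illustration, and the validation rules (probability between 0 and 1, non-negative impact, origin tagged internal or external) are this example's own assumptions about what a defensible register entry looks like.

```python
"""Added example: ranking a register of weaknesses by
Probability x Impact = Exposure (the PIE step of slide 59).
Not part of the ADNET presentation; every register entry below is constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Slide 59 asks for both internal and external weaknesses to be ranked.
ORIGINS = ("internal", "external")


@dataclass(frozen=True)
class Weakness:
    name: str
    origin: str          # "internal" or "external"
    probability: float   # likelihood of occurring in the review period, 0.0..1.0
    impact: float        # estimated loss in dollars if it does occur

    def exposure(self) -> float:
        """PIE: Probability x Impact = Exposure (expected loss in dollars)."""
        return self.probability * self.impact


def validate(weakness: Weakness) -> None:
    """Reject entries a reviewer could not defend: an unknown origin,
    a probability outside 0..1, or a negative impact (assumed rules)."""
    if weakness.origin not in ORIGINS:
        raise ValueError(f"{weakness.name}: origin must be one of {ORIGINS}")
    if not 0.0 <= weakness.probability <= 1.0:
        raise ValueError(f"{weakness.name}: probability must be between 0 and 1")
    if weakness.impact < 0:
        raise ValueError(f"{weakness.name}: impact cannot be negative")


def rank_weaknesses(register: List[Weakness]) -> List[Weakness]:
    """Return the register ordered from highest to lowest exposure."""
    for weakness in register:
        validate(weakness)
    return sorted(register, key=lambda w: w.exposure(), reverse=True)


def exposure_by_origin(register: List[Weakness]) -> Dict[str, float]:
    """Total expected loss split into internal and external weaknesses,
    which is what the 'Internal & External' part of the slide asks for."""
    totals = {origin: 0.0 for origin in ORIGINS}
    for weakness in register:
        validate(weakness)
        totals[weakness.origin] += weakness.exposure()
    return totals


# Constructed sample register (hypothetical values, not survey data).
SAMPLE_REGISTER = [
    Weakness("Lost unencrypted BYOD phone with customer data", "internal", 0.5, 30_000),
    Weakness("Phishing of employee credentials", "external", 0.25, 120_000),
    Weakness("Confidential detail posted on social media", "internal", 0.125, 80_000),
    Weakness("Unpatched internet-facing web server", "external", 0.0625, 400_000),
]


if __name__ == "__main__":
    print(f"{'#':>2}  {'exposure':>10}  {'origin':<8}  weakness")
    for rank, w in enumerate(rank_weaknesses(SAMPLE_REGISTER), start=1):
        print(f"{rank:>2}  ${w.exposure():>9,.0f}  {w.origin:<8}  {w.name}")
    for origin, total in exposure_by_origin(SAMPLE_REGISTER).items():
        print(f"{origin} total expected loss: ${total:,.0f}")
```

Run as a script, the ranking puts credential phishing first and the unpatched web server second, even though the web server carries the largest single-event loss in the sample: exposure weights impact by likelihood, which is the "measured, not fear" point of slides 39 and 51. The per-origin totals give the CIO a number to put next to the internal-versus-external question on slide 36 when deciding where the next dollar of security spend goes.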