
7 Things Every CEO Should Know About Information Security



This ebook outlines the changing threat landscape and what CEOs need to understand about the evolving nature of threats in order to take protective measures and stay on top. In this ebook, Pat Clawson, CEO of Lumension, provides straight talk about a topic that can very well impact your bottom line and the ability of your business to deliver its product to customers.

Published in: Technology, News & Politics


7 THINGS Every CEO Should Know About Information Security

1. Security is a Boardroom Issue
2. The Costs of Ignoring Security
3. Well-Organized & Focused Cybercriminals
4. Increasing Insider Threats
5. Emergence of the Borderless Enterprise
6. Traditional Security No Longer Works
7. Policy and Process Reign Supreme
Table of Contents

1. Security is a Boardroom Issue
2. The Costs of Ignoring Security
3. Well-Organized & Focused Cybercriminals
4. Increasing Insider Threats
5. Emergence of the Borderless Enterprise
6. Traditional Security No Longer Works
7. Policy and Process Reign Supreme
Conclusion: The Security Role of the CEO

Unless you’ve been living under a rock, you probably realize what a hot-button issue information security has become for the modern enterprise. Maybe you’ve already mobilized a C-level security executive to develop a comprehensive security program, maybe you’ve just asked your CIO to get a handle on things, or maybe you’re just fantasizing that security incidents can’t possibly happen to a company like yours. Either way, you probably recognize the magnitude of trouble companies face when a breach, caused by their practices, hits The Wall Street Journal. And like many CEOs, you at least have an inkling that your company has room to improve its security practices.

Currently, there exists a troubling disconnect between information security personnel and top decision-makers within the enterprise. According to last year’s Ernst and Young global security survey, almost one-third of information security professionals never meet with their board of directors, and most meet less than once a quarter with their corporate officers and business unit leaders.

If that sounds like your organization, then keep reading. Hopefully, once you’ve finished this ebook, you’ll see how important your role is in maintaining a secure environment, why it isn’t a good idea to cross your fingers and hope the tech guys have everything under control and why compliance with security regulations won’t solve all of your problems.

As a CEO, I understand the complexities and nuances of leading an organization to profitability and success. And as an expert in the security industry, I also have a clear picture of how the very best businesses protect themselves. These two perspectives put me in a good position to talk to you—CEO to CEO—about the most important components of information security and why you should know about them. There’s no marketing mumbo-jumbo here, just straight talk about a topic that can very well impact your bottom line and the ability for your business to deliver its product to customers.

Pat Clawson
Chairman & CEO, Lumension Security™, Inc.
1. Security is a Boardroom Issue

Contrary to what some CEOs may think, information security is absolutely a boardroom issue. Even though it sometimes may seem as if security issues end up being mired in technical details, it is clear that ignoring them altogether can impact the bottom line, the brand and shareholder value. These aren’t technology issues; these are core business issues.

If a business chooses not to set security policies, or sets them so loosely that they suffer a highly publicized attack, it could find itself ostracized by its largest customers and partners. These types of risks are boardroom issues and they should be discussed by you and your advisors, no matter what their technical background looks like.

Currently, most executives only focus on security in relation to complying with security regulations such as HIPAA, Sarbanes-Oxley and PCI Data Security Standards. In last year’s 10th annual Ernst & Young global information security survey, approximately 64 percent of corporate executives reported compliance as the principal information security driver.

Clearly, your peers are standing up and listening because their feet are being held to the fire by regulators. In some ways, this can be a good thing. It has definitely helped bump up overall awareness of security topics amongst the C-suite. As one of my customers puts it, his department is starting to finally get the input he believes information security personnel should have.

“In the last few years, I’ve started to see a change. Traditionally, we’d be ignored,” he says. “Even if you’re a C-level person, you never really got the inclusion that the rest of the C-suite did. That’s starting to change. I find my department becoming included in more business decisions. Anytime people are looking to do their due diligence in acquisitions and mergers, we’re consulted.”

But compliance as a security driver is a double-edged sword. According to John Pescatore, analyst with Gartner Research, executives and board members should not be so quick to throw their security spend on compliance efforts.

“Really, it is dangerous to hang your hat on compliance as a justification for everything,” Pescatore says. “From a boardroom point of view, we think security should be protection-driven, not compliance-driven.”

Video: Lumension Security’s Chairman and CEO Pat Clawson sits down to provide executive-level insight into effective and data-centric corporate security.
The way he sees it, compliance fines pale in comparison to the cost of an actual security incident that can occur when proper precautions are not put into place. If an otherwise compliant organization misses a certain piece of the security puzzle, not included in “XYZ” regulations, and suffers a “denial of service” attack, then it stands to lose a lot more in lost revenue than if it had been secure but non-compliant.

CEOs really need to eliminate the mentality that being compliant with regulations means their organizations are secure. Compliance is a measurement against regulatory standards, not necessarily a measurement of overall security. Look at the recent breach at New England’s Hannaford Brothers grocers. In that case, the company claimed that it was PCI compliant when the incident occurred. Even if this claim was true, compliance didn’t shield Hannaford in the court of public opinion—and it won’t shield your organization if something similar happens to you.

In my opinion, there is definitely a wide-scale wake-up call that still needs to happen at the executive level in regards to this security compliance misconception.

Executives need to oversee a security program that meshes the security needs of their specific organization with the demands of regulators to prove security. They need to recognize that the organization has an ultimate responsibility to secure its data and that of its customers.

“What I tell CEOs is make sure your security program is protecting your customers and protecting your business. Then give the auditors what they need for you to demonstrate compliance,” Pescatore says. “Decide what controls are needed to protect the business and customer data and then add some additional reporting functions that demonstrate compliance for all of them.”

This is not only a safer and saner way of doing things, it is usually cheaper to boot.

Guidance for Boards of Directors

“To achieve effectiveness and sustainability in today’s complex, interconnected world, security over information assets must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department. Implementing effective security governance and defining the strategic security objectives of an organization are complex, arduous tasks. They require leadership and ongoing support from executive management to succeed. Developing an effective information security strategy requires integration with and co-operation of business unit managers and process owners. A successful outcome is the alignment of information security activities in support of organizational objectives. The extent to which this is achieved will determine the effectiveness of the information security program in meeting the desired objective of providing a predictable, defined level of management assurance for business processes and an acceptable level of impact from adverse events.”
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006
2. The Costs of Ignoring Security

Many of the most publicized security failures in recent years can be attributed to short-sighted leadership decisions to save a few bucks on security in the short term. Take TJX’s (TJ Maxx) record breach of 94 million customer records—it all came as a result of an upper level management directive to wait on upgrading wireless security.

As a CEO, what risk to the bottom line are you willing to assume for the sake of saving a few dollars in the coming years’ budgets? In TJX’s case, they’ve paid hundreds of millions of dollars as a result of the breach—many, many times the amount it would have cost to upgrade their technology and practices.

Last year, one of the security gurus with Forrester Research took a quantitative look at just how much poor security practices were costing enterprises. Analyst Khalid Kark found that the average security breach can cost a company between $90 and $305 per lost record. The financial effects can be staggering for a company with millions of customers.

Kark used a number of very real factors to come up with this projection. First of all, data breach legislation in most states now puts companies on the hook to disclose any data breach to those affected. Just the sheer cost of going through notification proceedings can put a big dent in the bottom line. Add to that the cost of litigation, regulatory punitive fees and the cost of consultants to perform an investigation of the breach and it becomes clear why breaches cost so much. The shame of it all is that once this money has been laid out, the new scrutiny you’ll face will force your company to spend more on the security program you should have implemented in the first place. Why not spend that money up front and avoid all of those millions in breach costs?

The largest cost associated with ignoring security, however, still may not be completely quantifiable. The loss of brand equity is a huge risk posed by lax security practices, one which many CEOs need to address. Brand is the bedrock upon which most major enterprises build. When that bedrock cracks, many businesses have a hard time recovering.

Remember ValuJet? The high-flying discount airliner had a quality brand in the mid-1990s until one of its jets crashed into the Everglades in 1996. The disaster proved

Video: Cutting the Cost of Compliance Without Compromising Security. Pat Clawson sits down to discuss the biggest compliance challenges and how organizations can effectively address compliance.
so damaging to the ValuJet brand that the company had to buy AirTran for its identity and completely purge the ValuJet brand from its corporate memory.

Granted, a large security breach will rarely result in the loss of human life. But the ValuJet incident still offers a stark lesson in how corporate negligence can destroy a brand.

If a large bank is found to be at fault for not protecting its data assets, and customer information is spread around the world, the event will hit the news. In turn, that organization will lose brand equity, lose existing customer loyalty, and will have a harder time drawing new customers with its now-damaged reputation. The same goes for health care companies, insurance companies, big retail chains, you name it.

In a 2006 study conducted by the CMO Council, over 50 percent of consumers said they would either strongly consider or definitely take their business elsewhere if their personal information were compromised by a business. Even more disconcerting, more than half of business executives said they would either consider or would recommend taking their business elsewhere if a business partner suffered a security breach that compromised their corporate or customer data.

Interestingly, the CMO Council study also found 60 percent of marketers believe that security and IT integrity offer an opportunity for brand differentiation. Yet 60 percent of these same marketers said security has not become a more significant theme in their company’s messaging and marketing communications.

Clearly, executives who choose to ignore security are not only gambling their company’s brand and good name, they’re also losing an opportunity to differentiate themselves from the rest of the crowd.

What I Wish My CEO Knew About Security…

“The most difficult part of being a CSO or CISO is getting CEOs and CFOs to understand that IT security is a part of life, just like fire and flood insurance. You hope you never need to use it, but if you don’t have it and you have a fire, you can lose everything. If you don’t have a strong information security practice in place, the same thing can happen. Support is key, and if you work with your CEO and help him or her understand what value IT security has on the big picture, this will go a long way in gaining the support of different business divisions. If you educate everyone from the top down, it helps tremendously.”
Richard Linke, Vice President and CSO for Global Security Management Inc.
3. Well-Organized & Focused Cybercriminals

CEOs really need to stop deluding themselves and understand that their information is worth being stolen. If your data is poorly protected, your business is essentially just setting out gold bars in an unprotected window so that any opportunistic bad guy can come and take what he likes. Some of the “gold bars” are different for each business–perhaps secret recipes for food manufacturers, blueprints for engineering firms, programming code for software developers. Other “gold bars” transcend industry verticals. Every business risks confidential information about partners, sensitive customer data and potential sales leads when they don’t shore up security.

The cat is out of the bag that all of these data tidbits are worth a considerable amount to competitors and identity thieves—most modern hackers already realize this and are well on their way to figuring out how to steal yours without you even knowing it.

See, it used to be that the bad guys in cybercrime were simple script kiddies, just in it for the rush of defacing company property and getting their props from news reports. Their attacks were meant to be visible, so it was very clear when they occurred. But money changed all of that—hackers saw a dollar sign attached to the technical feats they could accomplish and they switched gears. Nowadays, the crooks are trying to fly under the radar, sneaking in to pillage data stores undetected so they can do it again and again to the same target-rich environments. In poorer Eastern Bloc countries, hacking corporate systems is a job for some people. They go to work and hack American companies for other companies or for well-organized crime rings perpetuating identity theft.

The enormous payouts from such antics have driven cybercriminals to dial up their risk thresholds and their ingenuity levels. “Cybercrime today is targeted, it hits deeply, it tries to be stealthy, rarely making the news, and often those attacks on a damage-per-incident level are 10 to 50 times higher than the costs of things like the Slammer worm and other high-profile attacks we used to see,” says John Pescatore, analyst with Gartner Research. “It’s way higher than what a simple virus used to cost us.”

In 2007, the U.S. Government Accountability Office estimated that cybercrime costs the economy $117.5 billion a year. And yet, I still hear CEOs ask, “What would they want with my organization? They’ve got better targets to attack. It’s not like I’m a Fortune 500 company.”

That thinking is all wrong. The thing is that most hackers are smart enough to recognize that smaller companies don’t spend the kind of money and effort securing their information that the big boys do. If you aren’t spending on security, then you become the better target to attack.

Think about it. If I’m a hacker planning to make some money by selling personal identifiable information to an identity thief, who would I rather attack? A large multinational bank that likely has billions of dollars invested in information security? Or a small credit union that probably hasn’t fully secured its systems? It’s like asking a burglar whether he’d rather sneak into a house with unlocked doors or crowbar his way into a deadlocked home. He’ll pick the unlocked house every time.

Cybercrime Economy

Cybercrime has grown into an extremely mature black market with major players often employing more sophisticated business methods and partnerships than many legitimate businesses. Tom Espiner with CNET wrote a particularly illuminating summary of the cybercrime ecosystem in his article, “Cracking Open the Cybercrime Economy,” published Dec. 14, 2007:

“Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as [...]. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account. Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as “money mules,” can also take up to 50 percent of the funds to move the money via transfer services. Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.”
4. Increasing Insider Threats

It isn’t just those well-funded adversaries outside the business that you, as a CEO, must worry about either. There are also numerous threats much closer to home—literally inside the business.

According to Gartner analysts, 70 percent of the security incidents that cost enterprises money involve insiders in some way or another. Companies often spend so much time and money worrying about threats outside the enterprise walls they often forget about the dangers that lurk within. The risks posed by employees and trusted partners can run from out-and-out fraud, all the way down to simple user errors that cause system insecurity and open them up to attack. Typically, both are caused by lack of controls and poor oversight of employee computer activities.

Especially damaging are the cases of intentional theft when employees remain unmonitored or have uncontrolled access to sensitive data or systems.

It happens all of the time, and in many cases the damages can be in the hundreds of millions of dollars. In February 2007, it came out that a senior chemist at DuPont stole $400 million worth of data and tried to leak it to a third party. In just a six month period, this trusted employee downloaded about 22,000 abstracts and 16,700 documents. He was eventually ferreted out by DuPont’s IT staff and taken to trial for his transgressions—but for every one of those caught there are many more who actually get away with it.

As a CEO, I understand that trust is an important part of running a business. But I also realize that while I can trust people up to a certain extent, I have to set boundaries around trust.

Just as a company wouldn’t think twice about auditing the books and double-checking ledgers, it should be standard practice to keep track of access to valuable data assets and risky computing activities that could cost the business a mint. Too many companies choose not to monitor employee interaction with intellectual property and sensitive data, and eventually pay a steep price for their lack of verification. And even those who choose to monitor general staff forget to watch the waters, leaving IT administrators with far more account access privileges than their jobs require. Besides, even the most trustworthy insiders are capable of triggering a security event that can send a business reeling.

Video: Debunking the Most Common Myths About Data Protection. Lumension Security’s Senior Vice President of Business Development Rich Hlavka sits down to debunk the most common myths about data protection.
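The ebook's point that access to valuable data and administrators' privileges should be tracked the way the books are audited can be made concrete. The following Python script is an added example, not code from the ebook or from Lumension: it runs two insider-threat checks over constructed access records, a sliding-window bulk-download detector (the shape of the DuPont case above, where one account fetched tens of thousands of documents) and a comparison of each account's granted privileges against what its job role is entitled to. Every user name, role, privilege name, threshold and log record below is constructed for illustration.

```python
"""Added example (not from the ebook): two insider-threat checks a defender can
run over document-repository access records. All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access records as (timestamp, user, document) tuples.
    Four analysts fetch six documents a day for a week; one account pulls
    300 abstracts in a single afternoon, the bulk-download pattern."""
    base = datetime(2007, 1, 15, 9, 0)
    records = []
    for day in range(7):
        for user in ("analyst1", "analyst2", "analyst3", "analyst4"):
            for i in range(6):
                ts = base + timedelta(days=day, minutes=10 * i)
                records.append((ts, user, f"doc-{day}-{i}"))
    for i in range(300):  # the outlier account (constructed)
        ts = base + timedelta(days=3, hours=4, seconds=20 * i)
        records.append((ts, "chemist7", f"abs-{i}"))
    return sorted(records)


def max_downloads_in_window(records, window=timedelta(hours=24)):
    """Per user, the largest number of downloads seen in any sliding window
    of the given length (two-pointer sweep over the sorted timestamps)."""
    per_user = defaultdict(list)
    for ts, user, _doc in records:
        per_user[user].append(ts)
    peaks = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def bulk_download_alerts(records, threshold=50, window=timedelta(hours=24)):
    """Accounts whose peak download count in any window exceeds the threshold.
    The threshold is a constructed value; a real deployment would derive it
    from each role's normal volume."""
    peaks = max_downloads_in_window(records, window)
    return {user: n for user, n in peaks.items() if n > threshold}


# Constructed least-privilege map: which privileges each job role is entitled to.
ROLE_ENTITLEMENTS = {
    "analyst": {"read_docs"},
    "it_admin": {"read_docs", "manage_accounts", "backup_restore"},
}


def privilege_drift(grants, roles, entitlements=ROLE_ENTITLEMENTS):
    """Privileges a user holds that their role does not entitle them to.
    A user with no known role is entitled to nothing, so every grant is drift."""
    drift = {}
    for user, held in grants.items():
        allowed = entitlements.get(roles.get(user), set())
        extra = set(held) - allowed
        if extra:
            drift[user] = sorted(extra)
    return drift


if __name__ == "__main__":
    records = build_sample_log()
    print("bulk download alerts:", bulk_download_alerts(records))
    # Constructed grants: an analyst with an admin right, and an administrator
    # holding a privilege no role on the list is entitled to.
    grants = {
        "analyst2": {"read_docs", "manage_accounts"},
        "ops1": {"read_docs", "manage_accounts", "backup_restore", "disable_audit_log"},
    }
    roles = {"analyst2": "analyst", "ops1": "it_admin"}
    print("privilege drift:", privilege_drift(grants, roles))
```

The download check keys on volume per account rather than on any one document, which is why the six-a-day analysts never trip it while the outlier does; the privilege check is the "boundaries around trust" the text asks for, expressed as a role-to-entitlement table that an auditor can read.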
“The insider threat hasn’t gone up; there have always been dishonest employees,” Pescatore says. “What has gone up, and what the real insider threat is employees trying to do their jobs using technology that we didn’t first make safe. And then, oops, information is either accidentally exposed or left open such that a fairly simple cyber attack can get to it. That represents the majority of growth of insider incidents.”

Some employees may not know they are doing anything wrong. They’re just doing what they think needs to be done to do their job. Everyone within the security field has heard of numerous cases of people copying sensitive databases to their mobile devices and bringing them home from work. It happens every day, and every day that your employees do this, they are putting your organization at serious risk. If that device is lost or stolen, you face a serious breach with all of those costs I mentioned earlier.

Does your organization have a way of tracking how information is being copied and transported? Does it have a way of protecting the data at rest, in motion and in use? As a CEO, you should at very least know the answer to those questions, because your job very well may depend on it.

Because employees and trusted partners with access to your information will take risks if they aren’t aware of them, education plays a big part in curbing insider threat. Education is huge because simply telling errant employees not to do something doesn’t always have the desired effect. People sometimes justify bad behavior when they are under-the-gun; they think, “I’ll just do it this once,” or “They didn’t really mean it when they said not to do this.” It is the job of your information security department to educate users and make sure they understand why taking certain actions puts the business at risk. And it is your job as the CEO to back up the Chief Information Officer (CIO) and to really emphasize the stakes at hand. Often the only way employees will listen is if the directive comes from the top, so give your infosec personnel some support.

Education can’t do it alone, however. The only way to truly keep insiders to their word is through automated policy enforcement, smart monitoring technology and effective use of account restrictions.

Did You Know?

Most insider events are triggered by a negative event in the workplace.
Most perpetrators had prior disciplinary issues.
Most insider events were planned in advance.
Up to 87 percent of attacks didn’t require advanced technical knowledge.
Approximately 30 percent of incidents happened at the insider’s home through remote access.
From the Insider Threat Study conducted by the National Threat Assessment Center of the U.S. Secret Service and the Software Engineering Institute at Carnegie Mellon University, 2005
5. Emergence of the Borderless Enterprise

Many business-side leaders don’t fully appreciate all of the holes and points of weakness that exist in their network today. They figure that after green lighting the CIO to spend buckets of money on firewalls and other network defenses, the organization should be pretty well fortified against assault. The problem is that since that money has been spent, the enterprise has changed and the CIO has been forced to change the technology that supports the business. In this age of super-connectivity, they’ve been asked to provide more ways to give employees and partners access to information.

In the process, insecure systems that were never meant to be connected to the Internet are now online. Information portals are poking holes in the network infrastructure all over the place, data is leaving the network on portable storage devices, and mobile devices are enabling people to move outside the network with sensitive data while coming back onto the network with infected systems.

Plus, as I just mentioned, you have got lots of potential “bad apple” employees who are automatically allowed access inside network boundaries. It has gotten to the point where there isn’t an impenetrable border around the enterprise anymore.

Unfortunately, most businesses have been unable to adjust their security programs to account for this borderless enterprise. In a study of 735 CIOs conducted by the Ponemon Institute in 2007, more than 60 percent of them said their organizations still place more importance on network security issues than any other. Approximately 62 percent said their off-network controls are not “rigorously managed.” And yet, 62 percent said that they have a lot of unprotected confidential information on off-network systems. This assumption of risk has led to a much higher rate of incidents involving those off-line devices—nearly 75 percent of the managers surveyed had one of these devices lost or stolen in the last two years, and of those, 42 percent involved the loss of sensitive information.

Video: Mobile Devices: The New Mobile Threat. Lumension Security’s Vice President of Security Technologies, Chris Andrew, sits down to discuss how security has moved beyond the endpoint with the convergence of business and personal tools.
These numbers aren’t meant to scare you. I’ve brought them to light so that you understand why your CIO keeps knocking on your door to talk about data protection—these days, that is the name of the game in security. Executives today must recognize that security is no longer about fortifying the network, it’s about protecting the data. We’ve already established that the crooks aren’t looking to simply break your network. They want to get their grubby little hands on your data.

These bad guys are no dummies—they know how to exploit holes in the network and how to take advantage of offline systems and endpoints in order to gain future access to your data stores. If the endpoints and the data are protected, it becomes a lot harder for the criminals to steal information.

Your technology leaders must be able to satisfy the needs of your staff and partners to access appropriate data while maintaining appropriate control and monitoring of that information to ensure it remains safe. In the end, organizations need to make sure they’re not giving away too much free access at the expense of the company’s well being.

What I Wish My CEO Knew About Security…

“For me, it’s got to be the application level security and code-security. In our company and a lot of companies, security is still seen as an IT process, you do some IT things, development does their things. Making the argument that code security, revision control are so absolutely important that often times they can be the invalidation of all the controls that I’ve put around things. If someone screws up and makes a code error, it’s now dumping your databases to the Internet. So, that’s going to become one of the next hot items – database and web application security in multiple ways. Getting some kind of insight into your code’s security is very important. It’s not being properly communicated by anyone at this point. Mostly because people don’t have a hard grasp of the application threat landscape. There are a few people who understand it, and to my knowledge, they work for their own companies. They’re independent contractors. They’re not convincing CEOs that that’s important. A lot of the other people out there just haven’t gotten it yet.”
William Bell, Director of Security for [...]
6. Traditional Security No Longer Works

So now that the climate has changed and we operate within a borderless enterprise, it is imperative for company and technology leadership to realize that the security model they’ve depended on for so many years is broken.

Simply installing antivirus and firewall perimeters no longer helps businesses effectively defend themselves. There are too many ways around the network perimeter. Those well-funded criminals I already talked about are using clandestine code that cannot be detected by mass-marketed antivirus software, which only offers protection from known attacks.

That’s not to say that these older technologies no longer have a place in the enterprise. They still do a reasonable job protecting enterprises from old attacks and act as a good, existing first layer of defense.

“The real key is figuring out how to make the perimeter security less expensive and then be able to deal with where the threats are starting to bypass the traditional forms of security,” says Pescatore, “because there are new forms of attacks and there are always these waves of old attacks that come back.”

We recently had a customer say to us, “I can’t tell you how many of my peers find it easy to fund and implement perimeter security, but find it harder to do so for the needed internal security.”

Executives must have their technical staff focus on the squishy center that exists inside that perimeter exoskeleton they’ve built up over the years. Otherwise, crafty bad guys are going to attack from the inside out.

Think about it, with all of your employees demanding connectivity online and online portals directing customers and partners to data from the outside, there are loads of little back doors leading directly into networked data stores. And if I’m a bad guy, why would I try to go through the fortified front door when I can just waltz through the back door and ride the wave of connectivity directly to your most valuable data? Why attack the network directly when I could simply get an employee to visit an infected website that will load a Trojan onto their system and will grant me access into their system and into wherever it is connected?

Video: How to Make Whitelisting Operationally Efficient and Manageable. Lumension Security’s Senior Vice President of Americas, Matt Mosher, sits down to discuss the advancements in Endpoint Security with Operational Whitelisting.
If you have nothing to prevent that, they’ve already won. They’re establishing an outbound connection right back to their system, which means you’re toast and your firewall means nothing.

Businesses that have recognized the death of security as they once knew it have kept their protection programs up to date by shifting focus to areas such as internal network security and monitoring, endpoint security and configuration management. Most importantly, the most successful security practitioners have begun to supplement the old guard in technology with proactive security through whitelisting.

Unlike the traditional method of blacklisting the “known bad” programs and applications, whitelisting only lets the “known good” execute within the enterprise environment.

“Both the threat environment has changed and our priorities have changed so that we really need to get into protecting the information itself,” Mogull said. “So that’s where the concept of information-centric security comes from. Which is why people are saying ‘Why don’t we look at the tools and techniques we need to protect the data and not just protect our networks?’” - Rich Mogull, Securosis, from March 200 Baseline Magazine article.

Sidebar video: Vulnerability Management in a Web 2.0 World. Senior Director of Solutions and Strategy, Don Leatham, sits down to discuss Vulnerability Management challenges in a Web 2.0 world, and how to defend against these threats.
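To make the blacklist-versus-whitelist distinction from the whitelisting paragraph above concrete, here is an added Python example; it is not from the ebook or from Lumension, and the sample binaries, their hashes and both list contents are constructed for illustration.

```python
# Added example (not from the ebook): blacklist vs. whitelist execution control
# evaluated over a constructed set of program-launch events.
import hashlib

# Constructed sample "binaries": name -> bytes. In a real deployment the hash
# is computed over the executable file on disk.
SAMPLE_BINARIES = {
    "winword.exe": b"constructed sample of an approved office application",
    "chrome.exe": b"constructed sample of an approved browser",
    "update_helper.exe": b"constructed sample of a known-bad dropper",
    "invoice_viewer.exe": b"constructed sample of a never-before-seen trojan",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Blacklist: the "known bad" hashes a signature-based antivirus knows about.
KNOWN_BAD = {sha256_hex(SAMPLE_BINARIES["update_helper.exe"])}
# Whitelist: the "known good" hashes the enterprise has approved to run.
KNOWN_GOOD = {sha256_hex(SAMPLE_BINARIES[n]) for n in ("winword.exe", "chrome.exe")}

def blacklist_decision(digest: str) -> str:
    """Default-allow model: only an executable already on the bad list is blocked."""
    return "deny" if digest in KNOWN_BAD else "allow"

def whitelist_decision(digest: str) -> str:
    """Default-deny model: only an executable on the approved list may run."""
    return "allow" if digest in KNOWN_GOOD else "deny"

def evaluate(events):
    """Apply both models to each launch event (name, bytes) and record whether
    the executable is unknown to both lists: new, unsignatured code the
    blacklist waves through but the whitelist stops."""
    report = []
    for name, data in events:
        digest = sha256_hex(data)
        report.append({
            "name": name,
            "sha256": digest,
            "blacklist": blacklist_decision(digest),
            "whitelist": whitelist_decision(digest),
            "unknown": digest not in KNOWN_BAD and digest not in KNOWN_GOOD,
        })
    return report

def unknown_executables(events):
    """Executables that slipped past the blacklist but are not approved: the
    inventory an audit-mode whitelist rollout surfaces before enforcement."""
    return [r["name"] for r in evaluate(events) if r["unknown"]]
```

Running `unknown_executables(list(SAMPLE_BINARIES.items()))` returns only the never-before-seen sample, which the blacklist allows and the whitelist denies.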
7. Policy and Process Reign Supreme

One of the real dangers of working with technical executives is that some of them tend to fall so completely in love with certain technologies that they fail to remember their overarching goals. This particular malady infects a lot of people in security, who unfortunately focus on buying and implementing tools they view as a panacea.

As a CEO, you probably already know that there’s no product in the world that can completely solve a complex business problem. It is no less true for information security than for anything else in the business.

As in many other aspects of the business, tools support a solid foundation laid by effective policies and processes. It is your job as the head honcho to guide your Chief Information Security Officer (CISO) to make sure he or she isn’t using technology as an ineffective crutch.

“So if every time there’s a problem and the only thing your CISO is suggesting is technology, you should poke ’em with a stick,” Pescatore says. “You should say, ‘Wait a minute, where’s the process change or the other things that always have to go with technology to make it work?’”

These “other things” need to include risk assessment, standardized procedures, boundary setting around what employees should and shouldn’t be doing with systems and data, and also setting baselines on how systems are configured. From there, the technology can monitor and enforce all of those policies and procedures, providing reporting to prove to the auditors that everything is working.

“Information security by technical means is not sufficient and needs to be supported by policies and procedures,” wrote Chaiw Kok Kee in a SANS Institute whitepaper on security policies. “Security policies are the foundation and the bottom line of information security in an organization. Depending on the company’s size, financial resources and the degree of threat, we have to set up a security policy that finds the right balance between overreacting and exposing your system to any and every hack.”

Sidebar: 5 Basic Tenets of Information Security

“Information security governance requires senior management commitment, a security-aware culture, promotion of good security practices and compliance with policy. It is easier to buy a solution than to change a culture, but even the most secure system will not achieve a significant degree of security if used by ill-informed, untrained, careless or indifferent personnel. Information security is a top-down process requiring a comprehensive security strategy that is explicitly linked to the organization’s business processes and strategy. Security must address entire organizational processes, both physical and technical, from end to end.

The five basic outcomes of information security governance should include:
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives”

- Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2006
If your CISO is doing a good job setting policies, the SANS policy guidance suggests that he or she will be:
- Identifying all of the assets that need to be protected
- Identifying all of the vulnerabilities and threats and the likelihood of the threats happening
- Deciding which measures will protect the assets in a cost-effective manner
- Communicating findings and results to the appropriate parties (i.e. you and the board)
- Monitoring and reviewing the process for improvement along the way

The responsibility for security oversight and policy development doesn’t rest solely on the CISO’s shoulders, either. As chief executive, you should also be guiding a program of information security governance that reaches far beyond the IT department.

Sidebar: What I Wish My CEO Knew About Security…

“If I could have a CEO boot camp, I’d say, ‘Make sure you put security top of mind to all of your direct reports: your CFO, your CIO, your HR people, your sales people and so on,’” Pescatore says. “For most businesses today, the product is information and security is key. So you have to make sure that your top reports understand that security is part of their evaluation. It’s not just the CIO’s responsibility. It is part of life for every one of your direct reports.”

“Information security is not simply an IT issue. Information security is the responsibility of every employee beginning with the CEO. Awareness, detection and remediation are also everyone’s responsibility. We can invest in tools that will mitigate the risk, and tools to audit how well we are mitigating the risks, but at the end of the day, it is the individual users who most significantly impact the security of information at an organization. If we start with the idea that the management of the investment we have in information is of paramount importance, we will make decisions that ensure its security throughout all levels of the organization. In this way, the products, policies, procedures and audits you put in place will not be sidestepped, downgraded or ignored for the comfort of the end user.” - Tony Hildesheim, Vice President of Information Technology, Washington State Employees Credit Union
Conclusion: The Security Role of the CEO

Obviously, chief executives don’t play a detailed day-to-day role in information security. You probably don’t know how to administer a vulnerability scanner, nor should you. But understanding security can have such a dramatic effect on an organization’s bottom line that it is clear CEOs need to provide strong leadership on the matter.

According to many of the CISOs we speak with here at Lumension Security, the only way to get user buy-in for major infosec initiatives is by relying on support from the top of the food chain. As a CEO, you have a chance to set a culture of security that permeates into every silo, department and remote office you maintain. As our customer Bell puts it, “When it comes from the CEO, it’s a bigger deal than when it comes from the security officer. You’re going to get more penetration through your enterprise. The folks in accounting are going to go, ‘Oh! It’s the CEO!’ They don’t care about me, but they’ll listen to the CEO. There are a lot of companies with silos that are so deep these days that the security departments don’t have a lot of visibility. If you can work to get some kind of company message, it’s helpful.”

The CEO has to be the one that constantly challenges the organization to understand its risks and needs to be constantly reviewing security progress as part of the quarterly review process. Are we right on track with initiatives? Have we suffered any incidents lately? Have our competitors? What new threats are cropping up? These are the types of questions that the CEO must ask of the CIO or CISO on a consistent basis in order to keep that company messaging relevant. It should be an ongoing, dynamic process instead of one where the CEO is simply the recipient of information.

Sidebar video: A Practical Approach to IT Security Risks. Pat Clawson discusses how organizations can implement a practical approach to identifying, prioritizing and responding to IT security risks.
Lumension Security™, Inc., 150 N Greenway-Hayden Loop, Suite 100, Scottsdale, AZ 5260

7 Things Every CEO Should Know About Information Security is licensed under a Creative Commons Attribution 3.0 United States License.