Uploaded byEMC
3,001 views

Information Security Shake-Up

This document discusses how disruptive technology trends in 2013 such as cloud computing, social media, big data, and mobile device adoption will impact information security programs and strategies. It identifies gaps that security teams need to address to keep pace with these innovations, including boosting business and risk management skills, building relationships with middle management, tackling IT supply chain issues, and developing technical action plans around cloud computing, social media, big data, and mobile device competencies. The report provides perspectives from C-level security executives on how to navigate the changing landscape and ensure information security teams have the right skills and strategies to enable innovation over the next year.

Technology
Related topics:
Information Security

Embed presentation

Downloaded 30 times
A Special Report by the Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013 FEATURING THE PERSPECTIVES OF C-LEVEL SECURITY EXECUTIVES FROM: ABN Amro Coca-Cola Fidelity Investments Johnson & Johnson TELUS ADP, Inc. eBay Intel JPMorgan Chase T-Mobile USA Airtel EMC HDFC Bank Nokia Walmart AstraZeneca FedEx HSBC Holdings plc. SAP AG An industry initiative sponsored by RSA
* Contents REPORT HIGHLIGHTS 2013 PROMISES A FAST AND BUMPY RIDE 2 TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY 3 1. Cloud Computing Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 2. Social Media Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 3. Big Data Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 4. Mobile Devices Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 ADDRESSING THE GAPS 5 Boost Business and Risk Skills>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Court Middle Management>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Tackle IT Supply Chain Issues>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Build Tech-Savvy Action Plans>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6 1. Cloud Computing Competencies>>>>>>>>>>>>>>>>>>>>>>>> 6 2. Social Media Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>> 7 3. Big Data Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 4. Mobile Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 CONCLUSION/ ABOUT THE SBIC 10 REPORT CONTRIBUTORS: SECURITY FOR BUSINESS INNOVATION COUNCIL 11 Disclaimer – This Security for Business Innovation Council Report (“Report”) includes information and materials (collectively, the “Content”) that are subject to change without notice. RSA Security LLC, EMC Corporation, and the individual authors of the Security for Business Innovation Council (collectively, the “Authors”) expressly disclaim any obligation to keep Content up to date. The Content is provided “AS IS.” The Authors disclaim any express or implied warranties related to the use of the Content, including, without limitation, merchant- ability, suitability, non-infringement, accuracy, or fitness for any particular purpose. The Content is intended to provide information to the public and is not legal advice of RSA Security LLC, its parent company, EMC Corporation, their attorneys or any of the authors of this SBIC report. You should not act or refrain from acting on the basis of any Content without consulting an attorney licensed to practice in your jurisdiction. The Authors shall not be liable for any errors contained herein or for any damages whatsoever arising out of or related to the use of this Report (including all Content), including, without limitation, direct, indirect, incidental, special, consequential, or punitive damages, whether under a contract, tort, or any other theory of liability, even if the Authors are aware of the possibility of such errors or damages. The Authors assume no responsibility for errors or omissions in any Content. 2| SBIC special Report | RSA, The Security Division of EMC
Report Highlights in 2013, a cluster of the gaps must be addressed Build Tech-savvy Action disruptive innovations will in order for information-security Plans: Security teams must continue transforming teams to keep pace with their build specific competencies and enterprise IT and hammering organizations’ technology action plans for enabling these at the very foundations of aspirations. innovations: information-security strategies For cloud computing focus on: Boost Risk & Business • optimizing cloud vendor this year promises several Skills: Information-security management major developments teams have long lobbied to be • solving controls assurance in enterprise adoption of: perceived as business enablers • realigning the IT budget to • Cloud computing: Many organiza- not inhibitors. Now that many cover the costs of cloud security tions are preparing to move more are, they don’t have the right • sharpening technical proficiency business processes – even mission- skills. To meet the swelling in virtualized environments critical apps and regulated data – demands to enable innovation, to the cloud. For social media focus on: security teams must rapidly • working with a multidisci- attain risk management and plinary executive team to • Social media: Based on social me- dia’s new-found powers to influence business skills. develop policy and codes of consumer purchasing behavior, conduct many organizations are elevating Court Middle Management: • developing proactive incident it to a strategic endeavor. At most organizations, the response plans C-suite “gets it” but security • training end users • Big data: Evidence of competitive teams now face resistance from • monitoring social media advantage is compelling more channels organizations to begin big data middle managers who don’t projects to gain market and want to expend their resources For big data focus on: business intelligence. on security. Security teams must • understanding the complex build these relationships, helping security issues created by • Mobile devices: Organizations are middle managers to understand amalgamating and processing experiencing a surge of consumer huge volumes of customer, security’s value. mobile devices accessing corporate market or business data networks and storing corporate • getting in on the ground floor data. Tackle IT Supply Chain of big data projects Issues: Organizations are • ensuring access control these trends will have a accelerating the implementation governance big impact on information- of new technologies just as there • developing a plan to leverage security programs, revealing is growing concern about the big data technologies for better significant and growing gaps integrity of globally sourced IT threat detection including a lack of business components. Comprehensive For mobile devices: skills, relationships, supply chain programs are required to • Download the recent compre- management, and tech-savvy evaluate as well as demonstrate hensive report from the SBIC, action plans. trustworthiness of hardware and Realizing the Mobile Enterprise: software. Balancing the Risks and Rewards of Consumer Devices. RSA, The Security Division of EMC | SBIC special Report |1
1 2013 Promises a Fast and Bumpy Ride I n 2013, a cluster of disruptive innovations – cloud computing, social media, big data, and outpace information security, several major developments in enterprise technology delivers specific guidance to fill the gaps and ensure that information-security teams have the “right mobile devices – will adoption are exposing stuff” in order to enable continue transforming significant and growing innovation over the next information systems. gaps in information- 12 months. Conventional approaches security programs. to information security Based on the – such as perimeter perspectives of 19 protections, managed security leaders from Information security isn’t just about IT end-points, signature- global enterprises, the anymore. Trends like cloud computing and based threat detection, Security for Business consumerization are quickly extending the and checklist risk Innovation Council information-security role. It’s about business. evaluations – are (SBIC) has developed It’s about people. It’s about risk management.” breaking down. As the this Special Report to DR. MARTIJN DEKKER speed of technological help navigate the shifting Senior Vice President, Chief Information Security Officer, advances continues to landscape. The report ABN Amro 2| SBIC special Report | RSA, The Security Division of EMC
2 Technology Trends and the Impact on Information Security E nterprises are looking to up the ante in technology adoption this year. Information-security teams should know what to expect and how they will be impacted. 1. Cloud Computing Adoption 2. Social Media Adoption Trend: Many organizations are preparing to move more Trend: Social media has become a major influencer of business processes – even mission-critical apps and consumer purchasing decisions, setting it on course to regulated data – to the cloud. become a strategic endeavor. Familiarity Breeds Trust Serious Business By now, most companies have deployed some form Organizations will be looking at social media of cloud computing, including Software-as-a-Service with a more strategic eye in 2013. A recent survey (82% of companies), Infrastructure-as-a-Service (51% indicates brand following has doubled in the past of companies), and Platform-as-a-Service (40% of two years by Americans who use social media. And companies),1 to capture benefits such as cost savings, of those who use social networking sites at least agility, and scalability. Over the next few years, once a month, 47% say that Facebook has the most spending on public cloud services is predicted to influence on purchasing.6 increase at 19% per year.2 The opportunities to reach customers and create Although supplier lock-in and system availability are positive brand awareness with social media are some of the big concerns with the cloud, security remains huge. The problem is that social networking sites the number one obstacle to adoption. But trust in the also present enormous opportunities for misuse cloud is growing. In a recent survey, 50% of respondents and misinformation as well as malware distribution were confident that the cloud is now viable for mission- and fraud. In fact, 66% of organizations name critical business applications.3 Even regulators are social media as a significant or critical risk to their getting more comfortable with the cloud. The Dutch brand.7 Yet only 38% of organizations have a security banking authority has given Dutch banks the green strategy in place for social networking.8 light to use cloud services.4 Given this confidence, many As organizations increase their use of social organizations are ready to move more business processes media to capture the business benefits, they must to the cloud. But surprisingly, only 30% of organizations also put in place strategies to manage the risks. have implemented a cloud security strategy5 even though Expectations should be set regarding allowable cloud computing has been a growing phenomenon for activity on social sites and policy viewed broadly, years. And even many cloud vendors don’t have sufficient balancing corporate interests with freedom of security programs. expression. Tools and techniques will also be required to mitigate the risks of incidents and Ücome to a The security concernsdemand forcloud adoption will Impact: head. The increasing hindering cloud guard against social-media-based attacks. computing will force organizations to find effective ways to evaluate their providers’ security controls to ensure they meet Ü Impact: Information-security teams must work to actively manage the risks of social media, including requirements, including implementing continuous monitoring. comprehensive policies and effective security controls. 1  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 5  he Global State of Information Security® Survey 2013, a worldwide survey by T 2  artner: Public cloud spending to increase 19 percent annually to 2016, G CIO, CSO and PwC, October 2012 FierceEnterprise Communications, October 23, 2012 6  The Social Habit, Edison Research, July 2012 3  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 7  uarding the Social Gates: The Imperative for Social Media Risk Management, G 4  NB neemt hobbel weg voor ‘outsourcen in the cloud’, Nieuwsbericht, D Altimeter, August 2012 De Nederlandsche Bank NV, (DNB), November 6, 2012 8  he Global State of Information Security® Survey 2013, a worldwide survey by T CIO, CSO and PwC, October 2012 RSA, The Security Division of EMC | SBIC special Report |3
TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY 3. Big Data Adoption 4. Mobile Devices Adoption Trend: Evidence of competitive advantage is compelling Trend: More employees are using their smartphones and more organizations to begin big data projects to gain tablets for work, creating a surge of consumer mobile market and business intelligence. devices accessing corporate networks and storing corporate data. Organizations have to prepare for a world where the dominant endpoint is not a desktop PC, but a Better Threat Detection mobile device. In the information-security community, “big data” is generating considerable hype. The power of analytics Risks Mounting can greatly improve the ability to detect cyber attacks. Big data can be used to spot malicious activity by Heading into 2013, consumer mobile devices continue amalgamating and analyzing system and user to create worrisome risks for organizations – ranging behavior data. It will play a major role in changing the from loss of confidential information to high-profile information-security model to be more effective. security breaches. Research shows that 70% of all smartphone-owning professionals are now using their personal devices to access corporate data, yet almost 80% Good for Business of that activity remains inadequately managed by IT departments.10 The potential benefits of mobile devices It’s not only security that is excited about big data. can include improved productivity and reduced costs. So are marketing departments and many other areas Capitalizing on these opportunities is only possible if of business. Big data can be used to gain deep market enterprises know how to manage the risks. insight, provide tailored customer service, and create operational intelligence. A survey of executives worldwide found that the use of big data has improved Ü Impact: Mobile risksinformation-security teams must To avert major incidents, are reaching a critical mass. their businesses’ performance, on average by 26%. implement strategies that manage the risks while enabling The majority of these companies (58%) claim they will the rewards. Security strategies should assume the end- make a bigger investment in big data over the next point is untrusted. three years.9 This evidence of competitive advantage will spur more organizations to invest in big data. But the relative newness of the space means most do not fully understand the privacy and security risks when customer and business information is being collected, combined, processed, and stored at unprecedented scales and speeds. Üvalue of big data for security and develop a multi-year the Impact: Information-security teams must recognize plan to evolve their security management model to utilize big data to detect and remediate security threats. They also must get in on the ground floor of any new big data projects that the business takes on, in order to understand the risks and develop strategies to manage them. When thinking about big data, information-security teams should not only consider how they can use powerful analytics to detect security events but also realize that business overall is shifting towards the use of big data. Securing big data will require an evolution in data protection controls.” DAVE MARTIN Vice President and Chief Security Officer, EMC Corporation 9 The Deciding Factor: Big Data Decision Making, Capgemini, June 2012 10 Multi-market BYOD Survey, Ovum, September 2012 4| SBIC special Report | RSA, The Security Division of EMC
3 Addressing the Gaps I n 2013, as enterprise adoption migrates from being an IT-focused Tackle IT Supply of technology intensifies, to a business-focused problem, Chain Issues information-security teams face many teams lack the required significant gaps, including a lack skillset. Security professionals Organizations are accelerating of business skills, relationships, must become risk managers and the implementation of new supply chain management, business consultants – translating technologies within their IT and tech-savvy action plans. business requirements into environments just as there is Addressing these gaps will take a security requirements. More growing concern about the commitment to rapid-fire change. and more, the performance of integrity of hardware and security teams will be measured software components. Many of on their ability to enable business, these components are globally Boost Risk and which requires knowing how to sourced, creating complex supply Business Skills tie security programs to business chain issues. Going into 2013, outcomes. organizations must increasingly As the need to protect question whether their IT supply information has become chain can be trusted. However increasingly vital, at most global Court Middle the approach should evolve from organizations the information- Management banning gear to a more holistic security role has become more risk management approach to strategic and is transitioning to an As we begin 2013, most C-suites adopt technology with appropriate “information risk management” and Boards “get it.” The growth of security safeguards. Organizations role. Enabling a set of disruptive information protection regulations should seek assurances regarding innovations is accelerating that and the escalation of cyber all of their suppliers’ technology- trend, forcing a risk management threats mean that most of them development and -delivery perspective versus a security understand the importance of practices. “lock-down” mentality. To capture information security and consider As well, most organizations not the business benefits of new it a priority. Today, it is common only implement IT products technologies, each organization for CISOs to meet regularly with developed by others but also must accurately evaluate how executive leadership and the develop IT, such as custom much risk it is willing to take on Board. In many cases, information applications for use by business to capture those benefits. The security has attained the sought- partners and customers. Whether information-security team must after attention from the top. they develop commercial or work with the business in order to The current resistance to custom hardware or software, understand the risks and develop information-security efforts is two organizations must be able protection strategies to mitigate levels down from the executive to demonstrate that they are them to an acceptable level. level. Middle managers don’t want a trustworthy supplier of IT. This includes identifying the key to use their resources on security. Comprehensive programs will information assets and assessing They are incentivized by timeline be required to evaluate and their value to the organization. and budget; adding security doesn’t demonstrate the integrity of For years, security professionals fit into their objectives. Security the entire IT supply chain, have been lobbying to be perceived teams need to build relationships downstream and upstream. as business enablers rather than with middle managers, helping inhibitors. Now many information- them understand the value of security teams are bombarded information security. It may be with requests to enable innovation. a harder nut to crack than the But as information security C-suite. RSA, The Security Division of EMC | SBIC special Report |5
ADDRESSING THE GAPS Build Tech-Savvy Action Plans Solving all of the security issues that disruptive innovations are creating isn’t going to happen in 2013, but security teams have to make large strides or fall even further behind their organizations’ plans for technology adoption. Security teams must build competencies and specific actions plans in each area. 1. Cloud Computing Competencies Cloud Vendor Management Organizations are ultimately accountable for safeguarding the information handled by their cloud service providers. Cloud computing is forcing information-security teams to switch their focus from implementing controls to assuring that the controls Budget Realignment implemented by others meet requirements. Security The assurance process adds cost on both sides (for teams need to determine “How can we ensure that the cloud provider and the enterprise). Organizations cloud providers can meet our trust level? How do we should recognize that the increasing costs of know they are attuned to our particular threats? Can assurance can reduce any cost savings from moving they meet our regulatory compliance and e-Discovery to the cloud in the first place. As with outsourcing, if requirements?” the process is mismanaged the cost savings may be neutralized. Organizations also need to understand Controls Assurance that in a highly virtualized environment more of IT’s The conventional controls-assurance model is not budget will be needed to address cloud security. One sustainable in the cloud. Client organizations can’t solution is budget realignment – reinvesting a portion go on site to examine the security controls of every of the IT savings the organization achieves by moving cloud service provider, so they expect the providers to to the cloud into managing the risks. provide assurance by answering questionnaires. This is an inefficient process, since the cloud providers’ Technical Proficiency customers all ask the same questions. In order to evaluate the controls, security teams Standardized assessments would help. Industry will need a high level of technical proficiency initiatives, to achieve large-scale sharing of within virtualized environments. When servers assessments, have not had a lot of success so far. It’s and applications are decoupled from hardware, the hard for a large number of organizations to agree on security controls framework is completely different a standard set of controls that will satisfy everyone’s than in conventional IT environments. For example, requirements. Some organizations are beginning software controls (such as hypervisor security to turn to small-scale sharing of assessments. This modules) replace hardware controls. might follow the same model as intelligence sharing Many security teams are still not convinced whereby exchanging information among a small set of regarding the efficacy of cloud security controls. They trusted individuals grows over time. Another possible need to validate the security model for themselves, approach is third-party assessments or certification of understanding the advantages and limitations, in order service providers, such as the AICPA’s SOC 2 Report to oversee cloud providers. Especially in public clouds, on Controls at a Service Organization or the upcoming data co-mingling and data remanence remain big ISO 27017 Standard for Security in Cloud Computing. concerns. Security teams don’t yet have an acceptable In moving to the cloud, security teams need to find level of assurance that cloud service providers can effective ways to measure the health of controls and protect data integrity and confidentiality in a multi- detect failures. The building blocks for attestations tenant environment. Proficiency in cloud security through governance, risk, and compliance (GRC) controls is critical not only for public/hybrid clouds but technology are there, but the process needs to mature. also private clouds. Security teams must have the know- Automated and transparent controls assurance and how to secure virtualized environments within their continuous monitoring will be an important part of the own data centers. solution. 6| SBIC special Report | RSA, The Security Division of EMC
ADDRESSING THE GAPS Cloud Computing Suggested Actions: • lan for increasing P • ake it a general rule to M • everage technologies such L resources for cloud segregate the role of as GRC solutions that vendor management. controls implementation can perform automated from controls assurance to assurance and continuous ensure impartial controls monitoring and provide oversight. visibility into cloud environments. • ake the case to M • ork with auditors in the W • nsure your team has the E earmark a portion early stages of public or technical proficiency to of IT savings that private cloud computing evaluate software controls result from moving to initiatives, to educate them and secure the virtualized cloud computing for about the new security environment. information-security controls in virtualized oversight. environments. • actor in IT savings/ F • nvestigate the possibility I • nvestigate next-generation I security oversight offset of sharing cloud vendor encryption solutions that when making decisions assessments with a small can be used to protect your regarding moving to the number of trusted partners sensitive data in the cloud. cloud. to reduce redundancy and costs. 2. Social Media Competencies It will require an organizational strategy, including a defined code of conduct and an incident Executive Treatment response plan. Defining social media policy takes a The potential scenarios are nightmarish: insiders cross-functional team of executives from security, tweeting pre-released earnings data, developers IT, legal, HR, and communications. It can be a long inadvertently disclosing confidential intellectual process, taking months to set up the initial policy and property in peer forums, employees making requiring ongoing iterations based on learnings and inappropriate comments to customers or re-tweeting the evolution of the social space. For example, users rumor as fact, hacktivists hijacking corporate officers’ will be testing the limits/parsing definitions. social networking accounts, cyber-threat agents using Determining areas of responsibility can be an area social sites for reconnaissance or spreading malware. of tension. It’s not always straightforward whether The security team must carefully articulate the risks certain aspects of social media risks are security, PR, of social media to the business – including data loss, or legal matters. The policy should cover who owns damage to reputation, regulatory issues, malware what. For example, legal/compliance owns the liability infections, and targeted spear-phishing campaigns – issues, marketing owns sentiment management, and and design and implement controls to manage security owns technical monitoring solutions. the risks. Response Plan Traditional incident-response methods that may have worked with conventional media don’t work with social media because of the extreme audience reach and speed of communications. Often, organizations are forced to think through a social-media response only when they experience a watershed event like a major outage or flash event. To avert a social media crisis, an organization needs to plan responses to various scenarios ahead of time. RSA, The Security Division of EMC | SBIC special Report |7
ADDRESSING THE GAPS End-User Behavior Threat Management End-user training specific to social media is Brand monitoring on social sites is commonly used essential. It’s not just about what employees do at by corporations to help manage reputational issues. work but also on their personal time. Training should Customer care teams also monitor social sites help them understand the policy and internalize the to address specific customer issues before they consequences of non-compliance, making them safer escalate. The information-security team needs Internet citizens overall. to work with the corporate marketing teams. Organizations need to set constructive boundaries Monitoring social media sites can also be a valuable through training and technical controls – although source of threat intelligence. Social media threats technical controls available today lack the granularity (YourCompanySucks.com) are not necessarily cyber- needed. Some organizations may have a very open security issues, but security should be informed of culture where blocking of social media channels is not anything that points to possible cyber threats, such as a viable option. Programs can also include moderating hacktivist postings or discussions regarding possible an organization’s Facebook page and monitoring targeted attacks directed at the company. Some employees’ postings on social sites. organizations have a team that specifically monitors social media channels for security threats. Social Media Suggested Actions: • evelop a social media risk D • ature the incident- M • ain threat intelligence G management strategy response process and from reputation/brand- involving a multidisciplinary include crisis management monitoring services. team. and surprise drills that test performance of the response team. • ave a clear policy which H • evelop a plan to monitor D • reate Facebook and C delineates responsibilities the corporate social media Twitter accounts for and covers code of conduct presence for hijacking, leadership to pre-empt and incident response. malware, misrepresentation, others from creating and other public-facing falsified accounts. threats. • eliver ongoing end-user D • reate policy regarding when C • ork with vendors to W awareness training and how to respond to rumors/ develop more advanced, programs including misleading statements flexible technologies educating employees regarding your organization, for fine-grained social on what information such as its security posture. media access control and is appropriate to post monitoring. on social channels and monitor employees’ social media activities. For social media response planning, one of the most useful things is a table-top exercise. Create scenarios and go through simulated events in real time with all of the stakeholders – such as IT, Communications, HR, Legal – in order to train and test the response of the team. You’ll quickly learn how different social media events are compared to other events.” VISHAL SALVI Chief Information Security Officer and Senior Vice President, HDFC Bank Limited 8| SBIC special Report | RSA, The Security Division of EMC
ADDRESSING THE GAPS Formulating Security Strategies As organizations begin big data projects, security teams must get involved early on, in order to understand the risks and devise strategies to manage them. To protect information in a big data context, a major focus area must be access control governance. Unfortunately not many specialized tools are available yet. Limited data masking and coarse data access control are some of the currently available techniques, but they’re not sufficient. Better methods 3. Big Data Competencies for sanitizing aggregations and fine-grained access controls for large data sets are needed. Increased Complexity For big data, security teams will also need to get a Big data technologies such as Hadoop go well beyond handle on information life cycle. It’s important to conventional database engines. They allow organizations understand what data is being collected and stored, to amalgamate data sets and run powerful analytics at including the queries: “What returns large amounts? unprecedented volumes and speeds. Rapidly amassing Small amounts?” As well, the individuals performing and processing customer and business information the analytics will need to be monitored. A possible increases the complexity of security issues such solution may be a peer review of query results to as access governance, confidential data exposure, check, for example, for access to PII. regulatory compliance, and data integrity. For example, as data sets grow, without robust 4. Mobile Competencies access controls, individuals could easily be over- A recent comprehensive provisioned access. If not carefully tracked, report from the SBIC, Realizing confidential information could be combined with the Mobile Enterprise: Balancing other data sets and inadvertently exposed. As the Risks and Rewards of personally identifiable information (PII) is processed Consumer Devices, identifies in new ways, organizations run the risk of breaching today’s major sources of risk privacy laws which require that data remain in for the mobile enterprise particular geographical locations. Analyzing blended and the outlook for the near data sets to produce business insights may lead to new future and presents concrete intellectual property (IP) that will need protecting. recommendations for managing As well, data integrity issues arise when data from mobile risks. different sources gets combined; organizations must consider whether all of the data is from trusted sources and if the resulting analysis can be trusted. Big Data Suggested Actions: • amp up technical R • onitor what’s being M • ducate analysts regarding risks E knowledge in big data. requested and what’s going to various types of data and out including anomalous make clear what can be shared access or queries. and with whom. • nsure proper E • atch carefully for over- W • ove toward data-centric M information classification provisioning of access and security, protection that travels which covers legal and segregate roles for different with the information. regulatory compliance types of access, such as those and considers country- who ask for queries and those specific requirements. who run them. • evelop data-flow D • volve access control E • ork with vendors to develop W mapping as a core governance by tracking technologies required for competency of the types and levels of managing the risks of big data, the security team. data requests and queries. such as better data masking, meta-tagging, data classification, and fine-grained access control. RSA, The Security Division of EMC | SBIC special Report |9
6 Conclusion E xpect cloud computing, social media, big data, and mobile devices to be on the radar as disruptive forces for all of 2013 and beyond. As enterprises accelerate implementation, the information-security team needs to ensure it has what it takes to enable innovation – including people, processes and technologies. It is critical for the security team – as risk management partners – to develop a keen understanding of business goals and engage multiple departments and levels of management. It will require developing or honing skills, especially the ability to engage and influence stakeholders from across the organization, in order to ensure that information security has a seat at the table as the business moves forward. About the Security for Business Innovation Council Initiative The Security for Business Innovation Council (SBIC) is a group of top security leaders from Global 1000 enterprises committed to advancing information security worldwide by sharing their diverse professional experiences and insights. The Council produces periodic reports exploring information security’s central role in enabling business innovation. 10 | SBIC special Report | RSA, The Security Division of EMC
Report Contributors Security for Business Innovation Council MARENE N. ALLISON, ANISH BHIMANI, CISSP, WILLIAM BONI, CISM, CPP, CISA, ROLAND CLOUTIER, Worldwide Vice President of Chief Information Risk Corporate Information Security Vice President, Chief Security Information Security, Officer, JPMorgan Chase Officer (CISO), VP, Enterprise Officer, Automatic Data Johnson Johnson Information Security, Processing, Inc. T-Mobile USA DR. MARTIJN DEKKER, Senior JERRY R. GEISLER III, GCFA, RENEE GUTTMANN, Chief MALCOLM HARKINS, Vice President, Chief GCFE, GCIH, Office of the Chief Information Security Officer, Vice President and Chief Information Security Officer, Information Security Officer, The Coca-Cola Company Information Security Officer, ABN Amro Walmart Stores, Inc. General Manager, Information Risk and Security, Intel KENNETH HAERTLING, PETRI KUIVALA, DAVE MARTIN, CISSP, Vice TIM MCKNIGHT, CISSP, Execu- Vice President and Chief Chief Information Security President and Chief Security tive Vice President, Enterprise Security Officer, TELUS Officer, Nokia Officer, EMC Corporation Information Security and Risk, Fidelity Investments FELIX MOHAN, ROBERT RODGER, Group Head RALPH SALOMON, CRISC, VISHAL SALVI, CISM, Chief Senior Vice President and of Infrastructure Security, Vice President IT Security Information Security Officer Global Chief Information HSBC Holdings plc. Risk Office, SAP ag and Senior Vice President, Security Officer, Airtel HDFC Bank Limited To see SBIC members’ full bios, SIMON STRICKLAND, LEANNE TOLIVER, CISA, CISSP, DENISE D. WOOD, Corporate please visit emc.com. Global Head of Security, Interim Chief Information Vice President, Information AstraZeneca Security Officer, Global Security, Chief Information Information Security, eBay Security Officer, Chief IT Risk Officer, FedEx Corporation RSA, The Security Division of EMC | SBIC special Report | 11
EMC, EMC2, the EMC logo, RSA, and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and/or services referenced are trademarks of their respective companies. ©2012 EMC Corporation. All rights reserved. h11391 RPT 1212

More Related Content

PDF
Rogers eBook Security
byRogers Communications
 
PDF
I Own Your Building (Management System)
byZero Science Lab
 
PDF
Security Feature Cover Story
byTorrid Networks Private Limited
 
PDF
The Vigilant Enterprise
byBooz Allen Hamilton
 
PDF
Information Security Governance: Government Considerations for the Cloud Comp...
byBooz Allen Hamilton
 
PDF
Security awarenesspreso draft-v-11
byJoseph Schorr
 
PDF
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
byBooz Allen Hamilton
 
PDF
DFlabs corporate profile 01-2013
byDFLABS SRL
 
Rogers eBook Security
byRogers Communications
 
I Own Your Building (Management System)
byZero Science Lab
 
Security Feature Cover Story
byTorrid Networks Private Limited
 
The Vigilant Enterprise
byBooz Allen Hamilton
 
Information Security Governance: Government Considerations for the Cloud Comp...
byBooz Allen Hamilton
 
Security awarenesspreso draft-v-11
byJoseph Schorr
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
byBooz Allen Hamilton
 
DFlabs corporate profile 01-2013
byDFLABS SRL
 

What's hot

PDF
Hiring Guide to the Information Security Profession
byamiable_indian
 
PDF
Top 10 IT Security Issues 2011
byRedspin, Inc.
 
PDF
Security in the cloud planning guide
byYury Chemerkin
 
PDF
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
byHyTrust
 
PDF
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
byDFLABS SRL
 
PPTX
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
PDF
Prinya acis slide for swpark - it & information security human resource deve...
byTISA
 
PDF
br-security-connected-top-5-trends
byChristopher Bennett
 
PPTX
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
byLivingstone Advisory
 
PDF
Adopting Intelligence-Driven Security
byEMC
 
PPTX
Where worlds collide: Agile, Project Management, Risk and Cloud?
byLivingstone Advisory
 
PDF
Idc cost complexitycompliance
byReadWrite
 
PDF
Cybersecurity Improvement eBook
byPablo Junco
 
PDF
Enterprise cyber security
bynsheel
 
PPT
Improving cyber-security through acquisition
byChristopher Dorobek
 
PPT
2012 security services clientprex
byKim Aarenstrup
 
PDF
Vol13 no2
byfphart
 
PDF
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
PDF
Cybersecurity through the Deloitte lens
byaakash malhotra
 
PDF
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
byInno Eroraha [NetSecurity]
 
Hiring Guide to the Information Security Profession
byamiable_indian
 
Top 10 IT Security Issues 2011
byRedspin, Inc.
 
Security in the cloud planning guide
byYury Chemerkin
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
byHyTrust
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
byDFLABS SRL
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
Prinya acis slide for swpark - it & information security human resource deve...
byTISA
 
br-security-connected-top-5-trends
byChristopher Bennett
 
Navigating through the Cloud - 7 feb 2012 at Institute for Information Manage...
byLivingstone Advisory
 
Adopting Intelligence-Driven Security
byEMC
 
Where worlds collide: Agile, Project Management, Risk and Cloud?
byLivingstone Advisory
 
Idc cost complexitycompliance
byReadWrite
 
Cybersecurity Improvement eBook
byPablo Junco
 
Enterprise cyber security
bynsheel
 
Improving cyber-security through acquisition
byChristopher Dorobek
 
2012 security services clientprex
byKim Aarenstrup
 
Vol13 no2
byfphart
 
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
Cybersecurity through the Deloitte lens
byaakash malhotra
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
byInno Eroraha [NetSecurity]
 

Viewers also liked

PDF
International Conference on Cloud and Big Data Analytics ICCBDA 2013
byEMC
 
PDF
Big Data Case Study: Transform Marketing And Take More
byEMC
 
PDF
White Paper: EMC Accelerates Journey to Big Data with Business Analytics as a...
byEMC
 
PDF
Enterprise Strategy Group: The Big Data Security Analytics Era is Here
byEMC
 
PDF
Big Data Analytics
byEMC
 
PDF
Linux kursu-erzurum
bysersld67
 
PDF
Insaat kursu-gungoren
bysersld54
 
PPTX
Hip to save $$$$
byMarcia Vaughn
 
PPS
Tire safety
byChandan Dubey
 
PPS
The power of perception
byChandan Dubey
 
PDF
MDP on Financial Statement Analysis
bykanagaraj300
 
ODP
Doe Meer met Minder
byNetwerk Bewust Verbruiken
 
PPTX
04 tues oppo costs choices
byTravis Klein
 
PDF
White Paper: Next-Generation Genome Sequencing Using EMC Isilon Scale-Out NAS...
byEMC
 
PPT
02 tues demand consumer surplus
byTravis Klein
 
PPTX
02 allocative efficiency
byTravis Klein
 
PPTX
5 Tips for Great Social Media Research
byResearch Now
 
PDF
Creative examples of origami logo design for inspiration
byMaxim Logoswish
 
PPT
Sato all in-one-training
byPROFIBLOG
 
PDF
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
byEMC
 
International Conference on Cloud and Big Data Analytics ICCBDA 2013
byEMC
 
Big Data Case Study: Transform Marketing And Take More
byEMC
 
White Paper: EMC Accelerates Journey to Big Data with Business Analytics as a...
byEMC
 
Enterprise Strategy Group: The Big Data Security Analytics Era is Here
byEMC
 
Big Data Analytics
byEMC
 
Linux kursu-erzurum
bysersld67
 
Insaat kursu-gungoren
bysersld54
 
Hip to save $$$$
byMarcia Vaughn
 
Tire safety
byChandan Dubey
 
The power of perception
byChandan Dubey
 
MDP on Financial Statement Analysis
bykanagaraj300
 
Doe Meer met Minder
byNetwerk Bewust Verbruiken
 
04 tues oppo costs choices
byTravis Klein
 
White Paper: Next-Generation Genome Sequencing Using EMC Isilon Scale-Out NAS...
byEMC
 
02 tues demand consumer surplus
byTravis Klein
 
02 allocative efficiency
byTravis Klein
 
5 Tips for Great Social Media Research
byResearch Now
 
Creative examples of origami logo design for inspiration
byMaxim Logoswish
 
Sato all in-one-training
byPROFIBLOG
 
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
byEMC
 

Similar to Information Security Shake-Up

PDF
IBM Tivoli - Security Solutions for the Cloud
byVincent Kwon
 
PDF
Cloud content security vs innovation 2012_0821
byBrian Gleeson
 
PPT
PCTY 2012, IBM Security and Strategy v. Fabio Panada
byIBM Danmark
 
PDF
IT Security Trends 2013
byIMC Institute
 
PDF
HCL Technologies: The CIO Handbook (Edition 4)
byHCL Technologies
 
PDF
The CIO Handbook
byHCL Technologies
 
PDF
Industry Overview: Big Data Fuels Intelligence-Driven Security
byEMC
 
PDF
James Beeson SOURCE Boston 2011
bySource Conference
 
PPTX
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
PPTX
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
PDF
SYMCAnnual
byfinance40
 
PPTX
Information Security, Cybercrime and technology futures allowing you to get a...
byInsight UK
 
PDF
The TOP 10 tech trends of 2011
bydvasilyev
 
PDF
SBIC Enterprise Information Security Strategic Technologies
byEMC
 
PDF
Sun Gerenciamento de Identidade com Segurança
byVictor Castro
 
PDF
Infosec russia cnemeth_v1.2.ppt
byChristophe Németh (CISSP / CISM)
 
PDF
NJVC Brochure
bySpencer Nelson
 
PDF
Security Hurts Business - Don't Let It
byPeak 10
 
PDF
PwC Survey 2010 CIO Reprint
byKim Jensen
 
PDF
Data security in cloud
byInterop
 
IBM Tivoli - Security Solutions for the Cloud
byVincent Kwon
 
Cloud content security vs innovation 2012_0821
byBrian Gleeson
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
byIBM Danmark
 
IT Security Trends 2013
byIMC Institute
 
HCL Technologies: The CIO Handbook (Edition 4)
byHCL Technologies
 
The CIO Handbook
byHCL Technologies
 
Industry Overview: Big Data Fuels Intelligence-Driven Security
byEMC
 
James Beeson SOURCE Boston 2011
bySource Conference
 
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
SYMCAnnual
byfinance40
 
Information Security, Cybercrime and technology futures allowing you to get a...
byInsight UK
 
The TOP 10 tech trends of 2011
bydvasilyev
 
SBIC Enterprise Information Security Strategic Technologies
byEMC
 
Sun Gerenciamento de Identidade com Segurança
byVictor Castro
 
Infosec russia cnemeth_v1.2.ppt
byChristophe Németh (CISSP / CISM)
 
NJVC Brochure
bySpencer Nelson
 
Security Hurts Business - Don't Let It
byPeak 10
 
PwC Survey 2010 CIO Reprint
byKim Jensen
 
Data security in cloud
byInterop
 

More from EMC

PPTX
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
byEMC
 
PDF
Cloud Foundry Summit Berlin Keynote
byEMC
 
PPTX
EMC GLOBAL DATA PROTECTION INDEX
byEMC
 
PDF
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
byEMC
 
PDF
Citrix ready-webinar-xtremio
byEMC
 
PDF
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
byEMC
 
PPTX
EMC with Mirantis Openstack
byEMC
 
PPTX
Modern infrastructure for business data lake
byEMC
 
PDF
Force Cyber Criminals to Shop Elsewhere
byEMC
 
PDF
Pivotal : Moments in Container History
byEMC
 
PDF
Data Lake Protection - A Technical Review
byEMC
 
PDF
Mobile E-commerce: Friend or Foe
byEMC
 
PDF
Virtualization Myths Infographic
byEMC
 
PDF
Intelligence-Driven GRC for Security
byEMC
 
PDF
The Trust Paradox: Access Management and Trust in an Insecure Age
byEMC
 
PDF
EMC Technology Day - SRM University 2015
byEMC
 
PDF
EMC Academic Summit 2015
byEMC
 
PDF
Data Science and Big Data Analytics Book from EMC Education Services
byEMC
 
PDF
Using EMC Symmetrix Storage in VMware vSphere Environments
byEMC
 
PDF
Using EMC VNX storage with VMware vSphereTechBook
byEMC
 
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
byEMC
 
Cloud Foundry Summit Berlin Keynote
byEMC
 
EMC GLOBAL DATA PROTECTION INDEX
byEMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
byEMC
 
Citrix ready-webinar-xtremio
byEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
byEMC
 
EMC with Mirantis Openstack
byEMC
 
Modern infrastructure for business data lake
byEMC
 
Force Cyber Criminals to Shop Elsewhere
byEMC
 
Pivotal : Moments in Container History
byEMC
 
Data Lake Protection - A Technical Review
byEMC
 
Mobile E-commerce: Friend or Foe
byEMC
 
Virtualization Myths Infographic
byEMC
 
Intelligence-Driven GRC for Security
byEMC
 
The Trust Paradox: Access Management and Trust in an Insecure Age
byEMC
 
EMC Technology Day - SRM University 2015
byEMC
 
EMC Academic Summit 2015
byEMC
 
Data Science and Big Data Analytics Book from EMC Education Services
byEMC
 
Using EMC Symmetrix Storage in VMware vSphere Environments
byEMC
 
Using EMC VNX storage with VMware vSphereTechBook
byEMC
 

Recently uploaded

PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
final.pdf
byomarbishtawi04
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 

Information Security Shake-Up

  • 1.
    A Special Reportby the Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013 FEATURING THE PERSPECTIVES OF C-LEVEL SECURITY EXECUTIVES FROM: ABN Amro Coca-Cola Fidelity Investments Johnson & Johnson TELUS ADP, Inc. eBay Intel JPMorgan Chase T-Mobile USA Airtel EMC HDFC Bank Nokia Walmart AstraZeneca FedEx HSBC Holdings plc. SAP AG An industry initiative sponsored by RSA
  • 2.
    * Contents REPORT HIGHLIGHTS 2013 PROMISES A FAST AND BUMPY RIDE 2 TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY 3 1. Cloud Computing Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 2. Social Media Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 3. Big Data Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 4. Mobile Devices Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 ADDRESSING THE GAPS 5 Boost Business and Risk Skills>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Court Middle Management>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Tackle IT Supply Chain Issues>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Build Tech-Savvy Action Plans>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6 1. Cloud Computing Competencies>>>>>>>>>>>>>>>>>>>>>>>> 6 2. Social Media Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>> 7 3. Big Data Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 4. Mobile Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 CONCLUSION/ ABOUT THE SBIC 10 REPORT CONTRIBUTORS: SECURITY FOR BUSINESS INNOVATION COUNCIL 11 Disclaimer – This Security for Business Innovation Council Report (“Report”) includes information and materials (collectively, the “Content”) that are subject to change without notice. RSA Security LLC, EMC Corporation, and the individual authors of the Security for Business Innovation Council (collectively, the “Authors”) expressly disclaim any obligation to keep Content up to date. The Content is provided “AS IS.” The Authors disclaim any express or implied warranties related to the use of the Content, including, without limitation, merchant- ability, suitability, non-infringement, accuracy, or fitness for any particular purpose. The Content is intended to provide information to the public and is not legal advice of RSA Security LLC, its parent company, EMC Corporation, their attorneys or any of the authors of this SBIC report. You should not act or refrain from acting on the basis of any Content without consulting an attorney licensed to practice in your jurisdiction. The Authors shall not be liable for any errors contained herein or for any damages whatsoever arising out of or related to the use of this Report (including all Content), including, without limitation, direct, indirect, incidental, special, consequential, or punitive damages, whether under a contract, tort, or any other theory of liability, even if the Authors are aware of the possibility of such errors or damages. The Authors assume no responsibility for errors or omissions in any Content. 2| SBIC special Report | RSA, The Security Division of EMC
  • 3.
    Report Highlights in 2013,a cluster of the gaps must be addressed Build Tech-savvy Action disruptive innovations will in order for information-security Plans: Security teams must continue transforming teams to keep pace with their build specific competencies and enterprise IT and hammering organizations’ technology action plans for enabling these at the very foundations of aspirations. innovations: information-security strategies For cloud computing focus on: Boost Risk & Business • optimizing cloud vendor this year promises several Skills: Information-security management major developments teams have long lobbied to be • solving controls assurance in enterprise adoption of: perceived as business enablers • realigning the IT budget to • Cloud computing: Many organiza- not inhibitors. Now that many cover the costs of cloud security tions are preparing to move more are, they don’t have the right • sharpening technical proficiency business processes – even mission- skills. To meet the swelling in virtualized environments critical apps and regulated data – demands to enable innovation, to the cloud. For social media focus on: security teams must rapidly • working with a multidisci- attain risk management and plinary executive team to • Social media: Based on social me- dia’s new-found powers to influence business skills. develop policy and codes of consumer purchasing behavior, conduct many organizations are elevating Court Middle Management: • developing proactive incident it to a strategic endeavor. At most organizations, the response plans C-suite “gets it” but security • training end users • Big data: Evidence of competitive teams now face resistance from • monitoring social media advantage is compelling more channels organizations to begin big data middle managers who don’t projects to gain market and want to expend their resources For big data focus on: business intelligence. on security. Security teams must • understanding the complex build these relationships, helping security issues created by • Mobile devices: Organizations are middle managers to understand amalgamating and processing experiencing a surge of consumer huge volumes of customer, security’s value. mobile devices accessing corporate market or business data networks and storing corporate • getting in on the ground floor data. Tackle IT Supply Chain of big data projects Issues: Organizations are • ensuring access control these trends will have a accelerating the implementation governance big impact on information- of new technologies just as there • developing a plan to leverage security programs, revealing is growing concern about the big data technologies for better significant and growing gaps integrity of globally sourced IT threat detection including a lack of business components. Comprehensive For mobile devices: skills, relationships, supply chain programs are required to • Download the recent compre- management, and tech-savvy evaluate as well as demonstrate hensive report from the SBIC, action plans. trustworthiness of hardware and Realizing the Mobile Enterprise: software. Balancing the Risks and Rewards of Consumer Devices. RSA, The Security Division of EMC | SBIC special Report |1
  • 4.
    1 2013 Promises a Fast and Bumpy Ride I n 2013, a cluster of disruptive innovations – cloud computing, social media, big data, and outpace information security, several major developments in enterprise technology delivers specific guidance to fill the gaps and ensure that information-security teams have the “right mobile devices – will adoption are exposing stuff” in order to enable continue transforming significant and growing innovation over the next information systems. gaps in information- 12 months. Conventional approaches security programs. to information security Based on the – such as perimeter perspectives of 19 protections, managed security leaders from Information security isn’t just about IT end-points, signature- global enterprises, the anymore. Trends like cloud computing and based threat detection, Security for Business consumerization are quickly extending the and checklist risk Innovation Council information-security role. It’s about business. evaluations – are (SBIC) has developed It’s about people. It’s about risk management.” breaking down. As the this Special Report to DR. MARTIJN DEKKER speed of technological help navigate the shifting Senior Vice President, Chief Information Security Officer, advances continues to landscape. The report ABN Amro 2| SBIC special Report | RSA, The Security Division of EMC
  • 5.
    2 Technology Trends and the Impact on Information Security E nterprises are looking to up the ante in technology adoption this year. Information-security teams should know what to expect and how they will be impacted. 1. Cloud Computing Adoption 2. Social Media Adoption Trend: Many organizations are preparing to move more Trend: Social media has become a major influencer of business processes – even mission-critical apps and consumer purchasing decisions, setting it on course to regulated data – to the cloud. become a strategic endeavor. Familiarity Breeds Trust Serious Business By now, most companies have deployed some form Organizations will be looking at social media of cloud computing, including Software-as-a-Service with a more strategic eye in 2013. A recent survey (82% of companies), Infrastructure-as-a-Service (51% indicates brand following has doubled in the past of companies), and Platform-as-a-Service (40% of two years by Americans who use social media. And companies),1 to capture benefits such as cost savings, of those who use social networking sites at least agility, and scalability. Over the next few years, once a month, 47% say that Facebook has the most spending on public cloud services is predicted to influence on purchasing.6 increase at 19% per year.2 The opportunities to reach customers and create Although supplier lock-in and system availability are positive brand awareness with social media are some of the big concerns with the cloud, security remains huge. The problem is that social networking sites the number one obstacle to adoption. But trust in the also present enormous opportunities for misuse cloud is growing. In a recent survey, 50% of respondents and misinformation as well as malware distribution were confident that the cloud is now viable for mission- and fraud. In fact, 66% of organizations name critical business applications.3 Even regulators are social media as a significant or critical risk to their getting more comfortable with the cloud. The Dutch brand.7 Yet only 38% of organizations have a security banking authority has given Dutch banks the green strategy in place for social networking.8 light to use cloud services.4 Given this confidence, many As organizations increase their use of social organizations are ready to move more business processes media to capture the business benefits, they must to the cloud. But surprisingly, only 30% of organizations also put in place strategies to manage the risks. have implemented a cloud security strategy5 even though Expectations should be set regarding allowable cloud computing has been a growing phenomenon for activity on social sites and policy viewed broadly, years. And even many cloud vendors don’t have sufficient balancing corporate interests with freedom of security programs. expression. Tools and techniques will also be required to mitigate the risks of incidents and Ücome to a The security concernsdemand forcloud adoption will Impact: head. The increasing hindering cloud guard against social-media-based attacks. computing will force organizations to find effective ways to evaluate their providers’ security controls to ensure they meet Ü Impact: Information-security teams must work to actively manage the risks of social media, including requirements, including implementing continuous monitoring. comprehensive policies and effective security controls. 1  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 5  he Global State of Information Security® Survey 2013, a worldwide survey by T 2  artner: Public cloud spending to increase 19 percent annually to 2016, G CIO, CSO and PwC, October 2012 FierceEnterprise Communications, October 23, 2012 6  The Social Habit, Edison Research, July 2012 3  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 7  uarding the Social Gates: The Imperative for Social Media Risk Management, G 4  NB neemt hobbel weg voor ‘outsourcen in the cloud’, Nieuwsbericht, D Altimeter, August 2012 De Nederlandsche Bank NV, (DNB), November 6, 2012 8  he Global State of Information Security® Survey 2013, a worldwide survey by T CIO, CSO and PwC, October 2012 RSA, The Security Division of EMC | SBIC special Report |3
  • 6.
    TECHNOLOGY TRENDS ANDTHE IMPACT ON INFORMATION SECURITY 3. Big Data Adoption 4. Mobile Devices Adoption Trend: Evidence of competitive advantage is compelling Trend: More employees are using their smartphones and more organizations to begin big data projects to gain tablets for work, creating a surge of consumer mobile market and business intelligence. devices accessing corporate networks and storing corporate data. Organizations have to prepare for a world where the dominant endpoint is not a desktop PC, but a Better Threat Detection mobile device. In the information-security community, “big data” is generating considerable hype. The power of analytics Risks Mounting can greatly improve the ability to detect cyber attacks. Big data can be used to spot malicious activity by Heading into 2013, consumer mobile devices continue amalgamating and analyzing system and user to create worrisome risks for organizations – ranging behavior data. It will play a major role in changing the from loss of confidential information to high-profile information-security model to be more effective. security breaches. Research shows that 70% of all smartphone-owning professionals are now using their personal devices to access corporate data, yet almost 80% Good for Business of that activity remains inadequately managed by IT departments.10 The potential benefits of mobile devices It’s not only security that is excited about big data. can include improved productivity and reduced costs. So are marketing departments and many other areas Capitalizing on these opportunities is only possible if of business. Big data can be used to gain deep market enterprises know how to manage the risks. insight, provide tailored customer service, and create operational intelligence. A survey of executives worldwide found that the use of big data has improved Ü Impact: Mobile risksinformation-security teams must To avert major incidents, are reaching a critical mass. their businesses’ performance, on average by 26%. implement strategies that manage the risks while enabling The majority of these companies (58%) claim they will the rewards. Security strategies should assume the end- make a bigger investment in big data over the next point is untrusted. three years.9 This evidence of competitive advantage will spur more organizations to invest in big data. But the relative newness of the space means most do not fully understand the privacy and security risks when customer and business information is being collected, combined, processed, and stored at unprecedented scales and speeds. Üvalue of big data for security and develop a multi-year the Impact: Information-security teams must recognize plan to evolve their security management model to utilize big data to detect and remediate security threats. They also must get in on the ground floor of any new big data projects that the business takes on, in order to understand the risks and develop strategies to manage them. When thinking about big data, information-security teams should not only consider how they can use powerful analytics to detect security events but also realize that business overall is shifting towards the use of big data. Securing big data will require an evolution in data protection controls.” DAVE MARTIN Vice President and Chief Security Officer, EMC Corporation 9 The Deciding Factor: Big Data Decision Making, Capgemini, June 2012 10 Multi-market BYOD Survey, Ovum, September 2012 4| SBIC special Report | RSA, The Security Division of EMC
  • 7.
    3 Addressing the Gaps I n 2013, as enterprise adoption migrates from being an IT-focused Tackle IT Supply of technology intensifies, to a business-focused problem, Chain Issues information-security teams face many teams lack the required significant gaps, including a lack skillset. Security professionals Organizations are accelerating of business skills, relationships, must become risk managers and the implementation of new supply chain management, business consultants – translating technologies within their IT and tech-savvy action plans. business requirements into environments just as there is Addressing these gaps will take a security requirements. More growing concern about the commitment to rapid-fire change. and more, the performance of integrity of hardware and security teams will be measured software components. Many of on their ability to enable business, these components are globally Boost Risk and which requires knowing how to sourced, creating complex supply Business Skills tie security programs to business chain issues. Going into 2013, outcomes. organizations must increasingly As the need to protect question whether their IT supply information has become chain can be trusted. However increasingly vital, at most global Court Middle the approach should evolve from organizations the information- Management banning gear to a more holistic security role has become more risk management approach to strategic and is transitioning to an As we begin 2013, most C-suites adopt technology with appropriate “information risk management” and Boards “get it.” The growth of security safeguards. Organizations role. Enabling a set of disruptive information protection regulations should seek assurances regarding innovations is accelerating that and the escalation of cyber all of their suppliers’ technology- trend, forcing a risk management threats mean that most of them development and -delivery perspective versus a security understand the importance of practices. “lock-down” mentality. To capture information security and consider As well, most organizations not the business benefits of new it a priority. Today, it is common only implement IT products technologies, each organization for CISOs to meet regularly with developed by others but also must accurately evaluate how executive leadership and the develop IT, such as custom much risk it is willing to take on Board. In many cases, information applications for use by business to capture those benefits. The security has attained the sought- partners and customers. Whether information-security team must after attention from the top. they develop commercial or work with the business in order to The current resistance to custom hardware or software, understand the risks and develop information-security efforts is two organizations must be able protection strategies to mitigate levels down from the executive to demonstrate that they are them to an acceptable level. level. Middle managers don’t want a trustworthy supplier of IT. This includes identifying the key to use their resources on security. Comprehensive programs will information assets and assessing They are incentivized by timeline be required to evaluate and their value to the organization. and budget; adding security doesn’t demonstrate the integrity of For years, security professionals fit into their objectives. Security the entire IT supply chain, have been lobbying to be perceived teams need to build relationships downstream and upstream. as business enablers rather than with middle managers, helping inhibitors. Now many information- them understand the value of security teams are bombarded information security. It may be with requests to enable innovation. a harder nut to crack than the But as information security C-suite. RSA, The Security Division of EMC | SBIC special Report |5
  • 8.
    ADDRESSING THE GAPS Build Tech-Savvy Action Plans Solving all of the security issues that disruptive innovations are creating isn’t going to happen in 2013, but security teams have to make large strides or fall even further behind their organizations’ plans for technology adoption. Security teams must build competencies and specific actions plans in each area. 1. Cloud Computing Competencies Cloud Vendor Management Organizations are ultimately accountable for safeguarding the information handled by their cloud service providers. Cloud computing is forcing information-security teams to switch their focus from implementing controls to assuring that the controls Budget Realignment implemented by others meet requirements. Security The assurance process adds cost on both sides (for teams need to determine “How can we ensure that the cloud provider and the enterprise). Organizations cloud providers can meet our trust level? How do we should recognize that the increasing costs of know they are attuned to our particular threats? Can assurance can reduce any cost savings from moving they meet our regulatory compliance and e-Discovery to the cloud in the first place. As with outsourcing, if requirements?” the process is mismanaged the cost savings may be neutralized. Organizations also need to understand Controls Assurance that in a highly virtualized environment more of IT’s The conventional controls-assurance model is not budget will be needed to address cloud security. One sustainable in the cloud. Client organizations can’t solution is budget realignment – reinvesting a portion go on site to examine the security controls of every of the IT savings the organization achieves by moving cloud service provider, so they expect the providers to to the cloud into managing the risks. provide assurance by answering questionnaires. This is an inefficient process, since the cloud providers’ Technical Proficiency customers all ask the same questions. In order to evaluate the controls, security teams Standardized assessments would help. Industry will need a high level of technical proficiency initiatives, to achieve large-scale sharing of within virtualized environments. When servers assessments, have not had a lot of success so far. It’s and applications are decoupled from hardware, the hard for a large number of organizations to agree on security controls framework is completely different a standard set of controls that will satisfy everyone’s than in conventional IT environments. For example, requirements. Some organizations are beginning software controls (such as hypervisor security to turn to small-scale sharing of assessments. This modules) replace hardware controls. might follow the same model as intelligence sharing Many security teams are still not convinced whereby exchanging information among a small set of regarding the efficacy of cloud security controls. They trusted individuals grows over time. Another possible need to validate the security model for themselves, approach is third-party assessments or certification of understanding the advantages and limitations, in order service providers, such as the AICPA’s SOC 2 Report to oversee cloud providers. Especially in public clouds, on Controls at a Service Organization or the upcoming data co-mingling and data remanence remain big ISO 27017 Standard for Security in Cloud Computing. concerns. Security teams don’t yet have an acceptable In moving to the cloud, security teams need to find level of assurance that cloud service providers can effective ways to measure the health of controls and protect data integrity and confidentiality in a multi- detect failures. The building blocks for attestations tenant environment. Proficiency in cloud security through governance, risk, and compliance (GRC) controls is critical not only for public/hybrid clouds but technology are there, but the process needs to mature. also private clouds. Security teams must have the know- Automated and transparent controls assurance and how to secure virtualized environments within their continuous monitoring will be an important part of the own data centers. solution. 6| SBIC special Report | RSA, The Security Division of EMC
  • 9.
    ADDRESSING THE GAPS Cloud Computing Suggested Actions: • lan for increasing P • ake it a general rule to M • everage technologies such L resources for cloud segregate the role of as GRC solutions that vendor management. controls implementation can perform automated from controls assurance to assurance and continuous ensure impartial controls monitoring and provide oversight. visibility into cloud environments. • ake the case to M • ork with auditors in the W • nsure your team has the E earmark a portion early stages of public or technical proficiency to of IT savings that private cloud computing evaluate software controls result from moving to initiatives, to educate them and secure the virtualized cloud computing for about the new security environment. information-security controls in virtualized oversight. environments. • actor in IT savings/ F • nvestigate the possibility I • nvestigate next-generation I security oversight offset of sharing cloud vendor encryption solutions that when making decisions assessments with a small can be used to protect your regarding moving to the number of trusted partners sensitive data in the cloud. cloud. to reduce redundancy and costs. 2. Social Media Competencies It will require an organizational strategy, including a defined code of conduct and an incident Executive Treatment response plan. Defining social media policy takes a The potential scenarios are nightmarish: insiders cross-functional team of executives from security, tweeting pre-released earnings data, developers IT, legal, HR, and communications. It can be a long inadvertently disclosing confidential intellectual process, taking months to set up the initial policy and property in peer forums, employees making requiring ongoing iterations based on learnings and inappropriate comments to customers or re-tweeting the evolution of the social space. For example, users rumor as fact, hacktivists hijacking corporate officers’ will be testing the limits/parsing definitions. social networking accounts, cyber-threat agents using Determining areas of responsibility can be an area social sites for reconnaissance or spreading malware. of tension. It’s not always straightforward whether The security team must carefully articulate the risks certain aspects of social media risks are security, PR, of social media to the business – including data loss, or legal matters. The policy should cover who owns damage to reputation, regulatory issues, malware what. For example, legal/compliance owns the liability infections, and targeted spear-phishing campaigns – issues, marketing owns sentiment management, and and design and implement controls to manage security owns technical monitoring solutions. the risks. Response Plan Traditional incident-response methods that may have worked with conventional media don’t work with social media because of the extreme audience reach and speed of communications. Often, organizations are forced to think through a social-media response only when they experience a watershed event like a major outage or flash event. To avert a social media crisis, an organization needs to plan responses to various scenarios ahead of time. RSA, The Security Division of EMC | SBIC special Report |7
  • 10.
    ADDRESSING THE GAPS End-User Behavior Threat Management End-user training specific to social media is Brand monitoring on social sites is commonly used essential. It’s not just about what employees do at by corporations to help manage reputational issues. work but also on their personal time. Training should Customer care teams also monitor social sites help them understand the policy and internalize the to address specific customer issues before they consequences of non-compliance, making them safer escalate. The information-security team needs Internet citizens overall. to work with the corporate marketing teams. Organizations need to set constructive boundaries Monitoring social media sites can also be a valuable through training and technical controls – although source of threat intelligence. Social media threats technical controls available today lack the granularity (YourCompanySucks.com) are not necessarily cyber- needed. Some organizations may have a very open security issues, but security should be informed of culture where blocking of social media channels is not anything that points to possible cyber threats, such as a viable option. Programs can also include moderating hacktivist postings or discussions regarding possible an organization’s Facebook page and monitoring targeted attacks directed at the company. Some employees’ postings on social sites. organizations have a team that specifically monitors social media channels for security threats. Social Media Suggested Actions: • evelop a social media risk D • ature the incident- M • ain threat intelligence G management strategy response process and from reputation/brand- involving a multidisciplinary include crisis management monitoring services. team. and surprise drills that test performance of the response team. • ave a clear policy which H • evelop a plan to monitor D • reate Facebook and C delineates responsibilities the corporate social media Twitter accounts for and covers code of conduct presence for hijacking, leadership to pre-empt and incident response. malware, misrepresentation, others from creating and other public-facing falsified accounts. threats. • eliver ongoing end-user D • reate policy regarding when C • ork with vendors to W awareness training and how to respond to rumors/ develop more advanced, programs including misleading statements flexible technologies educating employees regarding your organization, for fine-grained social on what information such as its security posture. media access control and is appropriate to post monitoring. on social channels and monitor employees’ social media activities. For social media response planning, one of the most useful things is a table-top exercise. Create scenarios and go through simulated events in real time with all of the stakeholders – such as IT, Communications, HR, Legal – in order to train and test the response of the team. You’ll quickly learn how different social media events are compared to other events.” VISHAL SALVI Chief Information Security Officer and Senior Vice President, HDFC Bank Limited 8| SBIC special Report | RSA, The Security Division of EMC
  • 11.
    ADDRESSING THE GAPS Formulating Security Strategies As organizations begin big data projects, security teams must get involved early on, in order to understand the risks and devise strategies to manage them. To protect information in a big data context, a major focus area must be access control governance. Unfortunately not many specialized tools are available yet. Limited data masking and coarse data access control are some of the currently available techniques, but they’re not sufficient. Better methods 3. Big Data Competencies for sanitizing aggregations and fine-grained access controls for large data sets are needed. Increased Complexity For big data, security teams will also need to get a Big data technologies such as Hadoop go well beyond handle on information life cycle. It’s important to conventional database engines. They allow organizations understand what data is being collected and stored, to amalgamate data sets and run powerful analytics at including the queries: “What returns large amounts? unprecedented volumes and speeds. Rapidly amassing Small amounts?” As well, the individuals performing and processing customer and business information the analytics will need to be monitored. A possible increases the complexity of security issues such solution may be a peer review of query results to as access governance, confidential data exposure, check, for example, for access to PII. regulatory compliance, and data integrity. For example, as data sets grow, without robust 4. Mobile Competencies access controls, individuals could easily be over- A recent comprehensive provisioned access. If not carefully tracked, report from the SBIC, Realizing confidential information could be combined with the Mobile Enterprise: Balancing other data sets and inadvertently exposed. As the Risks and Rewards of personally identifiable information (PII) is processed Consumer Devices, identifies in new ways, organizations run the risk of breaching today’s major sources of risk privacy laws which require that data remain in for the mobile enterprise particular geographical locations. Analyzing blended and the outlook for the near data sets to produce business insights may lead to new future and presents concrete intellectual property (IP) that will need protecting. recommendations for managing As well, data integrity issues arise when data from mobile risks. different sources gets combined; organizations must consider whether all of the data is from trusted sources and if the resulting analysis can be trusted. Big Data Suggested Actions: • amp up technical R • onitor what’s being M • ducate analysts regarding risks E knowledge in big data. requested and what’s going to various types of data and out including anomalous make clear what can be shared access or queries. and with whom. • nsure proper E • atch carefully for over- W • ove toward data-centric M information classification provisioning of access and security, protection that travels which covers legal and segregate roles for different with the information. regulatory compliance types of access, such as those and considers country- who ask for queries and those specific requirements. who run them. • evelop data-flow D • volve access control E • ork with vendors to develop W mapping as a core governance by tracking technologies required for competency of the types and levels of managing the risks of big data, the security team. data requests and queries. such as better data masking, meta-tagging, data classification, and fine-grained access control. RSA, The Security Division of EMC | SBIC special Report |9
  • 12.
    6 Conclusion E xpect cloud computing, social media, big data, and mobile devices to be on the radar as disruptive forces for all of 2013 and beyond. As enterprises accelerate implementation, the information-security team needs to ensure it has what it takes to enable innovation – including people, processes and technologies. It is critical for the security team – as risk management partners – to develop a keen understanding of business goals and engage multiple departments and levels of management. It will require developing or honing skills, especially the ability to engage and influence stakeholders from across the organization, in order to ensure that information security has a seat at the table as the business moves forward. About the Security for Business Innovation Council Initiative The Security for Business Innovation Council (SBIC) is a group of top security leaders from Global 1000 enterprises committed to advancing information security worldwide by sharing their diverse professional experiences and insights. The Council produces periodic reports exploring information security’s central role in enabling business innovation. 10 | SBIC special Report | RSA, The Security Division of EMC
  • 13.
    Report Contributors Security for Business Innovation Council MARENE N. ALLISON, ANISH BHIMANI, CISSP, WILLIAM BONI, CISM, CPP, CISA, ROLAND CLOUTIER, Worldwide Vice President of Chief Information Risk Corporate Information Security Vice President, Chief Security Information Security, Officer, JPMorgan Chase Officer (CISO), VP, Enterprise Officer, Automatic Data Johnson Johnson Information Security, Processing, Inc. T-Mobile USA DR. MARTIJN DEKKER, Senior JERRY R. GEISLER III, GCFA, RENEE GUTTMANN, Chief MALCOLM HARKINS, Vice President, Chief GCFE, GCIH, Office of the Chief Information Security Officer, Vice President and Chief Information Security Officer, Information Security Officer, The Coca-Cola Company Information Security Officer, ABN Amro Walmart Stores, Inc. General Manager, Information Risk and Security, Intel KENNETH HAERTLING, PETRI KUIVALA, DAVE MARTIN, CISSP, Vice TIM MCKNIGHT, CISSP, Execu- Vice President and Chief Chief Information Security President and Chief Security tive Vice President, Enterprise Security Officer, TELUS Officer, Nokia Officer, EMC Corporation Information Security and Risk, Fidelity Investments FELIX MOHAN, ROBERT RODGER, Group Head RALPH SALOMON, CRISC, VISHAL SALVI, CISM, Chief Senior Vice President and of Infrastructure Security, Vice President IT Security Information Security Officer Global Chief Information HSBC Holdings plc. Risk Office, SAP ag and Senior Vice President, Security Officer, Airtel HDFC Bank Limited To see SBIC members’ full bios, SIMON STRICKLAND, LEANNE TOLIVER, CISA, CISSP, DENISE D. WOOD, Corporate please visit emc.com. Global Head of Security, Interim Chief Information Vice President, Information AstraZeneca Security Officer, Global Security, Chief Information Information Security, eBay Security Officer, Chief IT Risk Officer, FedEx Corporation RSA, The Security Division of EMC | SBIC special Report | 11
  • 14.
    EMC, EMC2, theEMC logo, RSA, and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and/or services referenced are trademarks of their respective companies. ©2012 EMC Corporation. All rights reserved. h11391 RPT 1212