SlideShare a Scribd company logo

managed-security-for-a-not-so-secure-world-wp090991

J
Jim Romeo
1 of 4
Download to read offline
CIOs need a strategy for a secure enterprise in today’s insecure world. It turns out that the infamous TJX Companies breach in January 2007 was only the tip of the iceberg: there has been an explosion of data security incidents in the past few years. In 2008, the Identity Theft Resource Center (ITRC) reported 656 breaches, a 47 percent increase over 2007. And there have been 213 data breaches in the first five months of this year alone. This risky data environment is colliding with an IT landscape of shrinking resources. An April 2009 Lieberman Software survey of IT professionals discovered that 60 percent of respondents work at organizations that have cut their IT budgets, and 40 percent of organi- zations have reduced their IT teams. Such cuts leave fewer resources available to handle the ongoing need for compliance with a bevy of regulations—from the Sarbanes-Oxley Act (SOX) to the Health Insur- ance Portability and Accountability Act (HIPAA) to the Payment Card White Paper: Managed Security Managed Security for a Not-So-Secure World WP090991 8/09
Industry Data Security Standard (PCI DSS)—to whatever new transparency requirements will arise from the banking crisis. But business must go on. CIOs must manage security risks while addressing business needs and focusing on revenue-generating activities. This paper offers a strategy for providing data security and protection that addresses the rising data threat landscape, the need for compliance, and today’s lean IT staffs. Good Enough Isn’t Always Enough Unlike conventional projects with a beginning, middle and an end, IT security is never finished. The security program implemented yesterday may not be adequate tomorrow because new threats arise every day. Opportunistic predators, for example, exist both inside and outside the organization. Organized crime is a ma- jor concern from a financial perspective because their motivation is typically financial gain, which causes them to continually seek out potential network infrastructure vulnerabilities, and create new viruses and worms. This has significantly raised the quality of threats that com- panies must defend themselves against. Though most IT managers are vigilant and diligent in us- ing the tools they have to protect corporate data, there are often blind spots that these predators will find and exploit. Ensuring corporate data is safe takes consider- able proactive, continual monitoring—or outside help. “Keeping up with the high traffic in vulnerability disclo- sures is a perennial challenge and an important part of our program since we focus on proactively identifying and remediating risks,” says Michael Glenn, director of information security and chief information security official (CISO) at Qwest Communications International Inc., a managed security provider. “We have to balance our re- sources between our proactive, innovative programs and our reactive obligations, including a growing list of compli- ance auditing, certification and reporting activities.” Those compliance issues can be burdensome. Mandat- ed compliance with a wide and growing variety of state, federal and industry regulations places an increasing strain on IT staff. Being Compliant Some of these regulations, or parts of them, promote data protection within particular industries. For ex- ample, the Gramm-Leach-Bliley Act (GLBA) has privacy stipulations to protect information in the financial ser- vices industry, including companies providing financial products and services to consumers. For example, the GLBA’s Financial Privacy Rule requires financial institu- tions to give their customers privacy notices that ex- plain the institution’s information collection and sharing practices. In addition, customers have the right to limit the sharing of their information. Failure to comply with these regulations can lead to stiff penalties—HIPAA fines, for example, can be as high as $50,000 per violation. And the American Recovery and Reinvestment Act of 2009 will further tighten HIPAA’s privacy and security rules for data breach notification, enforcement, audit trails and encryption. Then there’s the PCI DSS, which governs payment card transactions. Here again, noncompliance can be expensive: for ex- ample, Visa could fine transaction processors between $5,000 and $25,000 a month if the merchants or retail- ers they represent are not PCI compliant. What’s troublesome is that companies often think they’re in compliance but end up finding out the hard way that they’re not. Take the examples of RBS World- Pay and Heartland Payment Systems, which process credit card payments. Before the end of 2008, they were believed to be PCI compliant. However, hackers tapped into their data, including cardholders’ private informa- tion. The point is that just checking a checkbox for compliance may not protect your organization’s data; you must have solid security practices in place to first protect data, and then meet compliance obligations. For more information about Qwest’s managed security services, visit us at www.qwest.com/business [2] Qwest White Paper: Managed Security WP090991 8/09
There are intangible costs as well. A breach in security of this magnitude causes a lack of confidence among cur- rent and prospective customers. CIOs and IT managers recognize this threat. In a recent survey conducted by IDG Research Services on behalf of Fiberlink Communi- cations, 81 percent of respondents said that damage to their company’s reputation from a data breach was their greatest concern, followed by legal consequences and costs (79 percent) and loss of critical data (74 percent). Things like proactive network monitoring, testing and tracking, complex firewall configuration, a comprehen- sive vulnerability management program, centralized logging and auditing, an access control program, and sound, comprehensive security policies are necessary for a good security program and to meet compliance obligations. Considerable staff and resources are also required. So, how does the CIO face these challenges? Outsourcing Managed Security Given the security risk climate and the reduction in IT staffs, working with an IT and security service provider is more practical. With the appropriate foundation of outsourced services, security becomes manageable and reliable. Of course, cost is a consideration. You should conduct a thorough analysis of the time and expenses involved in using internal resources and then weigh it against an outsourcing provider’s cost model. For example, the cost of managing and configuring technology is a key component of the total cost of a security program. And you have to consider whether your in-house expertise is up to the task. “Inevitably, difficult economic times can cause other- wise good people to make poor decisions,” says Glenn. “I expect to see a continued need for vigilance against malicious software and attacks like spear phishing that are rooted in fraud, along with the ever-present insider threat. In a downturned economy, you do not want to be significantly cutting your information security program.” To stay abreast of vulnerabilities and threats, IT person- nel must continually expand their knowledge and exper- tise, which can be challenging if budgets do not allow for a fully dedicated security staff or ongoing training. In addition, expert security professionals, especially those with credentials from professional associations, are in high demand, so retaining them can be difficult. On the flipside, a well-recognized, comprehensive security service provider has already gone through the rigors of recruiting and training quality security person- nel. In addition, these teams have been exposed to a variety of enterprise security challenges from a diverse clientele. Tapping into this expertise offers not only a skilled security strategy, but also a fresh look at how to address risks. Another consideration is that IT and business processes are often in flux, due to changing market conditions and business demands. Managing them requires both time and broad experience; organizations with tight IT budgets can suffer process management constraints. An outsourcing partner can add value by bringing a wide range of expertise and the ability to look at the entire scope of a company’s processes to identify potential obstacles or problem areas. Employing the best people and processes are only parts of the equation. You also need the right tech- [3] Qwest White Paper: Managed Security Benefits of an Outsourcing Partner r Staff: Professionally trained talent to manage and implement security programs and plans r Solutions: Carefully researched and selected security technologies r Cost: Lower total cost of ownership for labor and technology through scaling, configuration, maintenance of technology solutions, training personnel, and research- ing processes and products r Knowledge: Experience and knowledge base to discover vulnerabilities, face new security threats and solve complex security problems WP090991 8/09
nology. Because new security tools and solutions are introduced every day, evaluating, purchasing and maintaining them requires time and an understanding of how they will best fit the organization. A feasible alternative is to lean on a managed security provider that has experience with a wide variety of solutions, and that can provide a thorough analysis of which tools are most appropriate. Conclusion In the IT landscape, vulnerabilities and threats arise constantly while new and shifting compliance regula- tions place increased pressure on data protection. And CIOs must face these issues with reduced staff and contracted budgets. A solid relationship with a managed service provider can be of great help, freeing CIOs to focus on core business operations, build better relationships with stakeholders and ultimately achieve short and long- term business goals. Using managed services to address security risks is a best practice to reduce costs, ensure compliance and allow IT staff to focus on critical busi- ness operations. Glenn offers this closing advice: “Spend just as much, and preferably more of your energy on building rela- tionships with key stakeholders across your enterprise than you spend learning the bits and bytes of the latest technical toy. If you have the right relationships with your business, you can always find a means to accom- plish your objectives by making your business success- ful through good security practices and risk manage- ment. Learning those technical means together gives you more credibility.” Take an honest look at your internal capabilities, and compare them to what a managed security services provider can offer, including economies of scale. It’s likely that a security strategy that includes outsourcing in its mix will be a cost-effective, practical and winning solution. [4] Qwest White Paper: Managed Security Failing to Comply Data breaches have resulted in disciplinary actions and fines by the Federal Trade Commission (FTC) in numerous cases. Here are a few examples: r The FTC disciplined a Texas-based mortgage company after it failed to provide reasonable security to protect sensitive customer data. Third-party home sellers were able to access private data without security measures in place. A hacker compromised the data by breaking into a home seller’s computer, obtaining the lender’s credentials and using them to access hundreds of consumer reports. Because this mortgage company had inadequate data protection, they were liable for the security breach. r When hackers stole the personal data of some 46 million customers of retail conglomerate TJX Compa- nies, the FTC attributed the breach to a failure by TJX to use reasonable and appropriate security mea- sures on its networks. As a result, a third party must audit the company every other year for 20 years and TJX must show improvement in its network security, service provider selection and how it handles consumer information. The retailer also negotiated a settlement reported at more than $40 million with Visa International. r After it was discovered that hackers had accessed the sensitive information of hundreds of consum- ers, an online seller of computer supplies was admonished by the FTC. The company failed to provide reasonable security to protect sensitive customer data such as personal information and credit card numbers. The vendor suffered bad publicity and diminished overall customer confidence. Source: www.ftc.gov WP090991 8/09

Recommended

Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
In the news
In the newsIn the news
In the newsRob Wilson
 

Recommended

Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
eCrime-report-2011-accessible
eCrime-report-2011-accessibleeCrime-report-2011-accessible
eCrime-report-2011-accessibleCharmaine Servado
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
In the news
In the newsIn the news
In the newsRob Wilson
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenturejob Titri company
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
Cost of Cybercrime 2017
Cost of Cybercrime 2017Cost of Cybercrime 2017
Cost of Cybercrime 2017Paperjam_redaction
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsColleen Beck-Domanico
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesTripwire
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookChris Cornillie
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2Semir Ibrahimovic
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voiceIBM India Smarter Computing
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 

More Related Content

What's hot

Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory ComplianceLifeline Data Centers
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenturejob Titri company
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsColleen Beck-Domanico
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsAbdul-Hakeem Ajijola
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsElizabeth Dimit
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesTripwire
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookChris Cornillie
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityShareDocView.com
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 

What's hot (20)

Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture2017 cost of cyber crime study accenture
2017 cost of cyber crime study accenture
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Cost of Cybercrime 2017
Cost of Cybercrime 2017Cost of Cybercrime 2017
Cost of Cybercrime 2017
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
Cyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial InstitutionsCyber Security Tips and Resources for Financial Institutions
Cyber Security Tips and Resources for Financial Institutions
 
Cybersecurity & the Board of Directors
Cybersecurity & the Board of DirectorsCybersecurity & the Board of Directors
Cybersecurity & the Board of Directors
 
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great CollaboratorsTo Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators
 
Improving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & ExecutivesImproving Cyber Security Literacy in Boards & Executives
Improving Cyber Security Literacy in Boards & Executives
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Leveraging Board Governance for Cybersecurity
Leveraging Board Governance for CybersecurityLeveraging Board Governance for Cybersecurity
Leveraging Board Governance for Cybersecurity
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
 
Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance Temp
 
Banks and cybersecurity v2
Banks and cybersecurity v2Banks and cybersecurity v2
Banks and cybersecurity v2
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Finding a strategic voice
Finding a strategic voiceFinding a strategic voice
Finding a strategic voice
 

Similar to managed-security-for-a-not-so-secure-world-wp090991

State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016Tim Grieveson
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
Networkers cyber security market intelligence report
Networkers cyber security market intelligence reportNetworkers cyber security market intelligence report
Networkers cyber security market intelligence reportSimon Clements FIRP DipRP
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementWilliam McBorrough
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesJoseph DeFever
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber securitySAHANAHK
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141sraina2
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligencethinkASG
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityRahul Tyagi
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprisesTaranggg11
 

Similar to managed-security-for-a-not-so-secure-world-wp090991 (20)

State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
Networkers cyber security market intelligence report
Networkers cyber security market intelligence reportNetworkers cyber security market intelligence report
Networkers cyber security market intelligence report
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
MCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability StatementMCGlobalTech Commercial Cybersecurity Capability Statement
MCGlobalTech Commercial Cybersecurity Capability Statement
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security Intelligence
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Qradar Business Case
Qradar Business CaseQradar Business Case
Qradar Business Case
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe Security
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
 

More from Jim Romeo

Jim romeo b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs beJim romeo b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs beJim Romeo
 
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOJim Romeo
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715Jim Romeo
 
IN-N-OUT BURGER
IN-N-OUT BURGERIN-N-OUT BURGER
IN-N-OUT BURGERJim Romeo
 
Chemical Industry in China
Chemical Industry in ChinaChemical Industry in China
Chemical Industry in ChinaJim Romeo
 
Automotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South -Working IIAutomotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South -Working IIJim Romeo
 
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_01132_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113Jim Romeo
 
Counterculture Linux Article
Counterculture Linux ArticleCounterculture Linux Article
Counterculture Linux ArticleJim Romeo
 
Maritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoMaritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoJim Romeo
 
Maritime Executive_HMorrison
Maritime Executive_HMorrisonMaritime Executive_HMorrison
Maritime Executive_HMorrisonJim Romeo
 
Cistera Networks Q and A
Cistera Networks Q and ACistera Networks Q and A
Cistera Networks Q and AJim Romeo
 
FUEL-cleanEnergy
FUEL-cleanEnergyFUEL-cleanEnergy
FUEL-cleanEnergyJim Romeo
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOJim Romeo
 
Dell_whitepaper[1]
Dell_whitepaper[1]Dell_whitepaper[1]
Dell_whitepaper[1]Jim Romeo
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715Jim Romeo
 

More from Jim Romeo (16)

Jim romeo b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs beJim romeo b2 b copywriter - how long should blogs be
Jim romeo b2 b copywriter - how long should blogs be
 
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-TechJim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
Jim Romeo - B2B Copywriter - Supply Chain, Logistics, Software, High-Tech
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIO
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715
 
IN-N-OUT BURGER
IN-N-OUT BURGERIN-N-OUT BURGER
IN-N-OUT BURGER
 
Chemical Industry in China
Chemical Industry in ChinaChemical Industry in China
Chemical Industry in China
 
Automotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South -Working IIAutomotive Logistics Magazine - The Automotive South -Working II
Automotive Logistics Magazine - The Automotive South -Working II
 
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_01132_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113
 
Counterculture Linux Article
Counterculture Linux ArticleCounterculture Linux Article
Counterculture Linux Article
 
Maritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgoMaritime Executive_Out of Gauge CArgo
Maritime Executive_Out of Gauge CArgo
 
Maritime Executive_HMorrison
Maritime Executive_HMorrisonMaritime Executive_HMorrison
Maritime Executive_HMorrison
 
Cistera Networks Q and A
Cistera Networks Q and ACistera Networks Q and A
Cistera Networks Q and A
 
FUEL-cleanEnergy
FUEL-cleanEnergyFUEL-cleanEnergy
FUEL-cleanEnergy
 
AST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIOAST-0002415_MobileSecurity-CIO
AST-0002415_MobileSecurity-CIO
 
Dell_whitepaper[1]
Dell_whitepaper[1]Dell_whitepaper[1]
Dell_whitepaper[1]
 
PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715PulseSecure_Report_HybridIT_120715
PulseSecure_Report_HybridIT_120715
 

managed-security-for-a-not-so-secure-world-wp090991

  • 1. CIOs need a strategy for a secure enterprise in today’s insecure world. It turns out that the infamous TJX Companies breach in January 2007 was only the tip of the iceberg: there has been an explosion of data security incidents in the past few years. In 2008, the Identity Theft Resource Center (ITRC) reported 656 breaches, a 47 percent increase over 2007. And there have been 213 data breaches in the first five months of this year alone. This risky data environment is colliding with an IT landscape of shrinking resources. An April 2009 Lieberman Software survey of IT professionals discovered that 60 percent of respondents work at organizations that have cut their IT budgets, and 40 percent of organi- zations have reduced their IT teams. Such cuts leave fewer resources available to handle the ongoing need for compliance with a bevy of regulations—from the Sarbanes-Oxley Act (SOX) to the Health Insur- ance Portability and Accountability Act (HIPAA) to the Payment Card White Paper: Managed Security Managed Security for a Not-So-Secure World WP090991 8/09
  • 2. Industry Data Security Standard (PCI DSS)—to whatever new transparency requirements will arise from the banking crisis. But business must go on. CIOs must manage security risks while addressing business needs and focusing on revenue-generating activities. This paper offers a strategy for providing data security and protection that addresses the rising data threat landscape, the need for compliance, and today’s lean IT staffs. Good Enough Isn’t Always Enough Unlike conventional projects with a beginning, middle and an end, IT security is never finished. The security program implemented yesterday may not be adequate tomorrow because new threats arise every day. Opportunistic predators, for example, exist both inside and outside the organization. Organized crime is a ma- jor concern from a financial perspective because their motivation is typically financial gain, which causes them to continually seek out potential network infrastructure vulnerabilities, and create new viruses and worms. This has significantly raised the quality of threats that com- panies must defend themselves against. Though most IT managers are vigilant and diligent in us- ing the tools they have to protect corporate data, there are often blind spots that these predators will find and exploit. Ensuring corporate data is safe takes consider- able proactive, continual monitoring—or outside help. “Keeping up with the high traffic in vulnerability disclo- sures is a perennial challenge and an important part of our program since we focus on proactively identifying and remediating risks,” says Michael Glenn, director of information security and chief information security official (CISO) at Qwest Communications International Inc., a managed security provider. “We have to balance our re- sources between our proactive, innovative programs and our reactive obligations, including a growing list of compli- ance auditing, certification and reporting activities.” Those compliance issues can be burdensome. Mandat- ed compliance with a wide and growing variety of state, federal and industry regulations places an increasing strain on IT staff. Being Compliant Some of these regulations, or parts of them, promote data protection within particular industries. For ex- ample, the Gramm-Leach-Bliley Act (GLBA) has privacy stipulations to protect information in the financial ser- vices industry, including companies providing financial products and services to consumers. For example, the GLBA’s Financial Privacy Rule requires financial institu- tions to give their customers privacy notices that ex- plain the institution’s information collection and sharing practices. In addition, customers have the right to limit the sharing of their information. Failure to comply with these regulations can lead to stiff penalties—HIPAA fines, for example, can be as high as $50,000 per violation. And the American Recovery and Reinvestment Act of 2009 will further tighten HIPAA’s privacy and security rules for data breach notification, enforcement, audit trails and encryption. Then there’s the PCI DSS, which governs payment card transactions. Here again, noncompliance can be expensive: for ex- ample, Visa could fine transaction processors between $5,000 and $25,000 a month if the merchants or retail- ers they represent are not PCI compliant. What’s troublesome is that companies often think they’re in compliance but end up finding out the hard way that they’re not. Take the examples of RBS World- Pay and Heartland Payment Systems, which process credit card payments. Before the end of 2008, they were believed to be PCI compliant. However, hackers tapped into their data, including cardholders’ private informa- tion. The point is that just checking a checkbox for compliance may not protect your organization’s data; you must have solid security practices in place to first protect data, and then meet compliance obligations. For more information about Qwest’s managed security services, visit us at www.qwest.com/business [2] Qwest White Paper: Managed Security WP090991 8/09
  • 3. There are intangible costs as well. A breach in security of this magnitude causes a lack of confidence among cur- rent and prospective customers. CIOs and IT managers recognize this threat. In a recent survey conducted by IDG Research Services on behalf of Fiberlink Communi- cations, 81 percent of respondents said that damage to their company’s reputation from a data breach was their greatest concern, followed by legal consequences and costs (79 percent) and loss of critical data (74 percent). Things like proactive network monitoring, testing and tracking, complex firewall configuration, a comprehen- sive vulnerability management program, centralized logging and auditing, an access control program, and sound, comprehensive security policies are necessary for a good security program and to meet compliance obligations. Considerable staff and resources are also required. So, how does the CIO face these challenges? Outsourcing Managed Security Given the security risk climate and the reduction in IT staffs, working with an IT and security service provider is more practical. With the appropriate foundation of outsourced services, security becomes manageable and reliable. Of course, cost is a consideration. You should conduct a thorough analysis of the time and expenses involved in using internal resources and then weigh it against an outsourcing provider’s cost model. For example, the cost of managing and configuring technology is a key component of the total cost of a security program. And you have to consider whether your in-house expertise is up to the task. “Inevitably, difficult economic times can cause other- wise good people to make poor decisions,” says Glenn. “I expect to see a continued need for vigilance against malicious software and attacks like spear phishing that are rooted in fraud, along with the ever-present insider threat. In a downturned economy, you do not want to be significantly cutting your information security program.” To stay abreast of vulnerabilities and threats, IT person- nel must continually expand their knowledge and exper- tise, which can be challenging if budgets do not allow for a fully dedicated security staff or ongoing training. In addition, expert security professionals, especially those with credentials from professional associations, are in high demand, so retaining them can be difficult. On the flipside, a well-recognized, comprehensive security service provider has already gone through the rigors of recruiting and training quality security person- nel. In addition, these teams have been exposed to a variety of enterprise security challenges from a diverse clientele. Tapping into this expertise offers not only a skilled security strategy, but also a fresh look at how to address risks. Another consideration is that IT and business processes are often in flux, due to changing market conditions and business demands. Managing them requires both time and broad experience; organizations with tight IT budgets can suffer process management constraints. An outsourcing partner can add value by bringing a wide range of expertise and the ability to look at the entire scope of a company’s processes to identify potential obstacles or problem areas. Employing the best people and processes are only parts of the equation. You also need the right tech- [3] Qwest White Paper: Managed Security Benefits of an Outsourcing Partner r Staff: Professionally trained talent to manage and implement security programs and plans r Solutions: Carefully researched and selected security technologies r Cost: Lower total cost of ownership for labor and technology through scaling, configuration, maintenance of technology solutions, training personnel, and research- ing processes and products r Knowledge: Experience and knowledge base to discover vulnerabilities, face new security threats and solve complex security problems WP090991 8/09
  • 4. nology. Because new security tools and solutions are introduced every day, evaluating, purchasing and maintaining them requires time and an understanding of how they will best fit the organization. A feasible alternative is to lean on a managed security provider that has experience with a wide variety of solutions, and that can provide a thorough analysis of which tools are most appropriate. Conclusion In the IT landscape, vulnerabilities and threats arise constantly while new and shifting compliance regula- tions place increased pressure on data protection. And CIOs must face these issues with reduced staff and contracted budgets. A solid relationship with a managed service provider can be of great help, freeing CIOs to focus on core business operations, build better relationships with stakeholders and ultimately achieve short and long- term business goals. Using managed services to address security risks is a best practice to reduce costs, ensure compliance and allow IT staff to focus on critical busi- ness operations. Glenn offers this closing advice: “Spend just as much, and preferably more of your energy on building rela- tionships with key stakeholders across your enterprise than you spend learning the bits and bytes of the latest technical toy. If you have the right relationships with your business, you can always find a means to accom- plish your objectives by making your business success- ful through good security practices and risk manage- ment. Learning those technical means together gives you more credibility.” Take an honest look at your internal capabilities, and compare them to what a managed security services provider can offer, including economies of scale. It’s likely that a security strategy that includes outsourcing in its mix will be a cost-effective, practical and winning solution. [4] Qwest White Paper: Managed Security Failing to Comply Data breaches have resulted in disciplinary actions and fines by the Federal Trade Commission (FTC) in numerous cases. Here are a few examples: r The FTC disciplined a Texas-based mortgage company after it failed to provide reasonable security to protect sensitive customer data. Third-party home sellers were able to access private data without security measures in place. A hacker compromised the data by breaking into a home seller’s computer, obtaining the lender’s credentials and using them to access hundreds of consumer reports. Because this mortgage company had inadequate data protection, they were liable for the security breach. r When hackers stole the personal data of some 46 million customers of retail conglomerate TJX Compa- nies, the FTC attributed the breach to a failure by TJX to use reasonable and appropriate security mea- sures on its networks. As a result, a third party must audit the company every other year for 20 years and TJX must show improvement in its network security, service provider selection and how it handles consumer information. The retailer also negotiated a settlement reported at more than $40 million with Visa International. r After it was discovered that hackers had accessed the sensitive information of hundreds of consum- ers, an online seller of computer supplies was admonished by the FTC. The company failed to provide reasonable security to protect sensitive customer data such as personal information and credit card numbers. The vendor suffered bad publicity and diminished overall customer confidence. Source: www.ftc.gov WP090991 8/09