Friday, December 28, 2007

IT Risk Management vs. Information Security survey

I was playing catch-up on blog reading and came across this interesting post by a favorite blogging colleague of mine, Anton Chuvakin, "Review of my 2007 Security Prediction: Too Wimpy."

Prediction #4 about Risk Management led to some very intriguing survey results. Here is a copy of the graphic from those results, which says it all...




A personal point I can add here is that this actually makes some sense to me.

Here at Securityworks we are 100% focused on talking IT Risk Management. When I talk with customers they are usually talking (strategic = risk) vs. (tactical = security). Another thing to realize is that IT risk encompasses more than technical control monitoring/management solutions (that is only 50% of the scope, as discussed in my previous post). IT Risk also spans people & processes (i.e., non-technical controls). Since that typically requires getting into process improvement, it is naturally discussed as a strategic initiative due to the time/effort associated with it.

So now, with 2007 ending and 2008 ahead, we should use this opportunity to be more strategic before tactical day-to-day tasks re-consume us. IT-GRC solutions (the name Gartner, Forrester, etc. are giving these solutions) help you do this! So go ahead, take a look...this is going to be a hot area for 2008 based on what I'm seeing and hearing, for a variety of reasons.


Thursday, December 27, 2007

Healthcare Best Practices Security Framework

We are excited to see this announcement about the formation of HITRUST (Health Information Trust Alliance), a health-care-specific initiative around establishing and collaborating on information security best practices. Why are we excited? Our solution (along with other IT-GRC solutions) is specifically designed to enable major enterprises to consolidate, centralize and simply organize their Information Security Framework from the top down in an actionable, trackable way.


Thursday, December 20, 2007

Is Security about improving the operational efficiency of IT?

Just had the chance to check out Ernst & Young's 10th Annual Global Information Security Survey: Achieving a Balance of Risk & Performance. It's a very detailed document with a ton of great information. What caught my eye this morning were the answers to the question:

What is driving information security?
  • Compliance with regulations
  • Privacy and data protection
  • Improving IT and operational efficiency
The first two didn't really surprise me, but I found the last one really interesting. After re-reading that section of the survey I found myself re-phrasing it a little into "Improving the operational efficiency of IT." Hmmm, another independent point back to something I was pondering the other day.

These days I'm personally more focused on the vendor side of software product life cycles (e.g., design, implement, test, , feedback). With that said, this smells very similar to the role a Quality Assurance/Testing organization plays for the Development organization. While R&D is focused on understanding what needs to be built and attempting to deliver that capability ASAP, QA is always helping, or sometimes battling, R&D by finding problems/issues/exposure points, etc.

The role of security, just like QA, is not to hinder its operational/development counterparts, but to help mitigate exposure/risk in a proactive way. Bottom line, it's been my experience that it's better to find a problem early than late (major cost savings, greater customer satisfaction, etc.).

I may be out in left field here but I'm simply pondering out loud the placement and priority given to Security/Risk/Compliance Management versus the overall purpose of the business.

Take a look at the survey and please throw down in the comments what you found interesting.


Tuesday, December 18, 2007

Is IT Risk Management the Union of IT Security & IT Operations?

This morning I read this statement from PCI Expert James DeLuccia IV and it struck a chord...

-snip-
"The best risk management initiatives don't simply protect data, they help the company to run more effectively," he said. "This is the case when equal consideration is given to areas like system continuity and service delivery that support operational measures. It's the blending of business necessity with core methods for data security that ensures overall risk management."
-snip-

Over the last couple years I've read and heard about the pending convergence of Security & Operations Management but we still haven't really seen it occur. With more and more attention being given to Risk, maybe it's right around the corner.

After reading this snip, it reminded me of the emphasis applied to programs/organizations embracing TQM or other re-engineering practices back in the mid-1990's. Security and Operations Management are rooted in tactically solving pains: Operations focuses on keeping IT resources up and running while Security focuses on protecting those IT resources. Those two ideals, from time to time, come into conflict. By taking a business-goals-driven, "quality-oriented" look at IT from the top down we may find a union between Operations & Security.

The snip was found in the article "PCI Expert James DeLuccia IV Suggests Retailers Address Both Sides of Risk Management - Security and Business Availability".


Thursday, December 13, 2007

Users continue to ignore security policies, while security organizations are overlooking non-technical controls

IT Compliance Institute had an article posted this morning that reinforces the point: "it's not the software/hardware/infrastructure/etc. but the people and processes that expose the biggest risks to a company."

The article doesn't reveal who/where the survey was taken but it does highlight some key security items that people usually cut corners on.

  • Fifty-six percent said they had accessed office e-mail via a public wireless hotspot.
  • Fifty-two percent said they had accessed office e-mail via a public computer.
  • Eight percent admitted to having lost a mobile device containing corporate information.
  • Sixty-three percent admitted to sending corporate documents to their personal e-mail addresses so they could work at home.
There are security technologies out there (e.g., encryption, data leakage prevention) that can help with each item, but the challenge is keeping up with the other IT technologies being deployed and the business demands/challenges the users are trying to productively solve. Bottom line, you can't bypass making sure you have the right policies, procedures and education in place for your users (aka non-technical controls).

After reading this I decided to do some searching around for some type of survey numbers on technical vs. non-technical controls. I didn't see much out there but did come across this ("Is Information Security Under Control") from the IEEE Computer Society, published in early 2007.

The survey focused on 80 of the highest quality security controls as determined by a group of experts. From that list of 80 there wasn't a place that specifically counted the number of non-technical vs. technical controls, but there were two very interesting graphs.

The first one (figure 2 in the article; see below) showed the top 10 with the highest level of quality implementation. It revealed that 6 are technical controls and 4 are non-technical controls. Meanwhile, the second graphic (figure 3 in the article; see below) showed the bottom 10 related to quality of implementation. It revealed that 3 are technical while 7 are non-technical.



So just running crude numbers here shows 11 of those 20 were non-technical controls while 9 were technical controls. The article goes on to make the statement "...we found that of all 80 practices surveyed, management controls (non-technical controls) had substantially lower implementation ratings than controls in the technical and operational categories... Organizations must realize that a large proportion of information security problems extend far beyond technology and learn to appreciate the role that less technical controls, such as policy development, play in minimizing security breaches' impact on mission-critical operations."

So this raises the question, "when was the last time your security group considered software products that help with managing these non-technical controls instead of just technical controls?" I've talked with numerous enterprises that have installed or are investigating various software products like Vulnerability Assessment, Patch/Configuration Management, Antivirus, SIEM, data leakage prevention, etc. Maybe it's time to do something for your non-technical controls also and consider adding IT-GRC products to that 2008 budget/priority list.


Tuesday, December 11, 2007

Data & Application Security demand continues to rise

If you don't have this blog marked in your RSS reader or linked from your blog roll you are missing out! The candid perspectives Rich Mogull shares over at www.securosis.com are outstanding and extremely insightful when you take the time to read and ponder them. Here are some recent gems:

Rich recently blogged about the upcoming trend of data and application security driving security business growth in the next 3-5 years. In that post he articulated the "rise of data security" through a very concise recap of why/how we came to where we are today.

Then I must also give major kudos to his crack editing and spoof video on public sensitive data breaches called Data Breach Wars.

It's extremely entertaining for the first 60 seconds!!! Then unfortunately it starts to drag on a little (sorry Rich, maybe if the scrolling went faster). It does drive home a key point: data breaches are not slowing down but increasing exponentially, and will continue to increase until enterprises take a more strategic, not just tactical, approach to Security, Risk & Compliance Management of their data and applications.

Thursday, December 6, 2007

Is there a "silver bullet" to IT Compliance Management?

by: Ryan Shopp


A few times I've found myself getting confused or having trouble explaining the relationships between policies, standards, controls, audits, etc. when answering questions about IT Compliance & Risk Management. I came across a great two-part thread in my blog reader that helped crystallize things for me. It also enabled me to finally lay out a logical response to a request I hear often: is there a "silver bullet" for my IT compliance program? Here are some of the key points (from that posting) that help me answer that better now.



  • ...numerous standards organizations have issued leading or “best” practices for control design and implementation; however, neither SOX (Sarbanes-Oxley Section 404) nor the PCAOB (Public Company Accounting Oversight Board) recommends a specific set of controls.

  • ...In 2004, (PCAOB) issued a statement that COSO ("Committee of Sponsoring Organizations' Internal Control—Integrated Framework"), or any other generally accepted control framework could be used. Note: it did not say COSO was the only one.

  • But COSO can pose a problem...COSO doesn’t set out details. As its name implies, it is a framework.

  • Each organization must still go through the difficult process of setting out its own system of internal control to meet its perception of COSO—which, in broad terms, is more of a philosophy than a set of rules.

  • To fill the gap between theories and practice in implementing effective general IT controls, managers have turned to other externally developed standards and frameworks, such as the Information Technology Infrastructure Library (ITIL) from OGC, CobiT from ISACA, or the 20000-series of information security standards from the ISO/IEC.


Bottom line, today there is no "silver bullet" for an enterprise. They can't simply flip a switch (or install a software product) and say "we have all the IT controls in place we need to meet x, y or z." It's a process: start with a starter kit of controls, then review, massage and even extend them based on your unique business and compliance requirements. To make this process manageable you need to work to automate various portions of the process itself; only then will IT compliance close in on the proverbial "silver bullet."

Special thanks to Xenia Ley Parker's posts on IT Compliance Institute for the informative thread.

Auditor Answer: Can Internal Policies Overrule the "Rules?"
Auditor Answer: What are the "Right" Controls?


Wednesday, December 5, 2007

A top-down approach to Risk & Compliance Management could have saved TJX some serious money

by: Ryan Shopp

Everyone, including me, keeps reading about the TJX data breach. Here are some prime snippets from a few recent articles I've read.

...Industry analysts have estimated the total costs to TJX from $500 million to as much as $1 billion, when legal settlements and loss of market share and sales are included...

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

"At TJX, we have learned a great deal about the risks of cyber attacks and have responded aggressively to take our own security to even higher levels. We have also learned about the heightened security risks that exist across the entire US retail and banking industries as a result of today's high tech criminals."

The bottom line here is that companies could avoid these types of situations if they took a strategic, top-down approach (aligned with the business goals) to IT Risk & Compliance Management instead of simply applying a variety of point solutions. Many times the major gaps will be found in people or process, not technology.

These snippets were taken from the following articles published by Banking Information Security:
TJX, Visa Agree to $40.9 Million Payout for Data Breach - December 2007
TJX Update: Breach Worse Than Reported - October 2007
TJX Report: Wake-up Call for All Institutions - September 2007