Monday, March 3, 2008

Going beyond technical security controls

Anton last week had this great write-up in ComputerWorld, "Five Basic Mistakes of Security Policy," that hits the 5 basics that so many busy executives look past when leading a security organization.

  1. Not having a policy
  2. Not updating the policy
  3. Not tracking compliance with the policy
  4. Having a "tech only" policy
  5. Having a large, unwieldy policy

One of the biggest we see every day is #4. Most enterprises have some policy in place that they update (typically annually before a pending audit). Their current compliance tracking is provided by one or more software products that unfortunately don't have the full picture.

The reason why comes down to #4. Traditionally, enterprises have pointed a vulnerability scanner, a security event/log manager or some other security software application at a list of IP-addressable assets, generated a few reports, and hoped they had things covered.

Truth be told, this misses so much of the full picture (over 50% per previous blog posts) that even the internal or external auditors don't have enough time to do a comprehensive review. The goal of those auditors is not a "witch hunt"; it's supposed to be to protect the company! So what happens is that each year things get more and more detailed (which is good) as findings from the prior year are addressed, allowing them to "peel the onion" back another layer.

This is why we are seeing the emergence of the IT GRC market that complements and extends the products you point at IP-addressable assets. These solutions use automation techniques to assess security controls around things that are not IP addressable (e.g., people, processes, facilities). The other need these products address is a normalized, unified view of the entire security program. Leveraging scoring from other products, they finally deliver the possibility of 100% visibility into the posture of your entire IT security, risk or compliance program.

Wednesday, February 20, 2008

PCI Compliance not going away - 42% not compliant

My inbox, like yours, is filled with numerous advertisements and spam on a daily basis, but this one actually grabbed my attention! It started out by saying;

"according to VISA, 42% of large and medium-sized US merchants did not reach their respective PCI compliance deadlines. The penalty of non-compliance is merchants incur monthly fines (up to $25,000) until they meet and sustain data security compliance requirements."

Now that is some attention grabbing marketing and I plan to be on that virtual seminar.

Almost half (and that's not a stacked number including small US merchants) is a very surprising number. I looked around trying to find information behind the survey results but to no avail, so I'll be listening on the call for some details and facts to back it up. Being that our IT GRC solution helps ensure that an enterprise is completely compliant with any regulation, I would like to hear what the top 2 or 3 reasons are they aren't yet compliant to see if they map up to what we are hearing.

Wednesday, February 13, 2008

Gartner IT GRC Predictions

I just had a chance to take a look at some recent research put out by Gartner on the IT Governance, Risk & Compliance Management space (IT-GRC).

They do an artful job laying out the customer desired capabilities and scoping the size of the market opportunity.

A couple key points to soak in:
  • IT GRCM products provide functions that address needs expressed by 75% of the Gartner client base.
  • Gartner estimates that software license revenue for vendors...was $73 million for 2007, and we project a growth rate of 70% for 2008.
This reinforces previous posts with hard numbers that 2008 is indeed the year of IT Risk Management. Here are links to those previous posts...


I highly recommend heading over to Gartner's website and reading each report.
Then come take a look at how Securityworks can help solve your IT-GRC needs by accomplishing those defined needs and capabilities.

Monday, February 4, 2008

What is GRC vs. IT GRC - How does it help IT Security mature to the next level?

AMR Research shows that total GRC spending approached $30B last year. The technology portion (e.g., software, hardware & integration services) of that spending is around a third of it (approximately $10B).

GRC is a very broadly defined space - very broad! To gain a better understanding and appreciation for that, here is a newly released map that identifies various areas and their relationships.

Another AMR Research note talks about the current maturity point of Enterprises implementing GRC.

So where does Securityworks play in this "GRC Ecosystem?" We are coming at it through the eyes of an IT Security Executive.

Our goal: how can we make the IT audit process more efficient and less frustrating for the IT security organization? When you look back at the model above, we fit in the area called "IT GRC," which leverages and complements current IT security management investments (e.g., vulnerability scanning, configuration policy management, SIEM) to accomplish this. If your enterprise already leverages these products then it's ready for the next step in the maturity curve, which is IT GRC. Just to get an idea of some of the unique capabilities that extend your current IT Security investments, please check out our newly posted product demos. Live product in action, no sign-up requirements, etc. Just pure knowledge.

Monday, January 28, 2008

Compliance costs not slowing down - technology automation to the rescue

Deloitte - Navigating the Compliance Labyrinth offers some great tidbits from recent surveying of financial executives.

  • Compliance costs continue to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.
  • Primary costs continue to be driven by applying people, not technology, to the problem.
  • And the kicker from our perspective: measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM). The bottom line is taking a process-management-based approach backed by technology: commercial solutions (not home grown) that give enterprises the opportunity to use technology automation to reduce the people doing mundane, manual tasks, with the result of reduced compliance costs!

Tuesday, January 15, 2008

2008 - The Year of IT Risk Management, Part 3 - More and more GRC oriented predictions!

I keep thinking I'm going to be able to move on to other topics related to IT Risk & Compliance management, but it's hard to when my blog reader keeps popping up more and more articles and postings that talk about 2008 predictions and how GRC and IT GRC are going to be the "in thing" this year for IT Security groups.

IT & Compliance: 5 Big Predictions for 2008 highlights "...Managerial evolutions, such as process-centric IT and better application of risk-management principles to information security management, will help companies refine and streamline IT governance and compliance."

The post continues on later with two of the five predictions touching on capabilities or features of IT GRC products.

Friday, January 4, 2008

2008 - The Year of IT Risk Management?

I've been busy over the holidays enjoying everyone's blogs and articles recapping 2007 and making predictions for 2008. Among other things highlighted in those articles, a common point pertains to Securityworks around "true" IT Risk Management (what I mean by "true" is that the message is coming from companies who didn't adjust their marketing to be en vogue - e.g., SIEM products or Vulnerability Assessment products).

Before IT Risk Management was "cool," Securityworks has been out there working away on it (for over 4 years now).

One of my favorites that highlights this prediction for 2008 is over at Rational Survivability.

-snip-

Compliance stops being a dirty word & Risk Management moves beyond buzzword
Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies. In many people's assessment then, compliance equals security. This is an inaccurate and unfortunate misunderstanding.

In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.

We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk. Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two. For most, it's the best they've got.

What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.

The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and action set with which they need to be conversant will yield huge benefits this year.

-snip-

Well said (but then again I'm biased)!

Friday, December 28, 2007

IT Risk Management vs. Information Security survey

I was playing catch-up on blog reading and came across this interesting post by a favorite blogging colleague of mine, Anton Chuvakin, "Review of my 2007 Security Prediction: Too Wimpy."

Prediction #4 about Risk Management led to some very intriguing survey results. Here is a copy of the graphic from those results, which says it all...

A personal point I can add here is this actually makes some sense to me.

Here at Securityworks we are 100% focused on talking IT Risk Management. When I talk with customers they are usually talking (strategic = risk) vs. (tactical = security). Another thing to realize is that IT risk encompasses more than technical control monitoring/management solutions (that is only 50% of the scope, as discussed in my previous post). IT Risk also spans people & processes (e.g., non-technical controls). Since that typically requires getting into process improvement, it is naturally discussed as a strategic initiative due to the time/effort associated with it.

So now, with 2007 ending and looking ahead to 2008, we should be using this opportunity to be more strategic before tactical day-to-day tasks re-consume us. IT-GRC solutions (which is what Gartner, Forrester, etc. are calling these solutions) help you do this! So go ahead, take a look...this is going to be a hot area for 2008 based on what I'm seeing and hearing, for a variety of reasons.

Thursday, December 27, 2007

Healthcare Best Practices Security Framework

We are excited to see this announcement about the formation of HITRUST (Health Information Trust Alliance), a health care vertical-specific initiative around establishing and collaborating on information security best practices. Why are we excited? Our solution (along with other IT-GRC solutions) is specifically designed to enable major enterprises to consolidate, centralize and simply organize their Information Security Framework from the top down in an actionable, trackable way.

Thursday, December 20, 2007

Is Security about improving the operational efficiency of IT?

Just had the chance to check out Ernst & Young's 10th Annual Global Information Security Survey: Achieving a Balance of Risk & Performance. It's a very detailed document that has a ton of great information. What caught my eye this morning was the answers to the question:

What is driving information security?
  • Compliance with regulations
  • Privacy and data protection
  • Improving IT and operational efficiency
The first two didn't really surprise me, but I found this last one really interesting. After re-reading that section of the survey I found myself re-phrasing it a little into "Improving the operational efficiency of IT." Hmmm, another independent point back to something I was pondering the other day.

These days I'm personally more focused on the vendor side of software product life cycles (e.g., design, implement, test, feedback). With that said, this smells very similar to the role a Quality Assurance/Testing organization plays for the Development organization. While R&D is focused on understanding what needs to be built and attempting to deliver that capability ASAP, QA is always helping, or sometimes battling, R&D by finding problems/issues/exposure points, etc.

The role of security, just like QA, is not to hinder its operational/development counterparts, but to help mitigate exposure/risk in a proactive way. Bottom line, it's been my experience that it's better to find a problem early than late (major cost savings, greater customer satisfaction, etc.).

I may be out in left field here but I'm simply pondering out loud the placement and priority given to Security/Risk/Compliance Management versus the overall purpose of the business.

Take a look at the survey and please throw down in the comments what you found interesting.

Thursday, December 6, 2007

Is there a "silver bullet" to IT Compliance Management?

by: Ryan Shopp

A few times I've found myself getting confused or having trouble explaining the relationships between policies, standards, controls, audits, etc. when answering questions about IT Compliance & Risk Management. I came across a great two-part thread in my blog reader that helped crystallize things for me. It also enabled me to finally lay out a logical response to a request I hear often: is there a "silver bullet" to my IT compliance program? Here are some of the key points (from that posting) that help me answer that better now.



  • ...numerous standards organizations have issued leading or “best” practices for control design and implementation; however, neither SOX (Sarbanes-Oxley Section 404) nor the PCAOB (Public Company Accounting Oversight Board) recommends a specific set of controls.

  • ...In 2004, (PCAOB) issued a statement that COSO (“Committee of Sponsoring Organizations’ Internal Control—Integrated Framework"), or any other generally accepted control framework could be used. Note: it did not say COSO was the only one.

  • But COSO can pose a problem...COSO doesn’t set out details. As its name implies, it is a framework.

  • Each organization must still go through the difficult process of setting out its own system of internal control to meet its perception of COSO—which, in broad terms, is more of a philosophy than a set of rules.

  • To fill the gap between theories and practice in implementing effective general IT controls, managers have turned to other externally developed standards and frameworks, such as the Information Technology Infrastructure Library (ITIL) from OGC, CobiT from ISACA, or the 20000-series of information security standards from the ISO/IEC


Bottom line, today there is no "silver bullet" for an enterprise. They can't simply flip a switch (or install a software product) and say "we have all the IT controls in place we need to meet x, y or z." It's a process, which must start with a starter kit of controls and then review, massage and even extend them based on your unique business vs. compliance requirements. To make this "process" workable you need to automate various portions of the process itself; only then will IT compliance close in on the proverbial "silver bullet."

Special thanks to Xenia Ley Parker's posts on IT Compliance Institute for the informative thread.

Auditor Answer: Can Internal Policies Overrule the "Rules?"
Auditor Answer: What are the "Right" Controls?

Monday, November 26, 2007

Industry trends - Survey results on Risk Management

Posted by: Ryan Shopp

While Bryan continues to blog about practical experiences in IT Risk Management, I'm going to aggregate some key trends and insights on the industry as a whole. As previously promised, we will continue to stay away from product advertisements, etc. Just useful (hopefully) insights.


The Convergence of Physical and Information Security in the context of Enterprise Risk Management. Survey and report conducted by Deloitte.

Some key points/snippets from the report:

...As it stands today, senior management typically sees security more as a tactical function than a necessary component of business processes or decision making.

...one of the challenges that must be mastered to achieve value is “integrating security strategy across the enterprise.” Rather than approach security in an uncoordinated and functionalized fashion, businesses need a top-down approach coordinated by a senior executive to optimize the effectiveness and efficiency of the overall security system.

...for effective risk management, it is necessary to:
• Adopt a common operational framework
• Reduce autonomy while retaining authority
• Collaborate on all forms of enterprise security risks
• Provide better risk information for decision making
• Go beyond data sharing to collaborative planning and decision making

The document is over 50 pages long and also includes example case studies and many more graphics with survey results, etc. A must for any organization looking to better align its security program with business initiatives and goals. The document even offers a risk management maturity model and insights around climbing up that maturity model.