Viruses, hacker exploits and dishonest employees don’t begin to cover the many ways data and systems can be compromised. Meanwhile, according to our global security survey, just 37 percent of respondents had an overall security strategy in place. We asked five information security experts which security problems need the most attention, and what they would do to fix them.
Chief Security Officer, AT&T
From what I’ve seen, CIOs do not have a good understanding of how vulnerable (or not) their businesses are to malicious attack.
Some CIOs incorrectly assume they can reduce their security budgets because they have not been hit recently with a virus. This is not an accurate security metric, by any means. On the other end of the spectrum, we see CIOs who cry wolf at every opportunity, referring to the mostly useless alarms generated by intrusion detection systems as “attacks.” This is a similarly inappropriate metric, leading to decisions based on exaggerated risk.
There is no simple solution to this tough problem. In fact, the only way to fix it is through the gradual and painful maturation process that the information security discipline must undergo. Every professional field—especially in science and engineering—begins with wild swings between what is viewed as reasonable and what is viewed as nonsense. Mathematics has its numerology, chemistry has its alchemy, astronomy has its astrology, and so on. Information security, as a discipline, must weed out silly and inaccurate views. This will result in a more mature field, one based on well-founded underlying scientific and engineering principles. Medicine, for example, is based on biology, chemistry and the like. An information security profession should be based on mathematics, system engineering and computing. Only then will CIOs have a reasonable base on which to determine whether they are vulnerable.
Senior Analyst, Enterprise Security Technologies, Forrester Research
The biggest problem I see is how to adapt to changing business climates. We’re fundamentally changing the way we do business. We’re sharing data with people we never thought we’d need to share data with. We get access to our data from all sorts of places, from our offices in upstate New York to coffeehouses in Bangkok. At the same time, compliance mandates mean that we’re ever more accountable for the data we store and process. And security spending is shrinking as a proportion of overall IT budgets.
The typical IT security model today often amounts to a smattering of Band-Aid solutions that fail to address underlying causes of what is causing the security problems in the first place. What’s more, we assume that the good guys are “inside” our environment, and the bad guys “outside,” whereas in reality we often share more sensitive information with contractors and suppliers than we do with our own employees. Most security controls assume that we control the infrastructure where our information resides.
CIOs must create a new security model, one that includes these steps:
Articulate the value of security. CIOs need to be able to talk about the most important information risk management challenges facing the organization, and how these challenges affect the way the organization does business.
Create a proactive security plan. Instead of simply responding to the latest threat or compliance mandate, get more involved with the business and start setting security requirements right at the start of the business requirements definition stage. Then you can start to design security into your IT environment, rather than tacking it on at the end.
Identify and protect critical information assets. Since our IT environments are now so diverse, we can’t expect to secure everything. So we need to concentrate more on securing our critical assets. That means knowing what those information assets are, and where they end up throughout the information lifecycle, and that’s harder than you’d think since most businesses haven’t done a thorough examination of their business processes. We then need to embed security into all our processes to make sure that information is protected whenever and wherever it is.
President, Internet Security Advisors Group
Compliance is giving short shrift to proactive security. Today’s security budgets are being disproportionately allocated to what is scrutinized the most, rather than what is most valuable. Compliance-driven security concerns only financial systems and fails to protect intellectual property (IP) systems and others that have core value to the organization. CIOs must have auditors look at non-financial systems and make systems to protect IP a requirement.
Furthermore, many CIOs still allocate money to IT security according to an information systems management mindset. They’re saying, If we spend $100 million on computers, we’ll spend 5 percent to protect those computers. But IT security is about protecting the value those computers represent—that is, the value of the information, which has very little to do with how much the computers cost. A bank is not protecting $100 million of technology; a bank is protecting the quarter-trillion dollars a year in transactions through those computers.
To get buy-in for an appropriate budget, you must represent security in business and financial terms. Let’s say you have a formula for a pharmaceutical drug, Drug X. If the formula for Drug X gets out, for example, that leak will cost X amount of dollars in revenue. And that equates to a loss of market capitalization. If you lose 10 percent of Drug X sales to the black market, maybe that comprises 5 percent of the pharmaceutical company’s annual revenue. That is demonstrable loss to justify your budget.
Stuart M. McGuigan
Senior Vice President and CIO, Liberty Mutual Group
The most pressing security challenge we face is running an effective program that still enables business growth and agility. The security choices we make must be based on common sense and sound, practical risk management rather than a knee-jerk reaction to a new risk that, in reality, has a low probability of affecting the company. To ensure that our decisions are practical, we work with our business units to help them understand the information security risks and exposures that the company actually faces, rather than overreact to what is in the press at the time.
Once security policies and investment decisions have been made, IT focuses on minimizing the impact we have on our business operations as we implement our security capabilities. Publishing a policy without an implementation plan could cause unnecessary work for our business and system support groups. Likewise, selecting too-difficult or too-expensive security controls will result in a larger business impact than is justified for mitigating the risk.
As an example of this, Liberty Mutual identified the need to improve authentication (e.g., the process of verifying you are who you say you are) for specific business reasons. A policy was established and an initial technology direction was set. After carefully assessing the business factors and implications, we selected a simple two-factor authentication method that involved asking users a second question to identify themselves (such as providing their mother’s maiden name, or the name of their favorite sports team). This solution turned out to be much simpler, more intuitive and less expensive than requiring the business users to carry a remote keypad, bingo card or some other type of hardware device to identify themselves. This solution will enable us to manage costs while providing a faster path to fuller adoption of the technology and the realization of its security benefits.
Lastly, we want to meet regulatory requirements appropriately. If we focus on doing the right things for our business and for our customers, our security protections should be enablers to our business operations. Our regulatory compliance should then be a natural by-product of these “customer care” principles. A good example of this is our response to the data breach notification laws. We addressed some of our risks related to these laws with hard-drive encryption for our laptops. We worked with one of our key customers to ensure that sensitive information stored on laptops and used to conduct business with them was adequately protected from unauthorized access. Our encryption solution did not affect laptop access or speed.
Global Information Protection Architect, Chevron
One of IT’s most pressing issues today is securing the computer systems used to monitor and control equipment in critical industries such as oil, gas and water. These industrial measurement and control systems, called Supervisory Control and Data Acquisition (SCADA), have automated the manufacturing process and safety systems in refineries, chemical plants and offshore platforms. They monitor and control such things as pipeline pressure, wellhead pressure and storage tank levels of very volatile materials.
Because these processes are typically running on PCs or servers and they are connected to the office networks, they are susceptible to many of the same threats and vulnerabilities as back office systems. Unfortunately, the vendors of SCADA hardware have not recognized the need to address security. It’s up to IT to step in and help operations and manufacturing address the problem. Chevron is working with the SCADA vendors to define and address security requirements.
In the past, manufacturing has been resistant. But it’s critical that they are brought together. Because they have traditionally not been networked beyond their SCADA systems, the manufacturing side usually doesn’t see a vulnerability to spyware and worms, for example. CIOs have done an excellent job of identifying those types of threats and vulnerabilities to back office systems, and they can take that to the manufacturing side.
The first step is for CIOs to help their manufacturing compatriots understand they have a problem. I would get support from the COO to do a security assessment of the process automation system and determine manufacturing’s vulnerabilities. I would answer the question, What would occur if these vulnerabilities went unchecked? Then I would take those results to the head of manufacturing and say, Here’s how IT can help.
Then I would create a security strategy from four basic IT security tools: policies, processes, people and technology. I would develop operational policies and standards that address security risks and define roles and responsibilities, and define who should take action. For example, I would define the frequency of updating patches and antivirus signatures and who is responsible for executing the task.
An example of a process would be one to assess vulnerabilities by, for instance, checking certain configuration patch levels and network connectivity points on a periodic basis. I would train individuals how to implement security measures and give everyone appropriate technology to carry out security policies. From my perspective, the policies, processes and people are as critical as any technologies we have.