by Bill Brenner

Why CIOs are Resetting Information Security Priorities

Sep 29, 2010

Business partners with shoddy information security. Cloud computing vendors with dubious risk controls. What’s a CIO to do? Our annual Global Information Security Survey tracks the trends.

The threats and challenges you face haven’t changed much in the past year, but you’re finding a better recipe for protecting your corporate data and networks, according to our eighth annual Global Information Security Survey.

“There’s a real sense of tension in this year’s numbers; a sense that with the change in the economy there’s been a resetting of expectations,” said Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers, which conducted the study on behalf of CIO and CSO magazine, a sister publication.

Of the 12,847 business and technology executives surveyed worldwide, 67 percent place a priority on security procedures that help your organization minimize risk. But you realize you must make do with more targeted spending on technology and bring in outside security expertise to manage what your IT staff can’t. Here’s why:

You want to embrace cloud computing because it makes your IT operations leaner and less expensive. But your understanding of cloud security hasn’t advanced much in the last year. You have to be cautious.

Your customers want to spend their money online and use more fancy apps to do it—and on mobile devices, too. So you have to guard against vulnerabilities attackers can exploit to steal your customers’ private data and other core assets. What’s more, government and industry regulations often require such protections. Meanwhile, increasingly complex business relationships are forcing you to give outsiders greater access to your internal systems. You need protection from an attack against a business partner that might spill over to your network.

The financial meltdown two years ago may have stalled some of your security initiatives, but 56 percent of you said increasing risks have elevated the role and importance of security at your company. There’s no turning back from what you’ve started.

Caution in the Cloud

Sixty-two percent of you have little to no confidence in your ability to secure any assets that you put in the cloud. Even among the 49 percent of respondents who have ventured into cloud computing, more than a third (39 percent) have major qualms about security.

Asked what they think is the greatest risk to their cloud computing strategy, respondents said they were uncertain about their ability to enforce security policies at a provider site, and were concerned about inadequate training and IT auditing.

James Pu, CIO for the Los Angeles County Employees Retirement Association (Lacera), is among the skeptics. He says he loves the flexibility and agility cloud computing could provide, but he’s wary of the inherent availability and security risks.

“As good as it is today, you don’t have the same reliability as you have with a local-area network,” says Pu, who does double duty as Lacera’s information security officer. “I also worry about the third parties involved.” Cloud vendors, he notes, use third parties to host data centers and hardware. And those hosts may hire people without doing necessary background screening. “When data goes into the cloud,” Pu says, “all it takes is a software bug to accidentally reveal my data.”

Larry Bonfante, CIO of the United States Tennis Association (USTA), on the other hand, is among those IT leaders who are cautiously moving to the cloud. From a security standpoint, his greatest concern is protecting consumer data—a tall order given that, for example, approximately 80 percent of tickets for U.S. Open matches are purchased online. He isn’t ready to let those transactions happen in the cloud yet because he is not convinced that all the technological pieces are in place to do it securely. But he feels differently about his back-end financial and reporting systems.

He’s moved all internal back-end systems to the Amazon Web Services platform, believing that Amazon’s security resources will supplement those of his own organization. Bonfante says the benefits include lower costs and fewer servers for his IT staff to baby-sit, which has allowed him to deploy new solutions more quickly. He says the cloud has also reduced the USTA’s carbon footprint: Less on-site hardware means less energy is used to power the IT shop.

Before cloud computing can become universally accepted as a secure option, a few things have to happen, says Ken Pfeil, CSO for a large mutual fund company in the Boston area and formerly CSO for financial companies Capital IQ and Miradiant. (Pfeil spoke for himself and asked that his current company not be named.)

First, he says, security experts must come up with more specific guidelines for which kinds of data are acceptable to store in the cloud, be it customer information or intellectual property. He also wants clarification from regulatory agencies such as the Securities and Exchange Commission as to how financial reporting controls should work in the cloud.

He’s not satisfied that those questions have been answered, especially when it comes to the kinds of financial data that can go to the cloud. Therefore, his company is avoiding it for now.

Keeping Tabs on Business Partners

You still have a choice as to whether to trust cloud vendors to manage your data. Your relationship with business partners is more complicated.

Survey respondents are somewhat more concerned than they were last year that their own security is threatened because the security of their business partners and suppliers has been shaken by the recession. More than three-fourths (77 percent) of respondents agreed that their partners and suppliers had been weakened by the recession, up from 67 percent a year ago.

“Companies are increasingly dependent on third parties whether they like it or not, and those partners need access to your IT infrastructure and your data,” Lobel says. “That’s tough when times are good and scary when times are bad.” Facing their own business problems, third parties need to cut costs just like you do, and they may slash security controls in the process, he says.

Josh Jewett, senior vice president and CIO for Family Dollar, says the company has taken steps to ensure business partners don’t compromise its security. “We hold third parties accountable not only contractually, but also operationally,” he says. “They must demonstrate they meet the same security standards we have internally.”

Family Dollar’s partners are also subject to periodic scrutiny by the company or an independent auditor. If their practices jeopardize the company’s data or business continuity, it has the contractual right to terminate the relationship.

Similarly, Lacera’s Pu, who is also a certified IT auditor, borrows a tactic President Ronald Reagan used to enforce nuclear arms treaties with the former Soviet Union: Trust but verify. “Third parties are often required to put their security procedures on paper, but there is never the follow-up to verify. We check up on them,” Pu says. “We ask vendors a lot of questions and we limit what they can access. When they come in, we make sure they are escorted.” What’s more, business partners aren’t allowed to connect computers to Lacera’s networks without using approved security measures, and they must abide by clear rules governing how data can be used.

If any data or applications are not relevant to a business need, partners don’t get access to it. The data or application must be directly tied into whatever initiative—such as an event—the two sides are working on together, Pu says.

Bonfante feels much the same way about giving business partners access to his systems. Financial applications are locked down. Partners also can’t access parts of the network where customer data is housed. Under those conditions, he feels pretty safe about sharing other parts of the network.

“There’s always some concern, but we work with our partners to ensure things like encryption and password protection” are used, he says, adding that data flowing between USTA and its partners is encrypted. That way, it’s indecipherable and therefore useless to a rogue outsider who tries to access it.

Pfeil says that to ensure secure business partnerships, companies need to get security personnel involved before business leaders choose who will provide third-party services. Security experts will eye potential partners’ security controls more carefully than, say, the events and marketing people who identify and pursue these partners. Security practitioners are also more likely to insist that partners give each other a detailed tour of their security operations.

Like Jewett, Pfeil is a stickler for cut-and-dried contract terms. “Security must be in the language. How will authentication be handled? How will data be handled in motion and at rest? Which side is responsible for which controls? You must answer all these questions,” he says.

In Outsourcers We Trust

Companies may put business partners’ security under scrutiny, but many IT and business leaders acknowledge they can’t always keep that information secure internally—at least not without help from outside experts.

More than half (52 percent) of survey respondents said that outsourcers, also known as managed security service providers (MSSPs), are important or very important to accomplishing their security objectives. Another 19 percent said outsourcers play some role. Meanwhile, more than 30 percent cited outsourcing of some or all security functions, such as e-mail filtering and management of application firewalls, as a top priority in the next 12 months, up from 18 percent a year ago.

While these numbers don’t represent a tidal wave of change since last year, Lobel says they do signal a shifting of the winds.

The greater interest in outsourcing “is an outcome of the cut in IT services,” he says. For example, companies are no longer as willing to pay someone in-house to monitor security operations overnight when a vendor can do it for less. “The cost of doing a bad job in-house is cheaper than what vendors will charge you, but the cost of doing security really well in-house is more expensive than what vendors will charge,” Lobel says.

Companies realize it’s better to put security in the hands of those who are immersed in it, says Warren Axelrod, a former CSO and author of the book Outsourcing Information Security. “If you need surgery, you would rather go to a surgeon who does five of these procedures a day instead of one a month.”

More than 30 percent of survey respondents are making outsourcing an important priority so they can establish security safeguards that aren’t currently in place, including functions such as e-mail filtering and penetration testing. Meanwhile, 60 percent said they already outsource the secure disposal of technology hardware and 59 percent said they’ve delegated administration of password resets. In the areas of strategy and standards, 32 percent said they have outsiders helping them establish security baselines for external partners, suppliers and other IT vendors. Twenty-four percent outsource their centralized security information-management procedures.

Family Dollar’s Jewett says his company has hired a variety of service providers to execute and audit portions of its security program. He declined to go into detail about which items he outsources and why, but he says the company bases such decisions on the following criteria: its own assessment of internal skills and resources, the relative cost of outsourcing versus keeping the work in-house, the need for segregation of duties, and risk assessments.

Without a dedicated IT security team at USTA (the function is among the responsibilities of its director of technology and operations), Bonfante relies on MSSPs to handle such tasks as Web monitoring and filtering, e-mail scanning and storage surveillance. He expects to outsource additional security functions in the coming year, though he’s not ready to outline specifics.

Pfeil says successful information-security outsourcing depends on CIOs understanding the vendor’s expertise. Failing to scrutinize a vendor’s specialties is an obvious, yet common, mistake. “Companies have to carefully review the specialty areas and also take the time to investigate the track record of a company they’re thinking of going with,” he says. Not every MSSP handles every type of security need. Just because a provider has a big name doesn’t mean it’s the best fit for your company, he cautions.

Once you do hire an outsourcer, it’s important to establish service-level agreements (SLAs) that define, for example, the number of incidents per month the MSSP needs to be able to spot and a game plan for dealing with these incidents. One provision Pfeil requires in any SLA is timetables dictating when the MSSP must notify the company of suspicious activity.

“We need to be notified within 10 minutes of this type of event, four hours for that kind of event,” Pfeil says. You also need meaningful penalties associated with failure to meet the deadlines, he adds. “If we see you not meeting agreements, I don’t pay my bill.”

The Way Forward

Our survey shows that despite the recent economic conditions, companies aren’t making drastic cutbacks in security. In fact, most of you neither cut nor deferred security expenditures. Looking ahead, 52 percent expect security spending to increase at least 10 percent in the next year; 9 percent plan to increase their spending by more than 30 percent.

Lobel notes that projected spending increases are never a given. Companies may approve a budget but wait until the last minute to free up the money because of continued economic uncertainty. But he expects to see a continuing increase in demand for better security as companies feel the pressure of regulatory compliance just as they offer more services online.

“There is pent-up demand for investments in things like application and mobile security,” Lobel says. “When they green-light the actual spending, you’ll see things really take off.”

When that happens, global IT security will take another step forward.

How We Got the Numbers

By Research Manager Carolyn Johnson

The Global Information Security Survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from February 19 to April 30, 2010. CIO and CSO print and online readers and clients of PricewaterhouseCoopers from around the globe were invited to take the survey. Results are based on responses from 12,847 security and IT professionals from more than 100 countries. The largest share of respondents (37 percent) came from Asia, followed by Europe (30 percent), North America (17 percent), South America (14 percent) and the Middle East and South Africa (2 percent).

Follow Senior Editor Bill Brenner on Twitter: @BillBrenner70.