<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-244710282852357590</atom:id><lastBuildDate>Sun, 03 Aug 2008 21:26:32 +0000</lastBuildDate><title>practical risk management</title><description /><link>http://www.security-works.com/blog/</link><managingEditor>noreply@blogger.com (Bryan)</managingEditor><generator>Blogger</generator><openSearch:totalResults>34</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/PracticalRiskManagement" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-6528182893552537340</guid><pubDate>Mon, 21 Jul 2008 21:34:00 +0000</pubDate><atom:updated>2008-07-21T16:43:43.223-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">ISO</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">security metric</category><category domain="http://www.blogger.com/atom/ns#">iso 17799</category><title>Seven steps to managing IT 
Risk</title><description>Came across this &lt;a href="http://www.pmportal.co.uk/content.asp?id=1812"&gt;overview of a Gartner&lt;/a&gt; research note recently.  It lays out seven recommended steps for managing risk. &lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Implement a framework for risk assessment and mapping.&lt;/li&gt;&lt;li&gt;Establish the responsibilities of risk managers and their areas of responsibility.&lt;/li&gt;&lt;li&gt;Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.&lt;/li&gt;&lt;li&gt;Determine the threat level, and focus on those risks with the highest impact on performance.&lt;/li&gt;&lt;li&gt;Establish levels of controls for processes commensurate with the perceived threat.&lt;/li&gt;&lt;li&gt;Record and retain risk incident and near-miss information.&lt;/li&gt;&lt;li&gt;Conduct periodic risk assessments to determine changes in the operational risk profile and assess control performance.&lt;/li&gt;&lt;/ul&gt;Great advice.  These seven steps are precisely what IT-GRC solutions should help an enterprise accomplish.  They provide the construct (think configuration wizard) for establishing and maintaining a quality risk management program.   If advancing your risk mitigation and management capabilities is on your company's priority list, or if you've recently been burned, take the time to check out some of our new product demonstration videos.  We strive to be transparent about what we offer with our software.  That's why our marketing isn't really "marketing"; it's live product in action.  
&lt;a href="http://security-works.com/metrics.html"&gt;Come check it out&lt;/a&gt;.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/aoCfEo-FnPM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/aoCfEo-FnPM/seven-steps-to-managing-it-risk.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/07/seven-steps-to-managing-it-risk.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-5706056588508961630</guid><pubDate>Sat, 31 May 2008 21:35:00 +0000</pubDate><atom:updated>2008-08-03T16:26:32.677-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><title>So now everyone is an IT GRC vendor</title><description>As a marketeer for a technology company, you work really hard to tease out the key points of differentiation and attempt to coin a segment that defines your being.  IT-GRC (short for Information Technology Governance, Risk &amp;amp; Compliance) is a term that started gaining momentum about a year ago.  At that time Gartner, Forrester, EMA and other research analyst firms started using it to describe exactly what Securityworks does.  
Next thing you know, customers are achieving tangible results from these solutions and the press begins writing articles about it.&lt;br /&gt;&lt;br /&gt;Then along come tangential segments that do 20-30% of what we do...and all of a sudden they are "IT-GRC" vendors, since it's the new "hot" term.&lt;br /&gt;&lt;br /&gt;Well, after all that hard work I have to simply say I love the candid &lt;a href="http://www.sysmannews.com/content/article.aspx?ArticleID=32188"&gt;article&lt;/a&gt; from Alex Handy over at Systems Management News.  A couple of quotes that say it perfectly...&lt;br /&gt;&lt;br /&gt;&lt;snip&gt;&lt;br /&gt;&lt;span id="ctl00_content_PlaceHolder_articleBody_Label" class="arial_14_16 normalLink"&gt;When Jonathan Penn, research director at Forrester, walked around April's RSA conference, he was appalled by what he saw. “The vendors are destroying what's a very useful approach by claiming for themselves. If you're not an ITGRC vendor, just shut up,” said Penn.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span id="ctl00_content_PlaceHolder_articleBody_Label" class="arial_14_16 normalLink"&gt;“ITGRC is an incredibly valuable approach to security,” said Penn. “What I like about it is it's a good way to structure what IT does. But it's much more a practice than a product. The tools that manage things at a high level, those are the ITGRC products.”&lt;/span&gt;&lt;br /&gt;&lt;/snip&gt;&lt;br /&gt;&lt;br /&gt;We completely agree.  No single product can encompass IT-GRC.  Our product is a good foundation, but what's so very important is the people, process and technology that mold around our product.  
This includes the integration points with other security products into a unified view of your overall security program, not those products calling themselves IT-GRC.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/yw4CZvUaLQw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/yw4CZvUaLQw/so-now-everyone-is-it-grc-vendor.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/06/so-now-everyone-is-it-grc-vendor.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-4973197044453680072</guid><pubDate>Thu, 24 Apr 2008 21:32:00 +0000</pubDate><atom:updated>2008-04-24T17:08:56.734-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">ITIL</category><category domain="http://www.blogger.com/atom/ns#">CobiT</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">security metric</category><title>Evolution of IT Security to Risk; driving IT GRC acceptance?</title><description>A great summary by Michael Rasmussen of Corporate Integrity on the &lt;a href="http://corp-integrity.blogspot.com/2008/04/2008-grc-drivers-trends-market.html"&gt;2008 State of the GRC market&lt;/a&gt; was posted earlier this month.&lt;br /&gt;&lt;br /&gt;I believe the title of one of the sections itself summarizes one of the biggest benefits of GRC: "GRC is About Organization Collaboration."  
He is 100% correct from my perspective: independent of the people, technology and process, GRC solutions are about using software automation to help enterprises collaborate to reduce their exposure in the three areas the letters of the acronym represent (Governance, Risk, Compliance).&lt;br /&gt;&lt;br /&gt;Now, GRC solutions can't and won't solve these problems alone.  They are part of an overall ecosystem of technical control products, best-practice processes and people (communication and expertise).  You still need your vulnerability management, SIEM, IDS/IPS, firewall and other security products.  You still need your COBIT, ISO, ITIL and other best-practice processes.  And of course, you still need the people who know the overall business goals and priorities and can apply their expertise to how IT can help achieve those goals.  GRC, as mentioned before, is the organizational collaboration construct that can bring all these complex areas together into a tight and cohesive Governance, Risk and Compliance strategy.&lt;br /&gt;&lt;br /&gt;Another article I came across highlights how some organizations are starting to elevate beyond operational security to a strategic, risk-centric culture.  Tim Wilson over at Dark Reading put out this great write-up yesterday, titled &lt;a href="http://www.darkreading.com/document.asp?doc_id=151738"&gt;Market's Message to Security Pros: Adapt or Die&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;&lt;span&gt;&lt;span&gt;"...the question now is not how precarious the security manager's job is, but what it may evolve into, Schmidt observed. "As it becomes more about risk, security is not necessarily an IT problem. 
More and more, you see companies creating positions such as chief risk officer, who may report to a chief operating officer, and in some cases, the CSO might report to the [risk officer]."&lt;br /&gt;-snip-&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This trend points directly at GRC solutions that can provide the common construct to help all aspects of the organization collaborate.  A decent analogy: what ERP was to the CFO, GRC is to the CRO.&lt;br /&gt;&lt;br /&gt;One last article also points to the trend of moving operational security tasks back into IT operations, with security analysts evolving into internal risk consultants to the IT organization: this &lt;a href="http://srmsblog.burtongroup.com/2008/04/operationalizin.html"&gt;blog from Trent Henry over at Burton Group&lt;/a&gt;.  Once these "risk consultants" exist, GRC provides the collaborative platform for the more strategic initiatives mentioned: policy, risk &amp;amp; compliance monitoring, assessment program development, etc.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/ipcgzDA6g38" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/ipcgzDA6g38/evolution-of-it-security-to-risk.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/04/evolution-of-it-security-to-risk.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-4832163538818457380</guid><pubDate>Tue, 08 Apr 2008 18:41:00 +0000</pubDate><atom:updated>2008-04-08T13:49:03.395-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">compliance survey</category><title>Circumventing 
Enterprise Security Policies</title><description>&lt;a href="http://www.darkreading.com/document.asp?doc_id=150112"&gt;Interesting article&lt;/a&gt; on how employees are circumventing IT security department policies. &lt;br /&gt;&lt;br /&gt;This, of course, exposes the company to IT GRC concerns (Governance, Risk &amp;amp; Compliance).  A couple of hard numbers jumped out at me.&lt;br /&gt;&lt;br /&gt;&lt;span&gt;&lt;span&gt;"80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user's identity and surfing habits from IT monitoring tools."&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;"...half of the enterprises studied by Palo Alto are supporting Tor or other methods for encrypted "tunneling" through the corporate network. Tunneling enables the user to bypass IT traffic enforcement mechanisms."&lt;br /&gt;&lt;br /&gt;A comprehensive security policy starts from the top down with an IT-GRC solution.  It then incorporates all the scoring, controls and assessment automation products into a unified view to help expose situations like those identified in this study.  
Once exposed and the risks understood, the priorities can be set to help quickly resolve these issues.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/LFGQFY1qm0w" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/LFGQFY1qm0w/circumventing-enterprise-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/04/circumventing-enterprise-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-3502193604858000581</guid><pubDate>Mon, 24 Mar 2008 13:34:00 +0000</pubDate><atom:updated>2008-03-24T09:19:27.288-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">non-technical</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">security metric</category><category domain="http://www.blogger.com/atom/ns#">non-technical controls</category><title>Nice GRC write-up and how it relates to log management initiatives</title><description>Anton wrote a nice piece, called "&lt;a href="http://www.scmagazineus.com/Unified-GRC-Replacing-a-piecemeal-response-to-compliance/article/108090/"&gt;Unified GRC: Replacing a piecemeal response to compliance&lt;/a&gt;" for SC Magazine defining GRC and how it fits together with other areas of security and prevention management.  
The article, as expected, has a major slant toward log management, but it is a very good summary that also highlights other key capabilities and areas important to GRC. &lt;br /&gt;&lt;br /&gt;Even though most security vendors are marketing IT Risk Management, many customers are beginning to realize there is a new breed of software products that complements your vulnerability, log and configuration security solutions.  These IT GRC products normalize the various regulatory or standards controls into a common framework and then pull scores/results/data from those products into that model, alongside data gathered on controls that can't be instrumented with software (e.g., people, processes, procedures, physical).  &lt;a href="http://www.security-works.com/blog/2007/12/users-continue-to-ignore-security.html"&gt;As mentioned in previous posts&lt;/a&gt;, without this other side of the coin you're not getting a complete picture of risk/compliance/governance. &lt;br /&gt;&lt;br /&gt;So if you've already made investments in these other products but need something to pull them together into a unified view and are looking to get the complete picture, come check out IT GRC.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/l8ZEfgA0XNo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/l8ZEfgA0XNo/nice-grc-write-up-and-how-it-relates-to.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/03/nice-grc-write-up-and-how-it-relates-to.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-8781229859487041395</guid><pubDate>Mon, 17 Mar 2008 15:35:00 +0000</pubDate><atom:updated>2008-03-17T10:48:36.966-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category 
domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>IT GRC is the next evolution for the Enterprise Security Organization</title><description>Great write-up and perspectives from the GRC guru, Michael Rasmussen: &lt;a href="http://corp-integrity.blogspot.com/2008/03/what-is-it-grc.html"&gt;What is IT GRC?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;Interestingly enough, I was at an event last week of a dozen senior IT executives and we discussed this concept of IT-GRC.  These were all Fortune 500 firms.  Going around the room each was &lt;span style="font-weight: bold;"&gt;spending on average 5-6% of their IT budget this year on IT-GRC&lt;/span&gt;. A few were lower than this in the 2-3% range while one, who was significantly working on their IT-GRC strategy, was spending about 12% of their IT budget on IT-GRC.&lt;br /&gt;-/snip-&lt;br /&gt;&lt;br /&gt;Bottom line: the solutions in the IT-GRC space continue to mature and evolve, BUT the truth is they can and will help save Fortune 500 IT security organizations money through automation today!  
There is no reason a Fortune 500 company should be spending this much of its IT budget on IT-GRC when these products significantly reduce the amount of manual labor (consultants) performing governance, risk &amp;amp; compliance duties.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/2T5GI1u393A" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/2T5GI1u393A/it-grc-is-next-evolution-for-enterprise.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/03/it-grc-is-next-evolution-for-enterprise.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-8743839718053222701</guid><pubDate>Mon, 10 Mar 2008 13:37:00 +0000</pubDate><atom:updated>2008-03-10T09:21:59.929-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">security metric</category><category domain="http://www.blogger.com/atom/ns#">controls</category><title>Great tutorial on Information Security Program Metrics</title><description>While reading a blog posting this morning I came across a great set of slides by Dan Geer called &lt;a href="http://geer.tinho.net/measuringsecurity.tutorial.pdf"&gt;"Measuring Security."&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Slide 15 nails the questions a security program should answer:&lt;br /&gt;How secure am I?&lt;br /&gt;Am I better off than this time last year?&lt;br /&gt;Am I spending the right amount of money?&lt;br /&gt;How do I compare to my peers?&lt;br /&gt;What risk transfer 
options do I have?&lt;br /&gt;&lt;br /&gt;Slide 36 has a great quote on "Risk Management":&lt;br /&gt;The essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcomes and the linkage between effect and cause is hidden from us.&lt;br /&gt;&lt;br /&gt;The next 300 slides are a ton of background detail...overkill until you're really ready to dig in.  I would simply recommend for now jumping to slide 402 to get to the punchline; here are some of the recommended metrics:&lt;br /&gt;&lt;br /&gt;• Cost of security per transaction&lt;br /&gt;• DoS and other attack downtimes&lt;br /&gt;• Data flow per transaction &amp;amp; per source&lt;br /&gt;• Budget correlation with risk measures&lt;br /&gt;• Comparison with like firms&lt;br /&gt;• Percentage of critical systems under DR plan&lt;br /&gt;• Percentage of systems obeying ______ policy&lt;br /&gt;• MTBF &amp;amp; MTTR for security incidents&lt;br /&gt;• Number of security team consultations&lt;br /&gt;• Latency to obey ______ change orders&lt;br /&gt;• Percentage of job reviews involving security&lt;br /&gt;• Percentage of security workers with training&lt;br /&gt;• Ratio of b.u. security staff to central staff&lt;br /&gt;• New system timely security consultations&lt;br /&gt;• Percentage of programs with budgeted security&lt;br /&gt;• Percentage of SLAs with security standards&lt;br /&gt;• Percentage of tested external-facing applications&lt;br /&gt;• Number of non-employees with access&lt;br /&gt;• Percentage of data secure-by-default&lt;br /&gt;• Percentage of customer data outside data center&lt;br /&gt;&lt;br /&gt;While all this detail is extremely important, the beautiful thing about what Securityworks offers is that it has built a method to normalize any and all metrics into a single score.  
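
As an added illustration (example code written for this post, not Securityworks' product code or its scoring method), here is one way such a roll-up of security metrics into a single score can be built: each raw measurement is normalized to a 0-100 score, the scores are weighted into their parent control area, the areas are weighted into a program-level score, and the result can be drilled back down area by area. Two of the metrics from the list above, MTBF and MTTR for security incidents, are computed from incident open/close times. The control areas, weights, targets and the incident records are all constructed assumptions for the example.

```python
"""Added example: GPA-style roll-up of security metrics into one score.

Not Securityworks' code or scoring method. Weights, targets and the
incident records are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Metric:
    name: str
    score: float        # normalized 0-100, 100 meaning the target is fully met
    weight: float = 1.0


@dataclass
class Node:
    """A control area: its own metrics plus child areas, each weighted."""
    name: str
    weight: float = 1.0
    metrics: list = field(default_factory=list)
    children: list = field(default_factory=list)


def clamp(x):
    return max(0.0, min(100.0, x))


def pct_score(numerator, denominator):
    """'Percentage of X obeying policy' metrics: share of the population."""
    if denominator == 0:
        return 100.0        # empty population: nothing out of compliance
    return clamp(100.0 * numerator / denominator)


def target_score(value, target, higher_is_better):
    """Score a raw measurement against a target, capped at 100."""
    if higher_is_better:
        return clamp(100.0 * value / target) if target else 100.0
    return clamp(100.0 * target / value) if value else 100.0


def mtbf_mttr_hours(incidents):
    """incidents: (opened, closed) datetime pairs sorted by opened time.
    MTBF = mean gap between consecutive incident starts,
    MTTR = mean time from open to close, both in hours."""
    opened = [o for o, _ in incidents]
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(opened, opened[1:])]
    ttr = [(c - o).total_seconds() / 3600 for o, c in incidents]
    return (mean(gaps) if gaps else 0.0, mean(ttr) if ttr else 0.0)


def rollup(node):
    """Weighted average of a node's metrics and its children's scores.
    Returns (score, detail); detail is a nested dict for drill-down."""
    parts = [(m.score, m.weight) for m in node.metrics]
    detail = {m.name: round(m.score, 1) for m in node.metrics}
    for child in node.children:
        child_score, child_detail = rollup(child)
        parts.append((child_score, child.weight))
        detail[child.name] = child_detail
    total_weight = sum(w for _, w in parts)
    score = sum(s * w for s, w in parts) / total_weight if total_weight else 0.0
    detail["_score"] = round(score, 1)
    return score, detail


def build_sample_program():
    """Constructed sample data (assumed, not measured anywhere)."""
    t0 = datetime(2008, 3, 1, 9, 0)
    incidents = [
        (t0, t0 + timedelta(hours=4)),
        (t0 + timedelta(days=10), t0 + timedelta(days=10, hours=2)),
        (t0 + timedelta(days=25), t0 + timedelta(days=25, hours=6)),
    ]
    mtbf, mttr = mtbf_mttr_hours(incidents)
    operations = Node("operations", weight=2.0, metrics=[
        Metric("pct_systems_obeying_patch_policy", pct_score(180, 200)),
        Metric("pct_critical_systems_under_DR_plan", pct_score(45, 50), weight=2.0),
        Metric("mtbf_security_incidents", target_score(mtbf, 24 * 30, True)),  # target: 30 days
        Metric("mttr_security_incidents", target_score(mttr, 4.0, False)),     # target: 4 hours
    ])
    people = Node("people_and_process", metrics=[
        Metric("pct_security_workers_with_training", pct_score(8, 10)),
        Metric("pct_programs_with_budgeted_security", pct_score(3, 10)),
    ])
    return Node("security_program", children=[operations, people])


if __name__ == "__main__":
    import json
    score, detail = rollup(build_sample_program())
    print(json.dumps(detail, indent=2))
```

The drill-down dict keeps every intermediate score, so a low program-level number can be traced to the area and then to the individual metric that dragged it down; the weights are where the judgment lives, and they should be reviewed as deliberately as the metrics themselves.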
Think of it as your grade point average, where you then have the ability to drill down from the top and see how you're doing for each subject, on each test, homework assignment, etc.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/alt5w7OAEVc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/alt5w7OAEVc/great-tutorial-on-information-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/03/great-tutorial-on-information-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-578626573587193945</guid><pubDate>Mon, 03 Mar 2008 13:51:00 +0000</pubDate><atom:updated>2008-03-03T08:18:59.153-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">non-technical</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">non-technical controls</category><category domain="http://www.blogger.com/atom/ns#">controls</category><title>Going beyond technical security controls</title><description>Anton last week had this great write-up in ComputerWorld, &lt;a href="http://www.computerworld.com/action/article.do?command=printArticleBasic&amp;amp;articleId=9065202"&gt;"Five Basic Mistakes of Security Policy,"&lt;/a&gt; which hits the five basics that so many busy executives look past when leading a security organization.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Not having a policy&lt;/li&gt;&lt;li&gt;Not updating the policy&lt;/li&gt;&lt;li&gt;Not 
tracking compliance with the policy&lt;/li&gt;&lt;li&gt;Having a "tech only" policy&lt;/li&gt;&lt;li&gt;Having a large, unwieldy policy&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;One of the biggest we see every day is #4.  Most enterprises have some policy in place that they update (typically annually, before a pending audit).  Their current compliance tracking is provided by one or more software products that unfortunately don't have the full picture.&lt;br /&gt;&lt;br /&gt;The reason why comes down to #4.  Traditionally, enterprises have thrown a vulnerability scanner, a security event/log manager or another security software application at a list of IP-addressable assets...generated a few reports...and hoped they have things covered.&lt;br /&gt;&lt;br /&gt;Truth be told, this misses so much of the full picture (&lt;a href="http://www.security-works.com/blog/2007/12/users-continue-to-ignore-security.html"&gt;over 50% per previous blog posts&lt;/a&gt;) that even the internal or external auditors don't have enough time to do a comprehensive review.  The goal of those auditors is not a "witch hunt"; it's supposed to be to protect the company!  So what happens is that each year things get more and more detailed (which is good) as findings from the prior year are addressed, allowing them to "peel the onion" back another layer.&lt;br /&gt;&lt;br /&gt;This is why we are seeing the emergence of the IT GRC market, which complements and extends the products you point at IP-addressable assets.  These solutions use automation techniques to assess security controls around things that are not IP-addressable (e.g., people, processes, facilities).  The other thing these products offer is a normalized, unified view of the entire security program.  
Leveraging scoring from other products, they finally make it possible to get full visibility into the posture of your entire IT security, risk or compliance program.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/TnYmNs-_v5A" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/TnYmNs-_v5A/going-beyond-technical-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/03/going-beyond-technical-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-6279780990035304826</guid><pubDate>Mon, 25 Feb 2008 14:28:00 +0000</pubDate><atom:updated>2008-02-25T09:30:01.900-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">non-technical</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">ISO</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">non-technical controls</category><category domain="http://www.blogger.com/atom/ns#">iso 17799</category><title>Top 3 conclusions about IT Risk Management we like hearing</title><description>I read a nice summary of a recent Symantec 40-page survey on IT Risk Management and felt compelled to share the links and highlights that jump out.  
Symantec was recently noted as a &lt;a href="http://www.security-works.com/blog/2008/02/gartner-it-grc-predictions.html"&gt;leader in IT-GRC per this Gartner report&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The summary I read was posted by &lt;a href="http://www.itsecurity.com/features/risk-management-myths-realities/"&gt;John Edwards over at ITSecurity.com.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here are the conclusions that grabbed our eye:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Businesses would be far better served if they viewed security as an IT risk management element that can be addressed alongside other critical elements, such as availability, performance and compliance.&lt;/li&gt;&lt;li&gt;Technology alone can't mitigate IT risk. While technology plays a critical role in IT risk mitigation, balanced controls and frameworks are also necessary in order to provide complete risk management capabilities.&lt;/li&gt;&lt;li&gt;Management should consider implementing a continuous risk assessment process.&lt;/li&gt;&lt;/ul&gt;&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/F845jbo6zUU" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/F845jbo6zUU/top-3-conclusions-about-it-risk.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/02/top-3-conclusions-about-it-risk.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-3545779830103847669</guid><pubDate>Wed, 20 Feb 2008 14:57:00 +0000</pubDate><atom:updated>2008-02-20T09:10:24.090-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">compliance 
survey</category><title>PCI Compliance not going away - 42% not compliant</title><description>My inbox, like yours, is filled with numerous advertisements and spam on a daily basis, but this one actually grabbed my attention!  It started out by saying:&lt;br /&gt;&lt;br /&gt;"according to VISA, 42% of large and medium-sized US merchants did not reach their respective PCI compliance deadlines.  The penalty of non-compliance is merchants incur monthly fines (up to $25,000) until they meet and sustain data security compliance requirements."&lt;br /&gt;&lt;br /&gt;Now that is some attention-grabbing marketing, and I plan to be on that &lt;a href="http://presentations.inxpo.com/Shows/TechTarget/03-12-08/Registration/home.htm"&gt;virtual seminar.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Almost half (and that's not a stacked number including small US merchants) is a very surprising number.  I looked around trying to find information behind the survey results, but to no avail, so I'll be listening on the call for some details and facts to back it up.  
Since our IT GRC solution helps an enterprise reach and sustain compliance with regulations like this one, I would like to hear what the top 2 or 3 reasons are that they aren't yet compliant, to see if they map to what we are hearing.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/luVugHSaw8s" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/luVugHSaw8s/pci-compliance-not-going-away-42-not.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/02/pci-compliance-not-going-away-42-not.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-6466360596080658016</guid><pubDate>Wed, 13 Feb 2008 17:30:00 +0000</pubDate><atom:updated>2008-02-13T12:01:43.938-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>Gartner IT GRC Predictions</title><description>I just had a chance to take a look at some recent research put out by Gartner on the IT Governance, Risk &amp;amp; Compliance Management space (IT-GRC).&lt;br /&gt;&lt;br /&gt;They do an artful job laying out the customer-desired capabilities and scoping the size of the market opportunity.&lt;br /&gt;&lt;br /&gt;A couple of key points to soak in:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;IT GRCM products provide functions that address needs expressed by&lt;span style="font-weight: bold;"&gt; 75% of the Gartner client base&lt;/span&gt;.&lt;/li&gt;&lt;li&gt;Gartner estimates that software license 
revenue for vendors...was $73million for 2007, and we project a growth rate of &lt;span style="font-weight: bold;"&gt;70% for 2008.&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;This reinforces previous posts with hard numbers that 2008 is indeed the year of IT Risk Management.  Here are links to those previous posts...&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management.html"&gt;2008 - The Year of IT Risk Management&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management-part-2.html"&gt;2008 - The Year of IT Risk Management, Part 2 - Rise of IT GRC&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management-part-3.html"&gt;2008 - The Year of IT Risk Management, Part 3 - More and more GRC oriented predictions&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;br /&gt;I highly recommend heading up to Gartner's website and reading each report:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.gartner.com/DisplayDocument?id=600315&amp;amp;ref=g_fromdoc"&gt;MarketScope for IT Governance, Risk and Compliance Management, 2008&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gartner.com/DisplayDocument?id=600307&amp;amp;ref=g_fromdoc"&gt;Critical Capabilities for IT GRCM Tools&lt;span style=";font-family:Times New Roman;font-size:100%;"  &gt; &lt;/span&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; Then come take a look at how Securityworks can help solve your IT-GRC needs by accomplishing those defined needs and capabilities.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/l0wjVa7hTic" height="1" 
width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/l0wjVa7hTic/gartner-it-grc-predictions.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/02/gartner-it-grc-predictions.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-6867125357407094085</guid><pubDate>Mon, 04 Feb 2008 13:27:00 +0000</pubDate><atom:updated>2008-02-04T08:15:33.109-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>What is GRC vs. IT GRC - How does it help IT Security mature to the next level?</title><description>AMR Research shows that total &lt;a href="http://www.amrresearch.com/Content/View.asp?pmillid=20204"&gt;GRC spending approached $30B last year&lt;/a&gt;.  The technology portion (e.g., software, hardware &amp;amp; integration services) of that spending is around a third of it (approximately $10B).&lt;br /&gt;&lt;br /&gt;GRC is a very broadly defined space - very broad!  To gain a better understanding and appreciation for that, &lt;a href="http://www.corp-integrity.com/grc_perspectives/documents/GRCEcoSystemMap.pdf"&gt;here is a newly released map&lt;/a&gt; that identifies various areas and their relationships.&lt;br /&gt;&lt;br /&gt;Another AMR Research note talks about the current &lt;a href="http://www.amrresearch.com/Content/View.asp?pmillid=20065"&gt;maturity point of Enterprises implementing GRC&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So where does Securityworks play in this "GRC Ecosystem?"  
We are coming at it through the eyes of an IT Security Executive.&lt;br /&gt;&lt;br /&gt;Our goal - How can we make the IT audit process more efficient and less frustrating for the IT security organization?  When you look back at the model above we fit in the area called "IT GRC", which leverages/complements current IT security management investments (e.g., vulnerability scanning, configuration policy management, SIEM) to accomplish this.  If your enterprise already leverages these products then it's ready for the next step in the maturity curve, which is IT GRC.  Just to get an idea of some of the unique capabilities that extend your current IT Security investments please check out our &lt;a href="http://security-works.com/?page_id=59"&gt;newly posted product demos&lt;/a&gt;.  Live product in action, no sign-up requirements, etc.  Just pure knowledge.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/A-60hRRUnH4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/A-60hRRUnH4/what-is-grc-vs-it-grc-how-does-it-help.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/02/what-is-grc-vs-it-grc-how-does-it-help.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-8266465217370037825</guid><pubDate>Mon, 28 Jan 2008 13:34:00 +0000</pubDate><atom:updated>2008-01-28T09:38:29.398-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">qualitative</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category 
domain="http://www.blogger.com/atom/ns#">compliance survey</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">quantitative</category><title>Compliance costs not slowing down - technology automation to the rescue</title><description>&lt;a href="http://www.deloitte.com/dtt/cda/doc/content/us_fsi_NavigatingCompLabyrinth1-08.pdf"&gt;Deloitte - Navigating the Compliance Labyrinth&lt;/a&gt; offers some great tidbits from recent surveying of financial executives.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Compliance costs continue to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.&lt;/li&gt;&lt;li&gt;Primary costs continue to be driven by applying people, not technology, to the problem.&lt;/li&gt;&lt;li&gt;And the kicker, from our perspective: measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM).  &lt;span style="font-weight: bold;"&gt;The bottom line is taking a process management based approach with technology. 
&lt;/span&gt;  Commercial solutions (not home-grown) give enterprises the opportunity to leverage technology automation to reduce the number of people doing mundane/manual tasks, with the result of reduced compliance costs!&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/SyuvOl8YU2Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/SyuvOl8YU2Q/compliance-costs-not-slowing-down.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/compliance-costs-not-slowing-down.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-5124374430903016845</guid><pubDate>Mon, 21 Jan 2008 13:51:00 +0000</pubDate><atom:updated>2008-01-21T08:06:33.326-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">ID Theft Prevention</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">controls</category><title>Another security breach, but this one is different...</title><description>Late last week I saw the news around local JC Penney's hit the wire - &lt;a href="http://www.scmagazineus.com/Data-of-650000-customers-of-JCPenney-other-retailers-at-risk-after-backup-goes-missing/article/104368/"&gt;"Data of 650,000 customers at risk.&lt;/a&gt;"   Now this situation appears completely different than TJX.  The data, and I assume the protection of that data, were outsourced. 
&lt;br /&gt;&lt;br /&gt;So this raises the question: should vendors providing services to enterprises that involve sensitive data be required to be certified against ISO 27001?&lt;br /&gt;&lt;br /&gt;Here is a &lt;a href="http://www.esj.com/Enterprise/article.aspx?EditorialsID=2957"&gt;great write-up/case study I came across of a vendor doing this&lt;/a&gt;.  Just like we expect vendors to achieve specific Service Level Agreements on availability, performance...shouldn't we be doing the same things around security and risk?&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/L7QjMHYxGY8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/L7QjMHYxGY8/another-security-breach-but-this-one-is.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/another-security-breach-but-this-one-is.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-594276781195973761</guid><pubDate>Wed, 16 Jan 2008 13:32:00 +0000</pubDate><atom:updated>2008-01-16T08:55:37.426-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">non-technical controls</category><category domain="http://www.blogger.com/atom/ns#">iso 17799</category><title>So much to read, so little time - Top Information Security Risks for 2008</title><description>Now this is impressive!  
It's going to take a while to read the supporting reference documents, but this summary is gold and from my perspective a must-read for IT Risk Management.&lt;br /&gt;&lt;br /&gt;In the primary summary document, "&lt;a href="http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf"&gt;Top Information Security Risks for 2008&lt;/a&gt;", we get an impressive laundry list of threats &amp;amp; vulnerabilities, their impacts, the risk and the controls.  Page 5 talks of specific risks, some of which can be addressed with various technical control products on the market, example: #2 - Information Leakage.  If you want to get down and dirty understanding these products, spend some time with Rich over at securosis, specifically his blog entries and the summary which formed this &lt;a href="http://securosis.com/publications/DLP-Whitepaper.pdf"&gt;white paper around understanding &amp;amp; selecting DLP solutions&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This section also highlights non-technical controls, audits, etc. in #5:  "poor information security studies, risk assessments, projects/assignments and/or staffing/organization, causing failed, wasted, excessive or otherwise inadequate controls and practices selection, implementation, performance measurement, monitoring and/or auditing." Wow, that's a mouthful! But this is exactly what IT GRC is all about.  By using these software platforms you can evolve from poor, ad hoc attempts at mitigating this risk and ensure your enterprise takes a comprehensive, top-down look at any and all potential risks and assesses their potential impact.  
If you then go down to #1 in the controls section of the document you will see what in my eyes is basically an advertisement for an IT GRC solution and the process around deploying it, "investment in a good and systematic ISMS (Information Security Management System) incorporating high quality information assurance processes..."&lt;br /&gt;&lt;br /&gt;A key statement back in #5 of the risks that I was surprised to see was the calling out of "excessive" controls.  This is something we at Securityworks (especially Bryan) are passionate about.  Some vendors in the IT GRC space believe in throwing the entire "book of controls" at it and you will be fine...we believe it's about making sure you have quality controls in place, not simply quantity.  Bryan has &lt;a href="http://www.security-works.com/blog/2007_09_01_archive.html"&gt;talked about this previously&lt;/a&gt;.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/FM9BSsV6SB8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/FM9BSsV6SB8/so-much-to-read-so-little-time-top.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/so-much-to-read-so-little-time-top.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-5996201728880576082</guid><pubDate>Tue, 15 Jan 2008 13:19:00 +0000</pubDate><atom:updated>2008-01-15T07:39:18.008-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category 
domain="http://www.blogger.com/atom/ns#">security</category><title>2008 - The Year of IT Risk Management, Part 3 - More and more GRC oriented predictions!</title><description>I keep thinking I'm going to be able to move on to other topics related to IT Risk &amp;amp; Compliance management, but it's hard to when my blog reader keeps popping up more and more articles and postings which talk about 2008 predictions and how GRC and IT GRC are going to be the "in thing" this year for IT Security groups. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.esj.com/Enterprise/article.aspx?EditorialsID=2956"&gt;IT &amp;amp; Compliance: 5 Big Predictions for 2008&lt;/a&gt; highlights "...Managerial evolutions, such as process-centric IT and better application of risk-management principles to information security management, will help companies refine and streamline IT governance and compliance."&lt;br /&gt;&lt;br /&gt;The post continues later with two of the five predictions hitting on capabilities or features of IT GRC products.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/WpM1iTSst9Y" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/WpM1iTSst9Y/2008-year-of-it-risk-management-part-3.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management-part-3.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-7293563111642791556</guid><pubDate>Fri, 11 Jan 2008 12:43:00 +0000</pubDate><atom:updated>2008-01-15T07:19:10.104-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category 
domain="http://www.blogger.com/atom/ns#">security</category><title>2008 - The Year of IT Risk Management, Part 2 - Rise of IT GRC</title><description>The drumbeat of customer success stories, industry partnerships, market predictions, etc. for IT Governance, Risk and Compliance Management (IT GRC) continues to get louder and louder.  Just caught this article over on TechTarget "&lt;a href="http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management.html"&gt;Security Management 2008 - What's in Store.&lt;/a&gt;"  About halfway through Mike highlights the GRC space.&lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;&lt;span class="a3"&gt; Hopefully, security professionals will finally come to grips with the discipline that is preparing for an audit, which will result in an opportunity for vendors that provide so-called GRC products -- glorified reporting and workflow packages meant to automate the compliance process. These products allegedly automate the data gathering and reporting processes, so managers don't have to spend days (or weeks) preparing for the audits. Clearly that is a problem for security professionals that should be doing something more productive than preparing for an audit. It pains me to think that we'll need to implement yet another point product to solve a problem, but it is what it is.&lt;br /&gt;-snip-&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Even though skeptical, I'll take that as an endorsement for GRC in 2008!  Mike, give us a shout if you would like a demo, a discussion and even an introduction to customers using it.&lt;br /&gt;&lt;br /&gt;2007 was a great year of education on the value of IT GRC and we hope/expect 2008 to be where customer implementations of this security automation take off!  
The ROI and team efficiency gains are tremendous, and it also reduces the headaches and frustrations security team members get when having to prepare for audits.&lt;br /&gt;&lt;br /&gt;Oh yeah, here is part one of this blog series, "&lt;a href="http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management.html"&gt;2008 - The Year of IT Risk Management&lt;/a&gt;", just in case you missed it.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/nv1NxaaQ70Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/nv1NxaaQ70Q/2008-year-of-it-risk-management-part-2.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management-part-2.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-122750990321932916</guid><pubDate>Tue, 08 Jan 2008 18:50:00 +0000</pubDate><atom:updated>2008-01-08T19:27:41.113-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">ID Theft Prevention</category><category domain="http://www.blogger.com/atom/ns#">ID Red Flag</category><category domain="http://www.blogger.com/atom/ns#">FACTA</category><title>How aware are your employees on IT security and risk policies?</title><description>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.security-works.com/blog/uploaded_images/redflag-793627.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://www.security-works.com/blog/uploaded_images/redflag-793625.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Nice read that 
highlights &lt;a href="http://www.bankinfosecurity.com/articles.php?art_id=669"&gt;10 areas of risk that should be in focus for 2008&lt;/a&gt;.   One that really jumped out, which we are starting to hear more about here in the IT-GRC space, is awareness and training of employees on security and risk situations.&lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;&lt;b&gt;Employee and Customer Awareness&lt;/b&gt; It’s something everyone intends to do – better educate their employees and customers about the security threats that are facing institutions and customers. Now with the ID Theft Red Flags, it’s also been pushed to the top of the compliance list. Institutions by Nov. 1 must have a written program showing how they are educating their employees and customers about identity theft. &lt;p&gt;American Banker Association’s Doug Johnson, senior policy advisor for the largest industry association, lists this as one of the top risk management issues for 2008. “Increasing your institution’s security awareness pays off in several ways -- employees learn how to protect the data they’re working with, and their awareness reduces the threat of the insider threat (either malicious or unintentional),” says Johnson. Many times the malicious insider can be stopped, if the people working with them are trained and are aware of the red flags that show the work habits and behaviors of a malicious insider. Do your employees know what to look for, what indicators there are that an insider is doing something on your networks or to your institution’s data?&lt;br /&gt;-snip-&lt;/p&gt;&lt;p&gt;A new thing to many that was mentioned here was "ID Red Flags."  Federal ID Red Flags are supposed to be in place by November 1, 2008 (about 10 months from now).  These rules (&lt;a href="http://www.bankinfosecurity.com/regulations.php?reg_id=552"&gt;announced in November&lt;/a&gt;) implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.  
Basically, each financial institution’s Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Part of this process is prevention.  One of the best ways to prevent something is through education, for example by having automated capabilities that require each employee to read what is expected of them in helping prevent identity theft.  IT-GRC automation can help here by automating policy dissemination and acceptance tracking for owners of any company IT resource that may contain consumer identity information (e.g., from server owners, to laptop owners and beyond).&lt;br /&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/deH0ReyWRnA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/deH0ReyWRnA/how-aware-your-employees-on-it-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/how-aware-your-employees-on-it-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-7734171841488415239</guid><pubDate>Fri, 04 Jan 2008 13:23:00 +0000</pubDate><atom:updated>2008-01-04T08:43:58.820-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it grc</category><category domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">iso 27001</category><category domain="http://www.blogger.com/atom/ns#">grc</category><category domain="http://www.blogger.com/atom/ns#">ISO</category><category domain="http://www.blogger.com/atom/ns#">iso 
17799</category><category domain="http://www.blogger.com/atom/ns#">controls</category><title>2008 - The Year of IT Risk Management?</title><description>I've been busy over the holidays enjoying everyone's blogs and articles recapping 2007 and making predictions for 2008.  Among other things highlighted in those articles, a common point relevant to Securityworks is "true" IT Risk Management (what I mean by "true" is the message is coming from companies who didn't adjust their marketing to be en vogue - e.g., SIEM products or Vulnerability Assessment products).&lt;br /&gt;&lt;br /&gt;Before IT Risk Management was "cool", Securityworks was out there working away on it (for over 4 years now).&lt;br /&gt;&lt;br /&gt;One of my favorites that highlights this prediction for 2008 is over at &lt;a href="http://rationalsecurity.typepad.com/blog/2007/12/and-now-some-us.html"&gt;Rational Survivability&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Compliance stops being a dirty word  &amp;amp; Risk Management moves beyond buzzword&lt;/strong&gt;&lt;br /&gt;Today we typically see the role of information security described as blocking and tackling; focused on managing threats and vulnerabilities balanced against the need to be "compliant" to some arbitrary set of internal and external policies.  In many people's assessment then, compliance equals security.  This is an inaccurate and unfortunate misunderstanding.&lt;br /&gt;&lt;br /&gt;In 2008, we'll see many of the functions of security -- administrative, policy and operational -- become much more visible and transparent to the business and we'll see a renewed effort placed on compliance within the scope of managing risk because the former is actually a by-product of a well-executed risk management strategy.&lt;br /&gt;&lt;br /&gt;We have compliance as an industry today because we manage technology threats and vulnerabilities and don't manage risk.  
Compliance is actually nothing more than a way of forcing transparency and plugging a gap between the two.  For most, it's the best they've got.&lt;br /&gt;&lt;br /&gt;What's traditionally preventing the transition from threat/vulnerability management to risk management is the principal focus on technology with a lack of a good risk assessment framework and thus a lack of understanding of business impact.&lt;br /&gt;&lt;br /&gt;The availability of mature risk assessment frameworks (OCTAVE, FAIR, etc.) combined with the maturity of IT and governance frameworks (CoBIT, ITIL) and the readiness of the business and IT/Security cultures to accept risk management as a language and actionset with which they need to be conversant will yield huge benefits this year.&lt;br /&gt;&lt;br /&gt;-snip-&lt;br /&gt;&lt;br /&gt;Well said (but then again I'm biased)!&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/omhFc5gUELU" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/omhFc5gUELU/2008-year-of-it-risk-management.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2008/01/2008-year-of-it-risk-management.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-3306822109111576602</guid><pubDate>Fri, 28 Dec 2007 15:21:00 +0000</pubDate><atom:updated>2008-01-04T08:42:36.141-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">ISO</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">non-technical controls</category><title>IT Risk Management vs. 
Information Security survey</title><description>I was playing catch-up on blog reading and came across this interesting post by a favorite blogging colleague of mine, Anton Chuvakin, "&lt;a href="http://chuvakin.blogspot.com/2007/12/review-of-my-2007-security-predictions.html"&gt;Review of my 2007 Security Prediction: Too Wimpy&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;Prediction #4 about Risk Management led to some very &lt;a href="http://chuvakin.blogspot.com/2007/12/more-on-security-vs-risk.html"&gt;intriguing survey results&lt;/a&gt;.  Here is a copy of the graphic from those results which says it all...&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.security-works.com/blog/uploaded_images/riskvssecurity-787193.jpg"&gt;&lt;img style="cursor: pointer;" src="http://www.security-works.com/blog/uploaded_images/riskvssecurity-787190.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="text-decoration: underline;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;A personal point I can add here is that this actually makes some sense to me.&lt;br /&gt;&lt;br /&gt;Here at Securityworks we are 100% focused on talking IT Risk Management.  When I talk with customers they are usually talking (strategic = risk) vs. (tactical = security).  Another thing to realize is that IT risk encompasses more than technical control monitoring/management solutions (&lt;a href="http://www.security-works.com/blog/2007/12/users-continue-to-ignore-security.html"&gt;that is only 50% of the scope as discussed in my previous post)&lt;/a&gt;.  IT Risk also spans people &amp;amp; processes (e.g., non-technical controls).  
Since that typically requires getting into process improvement, it is naturally discussed as a strategic initiative due to the time/effort associated with it.&lt;br /&gt;&lt;br /&gt;So now with 2007 ending and looking ahead to 2008 we should be trying to use this opportunity to be more strategic before tactical day-to-day tasks re-consume us.  IT-GRC solutions (which is what Gartner, Forrester, etc. are calling these solutions) help you do this!  So go ahead, take a look...this is going to be a hot area for 2008 based on what I'm seeing and hearing for a variety of reasons.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/f1ujeS52LuM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/f1ujeS52LuM/it-risk-management-vs-information.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/it-risk-management-vs-information.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-2349927300241101382</guid><pubDate>Thu, 27 Dec 2007 17:37:00 +0000</pubDate><atom:updated>2008-01-04T08:41:22.187-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">healthcare</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>Healthcare Best Practices Security Framework</title><description>We are excited to see this &lt;a href="http://www.scmagazineus.com/Health-industry-leaders-IT-players-seek-to-establish-Health-Information-Security-Framework/article/100185/"&gt;announcement &lt;/a&gt;about the formation of HITRUST (Health Information Trust Alliance).  It is a healthcare-vertical-specific initiative around establishing and collaborating on information security best practices.  
Why are we excited?  Our solution (along with other IT-GRC solutions) is specifically designed to enable major enterprises to consolidate, centralize and simply organize from the top down their Information Security Framework in an actionable, trackable way.&lt;img src="http://feeds.feedburner.com/~r/PracticalRiskManagement/~4/y-OIG56lY7o" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/y-OIG56lY7o/healthcare-best-practices-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/healthcare-best-practices-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-6472137189735721875</guid><pubDate>Thu, 20 Dec 2007 12:40:00 +0000</pubDate><atom:updated>2008-01-04T08:40:59.085-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">compliance</category><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">efficiency</category><title>Is Security about improving the operational efficiency of IT?</title><description>Just had the chance to check out &lt;a href="http://www.ey.com/Global/assets.nsf/International/EY_TSRS_GISS2007/$file/EY_TSRS_GISS2007.pdf"&gt;Ernst &amp;amp; Young's 10th Annual Global Information Security Survey:  Achieving a Balance of Risk &amp;amp; Performance&lt;/a&gt;.  It's a very detailed document that has a ton of great information.  
What caught my eye this morning were the answers to the question:&lt;br /&gt;&lt;br /&gt;What is driving information security?&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Compliance with regulations&lt;/li&gt;&lt;li&gt;Privacy and data protection&lt;/li&gt;&lt;li&gt;Improving IT and operational efficiency&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;The first two didn't really surprise me, but I found the last one really interesting.  After re-reading that section of the survey I found myself re-phrasing it a little into "Improving the operational efficiency of IT."  Hmmm, another independent point back to something I was &lt;a href="http://www.security-works.com/blog/2007/12/is-it-risk-management-union-of-it.html"&gt;pondering the other day&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;These days I'm personally more focused on the vendor side of software product life cycles (e.g., design, implement, test, feedback).  With that said, this smells very similar to the role a Quality Assurance/Testing organization plays for the Development organization.  While R&amp;amp;D is focused on understanding what needs to be built and attempting to deliver that capability ASAP, QA is always helping, or sometimes battling, R&amp;amp;D by finding problems/issues/exposure points, etc.&lt;br /&gt;&lt;br /&gt;The role of security, just like QA, is not to hinder its operational/development counterparts, but to help mitigate exposure/risk in a proactive way.  
Bottom line, it's been my experience that it's better to find a problem early than late (major cost savings, greater customer satisfaction, etc.).&lt;br /&gt;&lt;br /&gt;I may be out in left field here, but I'm simply pondering out loud the placement and priority given to Security/Risk/Compliance Management versus the overall purpose of the business.&lt;br /&gt;&lt;br /&gt;Take a look at the survey and please throw down in the comments what you found interesting.</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/g4xImW3glvU/is-security-about-improving-operational.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/is-security-about-improving-operational.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-1633957403007558063</guid><pubDate>Tue, 18 Dec 2007 13:32:00 +0000</pubDate><atom:updated>2008-01-04T08:40:19.374-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">it risk</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">security</category><title>Is IT Risk Management the Union of IT Security &amp; IT Operations?</title><description>This morning I read this statement from PCI Expert James DeLuccia IV and it struck a chord...&lt;br /&gt;&lt;br /&gt;&lt;snip&gt;-snip-&lt;br /&gt;"The best risk management initiatives don't simply protect data, they help the company to run more effectively," he said. "This is the case when equal consideration is given to areas like system continuity and service delivery that support operational measures. 
It's the blending of business necessity with core methods for data security that ensures overall risk management."&lt;br /&gt;&lt;snip&gt;-snip-&lt;br /&gt;&lt;br /&gt;Over the last couple of years I've read and heard about the pending convergence of Security &amp;amp; Operations Management, but we still haven't really seen it occur. With more and more attention being given to Risk, maybe it's right around the corner.&lt;br /&gt;&lt;br /&gt;Reading this snip reminded me of the emphasis applied to programs/organizations embracing TQM or other re-engineering practices back in the mid-1990's. Security and Operations Management are rooted in tactically solving pains: Operations focuses on keeping IT resources up and running, while Security focuses on protecting those IT resources. Those two ideals, from time to time, come into conflict. By taking a business-goals-driven, "quality-oriented" look at IT from the top down we may find a union between Operations &amp;amp; Security.&lt;br /&gt;&lt;br /&gt;The snip was found in the article &lt;a href="http://www.itcinstitute.com/display.aspx?ID=4664"&gt;"PCI Expert James DeLuccia IV Suggests Retailers Address Both Sides of Risk Management - Security and Business Availability"&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/xLcNBP5qTGE/is-it-risk-management-union-of-it.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/is-it-risk-management-union-of-it.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-8436337607531912031</guid><pubDate>Thu, 13 Dec 2007 12:37:00 +0000</pubDate><atom:updated>2008-01-04T08:39:29.417-06:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">non-technical</category><category 
domain="http://www.blogger.com/atom/ns#">it-grc</category><category domain="http://www.blogger.com/atom/ns#">risk</category><category domain="http://www.blogger.com/atom/ns#">compliance survey</category><category domain="http://www.blogger.com/atom/ns#">controls</category><title>Users continue to ignore security policies, while security organizations are overlooking non-technical controls</title><description>&lt;a href="http://www.itcinstitute.com/display.aspx?ID=4648"&gt;IT Compliance Institute had an article posted this morning that reinforces&lt;/a&gt; the point: "it's not the software/hardware/infrastructure/etc. but the people and processes that expose the biggest risks to a company."&lt;p&gt;The article doesn't reveal who/where the survey was taken, but it does highlight some key security items that people usually cut corners on.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Fifty-six percent said they had accessed office e-mail via a public wireless hotspot.&lt;/li&gt;&lt;li&gt;Fifty-two percent said they had accessed office e-mail via a public computer.&lt;/li&gt;&lt;li&gt;Eight percent admitted to having lost a mobile device containing corporate information.&lt;/li&gt;&lt;li&gt;Sixty-three percent admitted to sending corporate documents to their personal e-mail addresses so they could work at home.&lt;/li&gt;&lt;/ul&gt;There are security technologies out there (e.g., encryption, data leakage) that can help with each item, but the challenge is keeping up with the other IT technologies being deployed and the business demands/challenges the users are trying to productively solve. Bottom line, you can't bypass making sure you have the right policies, procedures and education in place for your users (aka non-technical controls).&lt;br /&gt;&lt;br /&gt;After reading this I decided to do some searching around for some type of survey numbers on technical vs. non-technical controls. 
I didn't see much out there but did come across this ("&lt;a href="http://csdl2.computer.org/comp/mags/sp/2007/01/j1036.pdf"&gt;Is Information Security Under Control&lt;/a&gt;") from the IEEE Computer Society, published in early 2007.&lt;br /&gt;&lt;br /&gt;The survey focused in on 80 of the highest quality security controls as determined by a group of experts. From that list of 80 there wasn't a place that specifically counted the number of non-technical vs. technical controls, BUT there were two very interesting graphs.&lt;br /&gt;&lt;br /&gt;The first one (figure 2 in the article - see below) showed the top 10 with the highest level of quality implementation. It revealed that 6 are technical controls and 4 are non-technical controls. Meanwhile, the second graphic (figure 3 in the article - see below) showed the bottom 10 related to quality of implementation. It revealed that 3 are technical while 7 are non-technical.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.security-works.com/blog/uploaded_images/bottomqualitycontrols-760776.jpg"&gt;&lt;img style="cursor: pointer;" src="http://www.security-works.com/blog/uploaded_images/bottomqualitycontrols-760772.jpg" alt="" border="0" /&gt;&lt;/a&gt;  &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.security-works.com/blog/uploaded_images/topqualitycontrols-768992.jpg"&gt;&lt;img style="cursor: pointer;" src="http://www.security-works.com/blog/uploaded_images/topqualitycontrols-768989.jpg" alt="" border="0" /&gt;    &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So just running crude numbers here shows 11 of those 20 were non-technical controls while 9 were technical controls.  The article goes on to make the statement "...we found that of all 80 practices surveyed, management controls (non-technical controls) had substantially lower implementation ratings than controls in the technical and operational categories... 
Organizations must realize that a large proportion of information security problems extend far beyond technology and learn to appreciate the role that less technical controls, such as policy development, play in minimizing security breaches' impact on mission-critical operations."&lt;br /&gt;&lt;br /&gt;So this raises the question, "when was the last time your security group considered software products that help with managing these non-technical controls instead of just technical controls?"  I've talked with numerous enterprises that have installed or are investigating various software products like Vulnerability Assessment, Patch/Configuration Management, Antivirus, SIEM, data leakage, etc.  Maybe it's time to do something for your non-technical controls also and consider adding IT-GRC products to that 2008 budget/priority list.</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/7fTvhmHIBGE/users-continue-to-ignore-security.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/users-continue-to-ignore-security.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-244710282852357590.post-2425229358197842964</guid><pubDate>Tue, 11 Dec 2007 12:38:00 +0000</pubDate><atom:updated>2007-12-11T07:01:01.482-06:00</atom:updated><title>Data &amp; Application Security demand continues to rise</title><description>If you don't have this blog marked in your RSS reader or linked from your blog roll, you are missing out!  The insights and candid perspectives are outstanding, and well worth the time to read and ponder: &lt;a href="http://securosis.com/"&gt;Rich Mogull's perspectives over at www.securosis.com&lt;/a&gt;.  
Here are some recent gems:&lt;br /&gt;&lt;br /&gt;Rich recently blogged about the &lt;a href="http://securosis.com/2007/12/10/data-and-application-security-will-drive-most-security-growth-for-the-next-3-5-years/"&gt;upcoming trend of data and application security driving security business growth in the next 3-5 years&lt;/a&gt;.  In that post he articulated the "rise of data security" through a very concise recap of why/how we came to where we are today.&lt;br /&gt;&lt;br /&gt;I must also give major kudos to his crack editing and spoof video on public sensitive data breaches, called &lt;a href="http://securosis.com/2007/12/02/data-breach-wars/"&gt;Data Breach Wars&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It's extremely entertaining for the first 60 seconds!!! Then unfortunately it starts to drag on a little (sorry Rich, maybe if the scrolling went faster).  It does drive home a key point: data breaches are not slowing down but increasing exponentially, and will continue to increase until enterprises take a more strategic, not just tactical, approach to Security, Risk &amp;amp; Compliance Management of their data and applications.</description><link>http://feedproxy.google.com/~r/PracticalRiskManagement/~3/87KpmJgJt8o/data-application-security-demand.html</link><author>noreply@blogger.com (Ryan Shopp)</author><feedburner:origLink>http://www.security-works.com/blog/2007/12/data-application-security-demand.html</feedburner:origLink></item></channel></rss>
