<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Software Associates. &#187; Business alignment</title>
	<atom:link href="http://www.software.co.il/tag/business-alignment/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.software.co.il</link>
	<description>Security and compliance specialists for medical device and healthcare companies</description>
	<lastBuildDate>Wed, 08 Feb 2012 06:36:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Ten steps to protecting your organization&#8217;s data</title>
		<link>http://www.software.co.il/2011/11/ten-steps-to-protecting-your-organizations-data/</link>
		<comments>http://www.software.co.il/2011/11/ten-steps-to-protecting-your-organizations-data/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 14:52:08 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Anti-Fraud]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Business alignment]]></category>
		<category><![CDATA[customer data protection]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[Enterprise information protection]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Identity theft]]></category>
		<category><![CDATA[Risk management]]></category>

		<guid isPermaLink="false">http://www.software.co.il/?p=4080</guid>
		<description><![CDATA[Here are 10 steps to protecting your organization&#8217;s privacy data and intellectual property. As a preface, begin with the understanding that you already have all the resources you need. Discussions with colleagues in a large forensics accounting firm that specializes in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I&#8217;ve suspected for a ...]]></description>
			<content:encoded><![CDATA[<p>Here are 10 steps to protecting your organization&#8217;s privacy data and intellectual property.</p>
<p>As a preface, begin with the understanding that you already have all the resources you need.</p>
<p>Discussions with colleagues in a large forensics accounting firm that specializes in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I&#8217;ve suspected for a long time. Armies of junior analysts working for the large accounting firms who have never seen or experienced a fraudulent event and are unfamiliar with your business operation are not a reasonable replacement for careful risk analysis by the business <strong>done by people who are familiar with the business.</strong></p>
<h3>Step #1 &#8211; Do not do an expensive business process mapping project.</h3>
<p>Many consultants tell organizations that they must perform a detailed business process analysis and build data flow diagrams of data and users who process data. This is an expensive task to execute and extremely difficult to maintain, and it can require a large quantity of billable hours. That&#8217;s why they tell you to map data flows. <em>The added value of knowing data flows inside your organization between people doing their job is arguable.</em> There are much better ways to protect your data without writing out a 7 digit check. Here is the first one you should try out. Select the 10 most valuable data assets that your company owns. For example &#8211; proprietary mechanical designs of machines, detailed financials of a private company being acquired, and details of competitive contracts with large accounts. In a few interviews with finance, operations, IT, sales and engineering, you can nail down those key assets. After you&#8217;ve done that, schedule a 1 hour meeting with the CFO and ask her how much each asset is worth in dollars. In general, the value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO in dollar terms &#8211; in terms of replacement cost, impact on sales and operational costs.</p>
<h3>Step #2 &#8211; Do not develop a regulatory compliance grid.</h3>
<p>There is no point in taking a non-value-added process and spending money making it more effective.</p>
<p>My maternal grandmother, who spoke fluent Yiddish, would yell at us &#8211; &#8220;grosse augen&#8221; &#8211; when we would pile too much food on our plates. &#8220;Grosse augen&#8221; (or as my folks put it) is having eyes that are bigger than your capacity. Yes, US publicly traded companies are subject to multiple regulations &#8211; if the company sells to customers and stores and processes PII (personally identifiable data) they will have to deal with PCI DSS 1.1, California State Privacy Law and Sarbanes-Oxley. PCI DSS 1.1 protects one asset &#8211; payment card number and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects &#8211; eliminating redundancy where possible by using commonality.<br />
Looking at all the corporate governance and compliance violations; cases such as Hannaford supermarkets and AOL &#8211; it&#8217;s clear that government regulation has not made America more competitive nor better managed.</p>
<h3>Step #3 &#8211; Identify the top 5 data assets in your business and valuate them</h3>
<p>I saw an article recently that linked regulatory compliance mandate and asset cost. Definitely not true &#8211; the value of an asset for a company is whatever operational management/CFO say it is. Asset value has nothing to do with compliance but it has everything to do with a cost effective risk control plan. For example &#8211; a company might think that whole disk encryption on all company notebook computers is a good idea &#8211; but if only 20 people have sensitive data &#8211; why spend 1 million dollars on mobile device data encryption when you can solve the problem for less than 5k?</p>
<h3>Step #4 &#8211; Do not store PII</h3>
<p>The absolutely <strong>worst</strong> thing you can do is a project to analyse the data retention and protection regulations that govern each of the sensitive data elements that need protecting, working with legal and compliance consultants who know the relevant regulations. VISA has it right. Don&#8217;t store credit cards and magnetic stripe data. It will not help the marketing guys sell more anyway &#8211; and you can give the money you save on some fancy database encryption software to the earthquake victims in Myanmar and China.</p>
<h3>Step #5 &#8211; Monitor your outsourcing vendors</h3>
<p>Despite the hype on trusted insiders, most data loss is from business partners. You can write a non-disclosure agreement with an outsourcing vendor and trust them, but you must verify their compliance and prevent unauthorized data leaks.</p>
<p>The best story I had in years was in a meeting with the VP internal audit at a medium-sized bank in Israel. He took a sales call with me and I pitched our extrusion prevention technology from Fidelis Security Systems as a way to protect their customer data. He said &#8211; look Danny, we don&#8217;t need technology &#8211; we&#8217;ve outsourced everything to a very large bank and their data center security is world-class. Two weeks later, the big bank had a serious data breach event (a high school student hacked into the internal network of the bank from a public Windows-based kiosk and helped himself to some customer lists). Two months later, the small bank was reported to be looking to get out of their outsourcing contract. Don&#8217;t rely on contracts alone &#8211; use people and DLP technology to detect data leakage.</p>
<h3>Step #6 &#8211; Do annual security awareness training but keep it short and sweet</h3>
<p>Awareness is great but like Andy Grove said &#8211; &#8220;A little fear in the workplace is not necessarily a bad thing&#8221;. Have everyone read, understand and sign a 1 page procedure for information security. Forget interview projects and expensive self-assessment systems &#8211; what salesman in his right mind will take time to fill out one of those forms &#8211; if he doesn&#8217;t update his accounts on salesforce.com? Install an extrusion detection system at the network perimeter. Prosecute violators in real time. Do random spot checks on the read-and-understand procedure. Give demerits to the supervisors and managers if their employees don&#8217;t pass the spot check.</p>
<h3>Step #7 &#8211; Calculate value at risk of your top 5 data assets</h3>
<p>ISO 27001 and PCI DSS 1.1 checklists are great starting points but they focus on whether a particular technology, policy or control has been implemented, and not whether these controls are cost-effective security countermeasures against internal and external attackers. Use <a href="http://www.software.co.il/pta">Practical Threat Analysis</a> with a PTA risk library for ISO 27001 or PCI DSS 1.1 and you will be able to build a cost-effective risk mitigation plan based on asset values, threat probabilities and estimated damage levels.</p>
<h3>Step #8 &#8211; Ask your vendors and colleagues difficult questions</h3>
<p>After you&#8217;ve done a practical threat analysis of your risk exposure to attacks on sensitive customer data and IP you will be in a better position than ever to know what policies, procedures and technologies are the most effective security controls. You&#8217;ll be in an excellent position to ask difficult questions and negotiate terms with your favorite vendor. While the attitude of many companies is to hold their data protection practices close to their chests, it is valuable to talk to your colleagues at other companies in the same market and get a sense of what they have done and how well the controls perform.</p>
<h3>Step #9 &#8211; Resist the temptation to do a customer data integration (CDI) project.</h3>
<p>Customer data is often stored in many applications and locations in a large organization. The knee-jerk reaction of IT is to do a big data integration project and get all the digital assets under one roof. There are three reasons why this is a terrible idea. (a) Most of these projects fail, overrun and never deliver the promised value. (b) If you do succeed in getting all the data in one place, it&#8217;s like waving a huge red flag to attackers &#8211; hey, come over here &#8211; we have a lot of sensitive data that is nicely documented and easily accessible. Companies with enterprise software systems such as SAP and Oracle Applications are three times more likely to be attacked. (c) Ask yourself &#8211; would Google have succeeded with a global data integration strategy?</p>
<h3>Step #10 &#8211; Prepare a business case for data loss prevention before evaluating products</h3>
<p>Despite claims that protecting data assets is strategic to an enterprise, and IT governance talk about business alignment and adding value &#8211; my experience is that most organizations will not do anything until they&#8217;ve had a fraud or data security event. The first step to protecting customer data and IP in any sized business, from an individual proprietorship to a 10,000 person global enterprise, is laying the case at the door of the company&#8217;s management. This is where executives need to take a leadership position &#8211; starting with a clear position on which data assets are important and how much they&#8217;re worth to the company.</p>
<p>Practical threat analysis is a great way to identify and assess threats to your business and evaluate the potential business impact in dollars and cents to your operation using best-practice risk models provided by the <a title="PTA Technologies" href="http://www.ptatechnologies.com" target="_blank">PTA Professional</a> threat modeling tool.</p>
<h3>In summary</h3>
<p>Software Associates specializes in helping medical device and healthcare software vendors achieve HIPAA compliance and protect customer assets and provides a full range of risk management services, from stopping fraud to ensuring regulatory compliance and enhancing your ability to serve your customers.</p>
<p>There are resources that help you turn information into insight such as <a title="Risk management from lexis/nexis" href="http://www.lexisnexis.com/risk/" target="_blank">Risk Management</a> from LexisNexis, <a title="Identify fraud solutions" href="http://www.lexisnexis.com/risk/solutions/trueid.aspx" target="_blank">Identity Fraud TrueID solutions</a> from LexisNexis that help significantly reduce fraud losses and <a title="Background checks" href="http://www.lexisnexis.com/backgroundchecks" target="_blank">Background Checks</a> from LexisNexis that deliver valuable insights that lead to smarter, more informed decisions and greater security for consumers, businesses and government agencies. For consumers, it&#8217;s an easy way to verify personal data, screen potential renters, nannies, doctors and other professionals, and discover any negative background information that could impact your employment eligibility. For businesses and government agencies, it is the foundation of due diligence. It provides the insight you need to reduce risk and improve profitability by helping you safeguard transactions, identify trustworthy customers and partners, hire qualified employees, or locate individuals for debt collections, law enforcement or other needs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/11/ten-steps-to-protecting-your-organizations-data/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What risks really count for your business?</title>
		<link>http://www.software.co.il/2008/11/what-risks-really-count-for-your-business/</link>
		<comments>http://www.software.co.il/2008/11/what-risks-really-count-for-your-business/#comments</comments>
		<pubDate>Sun, 02 Nov 2008 11:07:10 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Threat modeling]]></category>
		<category><![CDATA[Business alignment]]></category>
		<category><![CDATA[business threat modeling]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[SME]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=765</guid>
		<description><![CDATA[Is there a “black-box” security solution for the business? What risks really count for your business? No question is more important for implementing an effective program of security countermeasures. The management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the sources and cost of threats to the organization. We all depend ...]]></description>
			<content:encoded><![CDATA[<p>Is there a “black-box” security solution for the business?</p>
<p>What risks really count for your business? No question is more important for implementing an effective program of security countermeasures. The management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the sources and cost of threats to the organization.</p>
<p>We all depend on Web services and apps in order to run our business and make decisions, no matter how many employees we have. Whether we are self-employed and making wedding cakes or running a global business with 14,000 employees in 40 locations, we use information systems daily to buy, sell, pay and collect from customers.</p>
<p>The prevailing security model predicates defense in depth of our information systems and human operation.</p>
<p>The most common IT strategies are to mitigate risk with network and application security products that are <em><strong>reactive</strong></em> countermeasures; blocking network ports and services with Checkpoint firewalls, detecting known application exploits with Imperva database firewalls, or by blocking entry of malicious code to the network with a Fortigate IPS.</p>
<p>Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “black-box” security solution for the business? The answer is clearly no.</p>
<p>A reactive network defense tool such as a firewall cannot protect against exploitation of software defects, and an application firewall is no replacement for in-depth understanding of company-specific source code or system configuration vulnerabilities.</p>
<p><a title="Business Threat modeling" href="http://www.software.co.il/downloads/BusinessThreatModeling_4.0.pdf" target="_blank">Business Threat Modeling</a> is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.</p>
<p><a title="Business Threat modeling" href="http://www.software.co.il/downloads/BusinessThreatModeling_4.0.pdf" target="_blank">Business Threat Modeling</a> is based on four basic tenets:</p>
<ol>
<li>Risk analysis for production software</li>
<li>Quantitative evaluation and financial justification</li>
<li>Explicit communications between developers and security</li>
<li>Sustain continuous risk reduction</li>
</ol>
<p>You can download the <a title="Business Threat modeling" href="http://www.software.co.il/downloads/BusinessThreatModeling_4.0.pdf" target="_blank">Business Threat Modeling</a> methodology for free <a title="Business Threat modeling" href="http://www.software.co.il/downloads/BusinessThreatModeling_4.0.pdf" target="_blank">here</a> and decide for yourself what risks really count for your business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/11/what-risks-really-count-for-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk management &#8211; bringing brick and mortar security to IT</title>
		<link>http://www.software.co.il/2008/10/risk-management-bringing-brick-and-mortar-security-to-it/</link>
		<comments>http://www.software.co.il/2008/10/risk-management-bringing-brick-and-mortar-security-to-it/#comments</comments>
		<pubDate>Thu, 30 Oct 2008 13:35:24 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Business alignment]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[COSO]]></category>
		<category><![CDATA[Internal security]]></category>
		<category><![CDATA[Physical security]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=759</guid>
		<description><![CDATA[I was talking with a prospect yesterday who is an information security manager; extremely professional and creative at what he does. In the course of the conversation, I realized that there are fundamental differences in mentality between IT and Security practitioners. Back when I wrote COBOL/CICS applications for Tadiran Information systems &#8211; some of our ...]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Brick and mortar security" src="http://images.oldhouseweb.com/stories/bitmaps/10152/repairs.jpg" alt="" width="293" height="367" /> I was talking with a prospect yesterday who is an information security manager; extremely professional and creative at what he does. In the course of the conversation, I realized that there are fundamental differences in mentality between IT and Security practitioners.</p>
<p>Back when I wrote COBOL/CICS applications for Tadiran Information systems &#8211; some of our work looked like what these guys in the picture are doing &#8211; standing on a scaffold, patching bricks and praying that in the next rain, the parquet floor won&#8217;t get flooded.</p>
<p>Most <strong>IT professionals</strong> don&#8217;t write software anymore &#8211; they evaluate, implement, maintain and support packaged applications from vendors. Firms use enterprise systems like Oracle Applications. Oracle buys companies all the time and has a large, complex portfolio of add-on products used to improve functionality of Oracle Applications, stave off the competition and up-sell customers; with products like Oracle BI Applications.</p>
<p>The key phrase for IT professionals is <strong>predictable processes</strong> &#8211; making sure that the evaluation process is adhered to, making sure that the implementation process of a new module or system is executed in a uniform and timely fashion (I learned these buzz words at Intel almost 20 years ago&#8230;). The most important thing (and this relates to security as well) is to ensure that the execution of business functions by people using the system also conforms to the company business process.</p>
<p><strong>Security professionals</strong> don&#8217;t write software either &#8211; many do Perl and TCL scripting, and here and there a few write C code to generate custom packets for network hacking etc&#8230; Although many infosec people come from a software development background, most of the work is about specifying, evaluating and implementing TLA products and services; SIM, DLP, IPS, NAC, ERM, PCI, DRP, SOX. Based on empirical evidence with clients &#8211; the majority of infosec departments are very focussed on compliance and perimeter security and very technology and product-focussed, not unlike their IT brethren.</p>
<p>The key phrase for security professionals is <strong>UNPREDICTABLE EVENTS</strong> &#8211; responding to internal and external attacks on people (phishing, social engineering and terrorists), systems (hacking) and data (data loss and fraud).</p>
<p>IT Business applications are defined by the business and corporate business objectives. Security activity is defined by people and organizations who don&#8217;t carry a company card and don&#8217;t care how much money a company pours into security of people, process and technology.</p>
<p>This is a fundamental mismatch between IT and Security groups. Since I can&#8217;t buy into something I don&#8217;t understand &#8211; I have difficulty seeing how complex standards like COSO/COBIT help bridge the gap. Politically &#8211; the analogy of a hot potato comes to mind.</p>
<p>I would propose that the common ground for IT and Security practitioners in a company starts with a very simple idea of brick and mortar security. If everyone (IT, IT Security, Compliance, Risk management and Physical Security) starts thinking and talking in the same brick and mortar language of attacks, vulnerabilities, assets and countermeasures, we will be able to improve both the process and respond better to the unexpected events.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/10/risk-management-bringing-brick-and-mortar-security-to-it/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>7 years after 9/11 in a more connected, more hostile world</title>
		<link>http://www.software.co.il/2008/09/8-years-after-911-more-connected-more-hostile-more-user-friendly/</link>
		<comments>http://www.software.co.il/2008/09/8-years-after-911-more-connected-more-hostile-more-user-friendly/#comments</comments>
		<pubDate>Wed, 10 Sep 2008 14:12:47 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Information security]]></category>
		<category><![CDATA[Business alignment]]></category>
		<category><![CDATA[Dilbert]]></category>
		<category><![CDATA[IT Governance]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=531</guid>
		<description><![CDATA[Thursday this week is the 7th anniversary of the Al Qaeda attack on the US in New York on 9/11/2001. The world today is more connected, more always-on, more accessible&#8230;and more hostile. There are threats from Islamic terror, identity theft, hacking for pay, custom spyware, mobile malware, money laundering and corporate espionage. For those of ...]]></description>
			<content:encoded><![CDATA[<p>Thursday this week is the 7th anniversary of the Al Qaeda attack on the US in New York on 9/11/2001.</p>
<p>The world today is more connected, more always-on, more accessible&#8230;and more hostile. There are threats from Islamic terror, identity theft, hacking for pay, custom spyware, mobile malware, money laundering and corporate espionage. For those of us working in the fields of risk management, security and privacy, these are all complex challenges in the task of defending a business.<a href="http://v20/wp-content/uploads/2008/09/dilbert-paradigm-intro1.jpg"><img class="alignleft size-medium wp-image-535" title="IT governance and IT business alignment - the new paradigm" src="http://v20/wp-content/uploads/2008/09/dilbert-paradigm-intro1.jpg" alt="" width="193" height="176" /></a></p>
<p>The biggest challenge is <strong>the divide between IT and management.</strong> It&#8217;s similar to the events leading up to 9/11: The FBI investigated and the CIA analyzed, but the two sides never discussed the threats and the potential damage of Saudis learning to fly, but not how to land airplanes.</p>
<p>The two biggest security issues today for a business, both from an operational and regulatory perspective, are fraud and data loss. An insider, often colluding with an outsider, can cause large scale damage to the business by manipulating transactions. Let&#8217;s take two examples &#8211; the Israeli Trade Bank case and the Israeli Trojan Horse case.</p>
<h2>Fraud &#8211; the Trade Bank</h2>
<p>In mid 2003, it was discovered that Etty Alon, a bank employee, had embezzled over NIS 250 million from the Trade Bank in Israel. At her trial, she told the Tel Aviv District Court that she did not take any of the money for herself but used all of it to pay off the gambling debts of her brother, Ofer Maximov. The money later turned up in Israeli organized crime and the bank itself went under. To this date, the bank&#8217;s external auditors, KPMG, have never been charged with negligence for not discovering the attack on the bank.</p>
<h4>Executives look at <strong>fraud</strong> as a risk management / revenue assurance problem and IT looks at fraud as someone else&#8217;s problem.</h4>
<h2>Data theft &#8211; the Israeli Trojan Horse</h2>
<p>In June 2005, Israel&#8217;s biggest business scandal in decades, the so-called &#8220;Israeli Trojan Horse&#8221;, hit the papers. Previously under investigation for several months, the list of companies implicated included NASDAQ-traded Amdocs, Cellcom, Bezeq, Pelephone and YES (the DBS operator). The victims included Hewlett-Packard and the Ace hardware chain, as well as the Globes business daily, Strauss-Elite food group, and HOT (the digital cable company). By stealing strategic marketing plans, YES was able to stay one step ahead of HOT for over a year and a half, causing HOT millions of shekels in lost revenue.</p>
<h4><strong>Executives look at data loss as a risk management problem and IT looks at data loss as a select-another-security-product problem. </strong></h4>
<p>Working with clients, we try and bridge this gap by working with the director of security (not with IT) and convincing him or her to do a risk assessment with live sampling of transactions on the corporate network. After the risk assessment we can help the VP security and fraud build a business case for the management board. IT plays a role as technical evaluator, making sure that the proposed security countermeasures fit the IT infrastructure.</p>
<p>It&#8217;s not about security technology. The technology we sell (<a title="Fidelis Security Systems Data Loss Prevention" href="http://www.fidelissecurity.com" target="_blank">Fidelis Security Systems</a> XPS) is always a slam-dunk for the technical guys. It&#8217;s all about making the business case to the management board in dollars and cents and proving that there is a cost-effective, prioritized risk mitigation plan.</p>
<p>Internal fraud and data loss are philosophically different from intrusion prevention and anti-virus. With anti-virus and intrusion prevention it&#8217;s about attackers from outside the organization. With fraud and data loss, it&#8217;s about vulnerabilities INSIDE the organization. Etty Alon worked for the Trade Bank &#8211; there were no malicious hackers involved. The MO of the Israeli Trojan was basically social engineering &#8211; exploiting vulnerabilities of employees who were given a CD with the spyware under the guise of a game. What is the first thing you do when someone gives you a game CD for Windows in the parking lot? That&#8217;s right, you want to insert the disk into your Windows PC on your desk in the office and give the game a spin. In this case, the software on the CD was a keylogger and screen capture program that used outbound FTP to send data to FTP servers outside the network.</p>
<p>Back at the IT ranch,  they are talking about IT alignment and IT Governance.</p>
<p>“IT alignment helps enterprises achieve and sustain long-term success through value delivery to stakeholders,” said ITGI (IT Governance Institute) trustee Paul Williams. “To succeed in aligning the business and IT, the CEO and board need to be involved and committed.”</p>
<p>Dilbert could not have said it better.</p>
<p>For more about crossing the security and compliance chasm &#8211; read the excellent article on the Control Policy Group blog on the <a title="Security and compliance, the big management/IT Divide" href="http://www.controlpolicy.com/2008/07/organizational-politics-is-not-a-dirty-word/" target="_blank">organizational politics of security and compliance.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/09/8-years-after-911-more-connected-more-hostile-more-user-friendly/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

