Archive for the ‘Risk Assessment’ Category

Business unit strategy for data security

February 17th, 2010 admin No comments

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to the purchasing justifications that companies use, like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able to corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration at a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong competitive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

  1. Is your information asset protection spending driven by regulation?
  2. Are Gartner white papers your main input for purchasing decisions?
  3. Does the information security group work without security win/loss scores?
  4. Does your chief security officer meet three to five vendors each day?
  5. Is your purchasing cycle for a new product longer than six months?
  6. Is your team short on head count, and not implementing new technologies?
  7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Read more…

Data security and compliance – Best practices

January 28th, 2010 admin Comments off

Compliance is about enforcing business process – for example, PCI DSS is about getting the transaction authorized without getting the data stolen. SOX is about sufficiency of internal controls for financial reporting and HIPAA is about being able to disclose PHI to patients without leaks to unauthorized parties.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed… The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

In the attached presentation, we review data security requirements in compliance regulation, discuss provable security and show how DLP can serve both as an invaluable tool for measuring security metrics of inbound and outbound business transactions and, when required, as a last line of defense for personal account numbers.

Return on security investment

September 1st, 2009 admin Comments off

The Control Policy Group is presenting a series of 6 free online workshops starting Sep 3, 2009 at 15:00 GMT. The first workshop, “Using data security metrics and a value-based approach”, will teach measurement of how well security tools reduce Value at Risk in dollars (or in Euro) and how well they will do 3 years from now.

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practitioner and the management board.

The gap is this: management speaks the language of money, and security practitioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy – Control Policy Group clients in Europe and the Middle East have slashed security and risk budgets by about 50% since the beginning of the year.

From a security and risk practitioner perspective, data breaches went up almost 50% in 2008, there is more phishing, more web defacing, more Web applications to secure and yet less head count and capital budget to do the job.

In order to close the gap, the Control Policy Group has built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and how much you value your information assets, it is likely that a company’s security spending is misdirected.

This series of workshops is designed to help the security and risk team take a leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling(TM) tactical methods, you will learn how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Choosing a data loss prevention solution

July 1st, 2009 admin Comments off

Data security, Disaster recovery planning

Data security is not one-size-fits-all.

For example, if the threat scenario is an attack on your customer self-service Web application, obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable. On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data, you need an agent DLP solution.

How do you decide which DLP solution is right for your business?

Read more…

Reducing risk of major data loss events

June 18th, 2009 admin Comments off

Martin Hellman (of Diffie-Hellman fame) maintains the Nuclear Risk web site and has written a very insightful piece on risk analysis of nuclear war entitled Soaring, cryptography and nuclear weapons.

Hellman proposes that we need a third state scenario (instead of current state -> nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense, and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodor Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Khrushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the Iranians, who pose a serious nuclear threat to the world. But not only Ahmadinejad – the Russians and the North Koreans are also infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

Exploiting a wireless mesh network for utilities

June 11th, 2009 admin Comments off

Greentech

I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech Media reports that Trilliant (a smart meter neighborhood networking startup) has bought SkyPilot for its long-range, WiFi-based communications. SkyPilot (with over 500 customers in 50 countries – utilities, wireless Internet service providers (WISPs), and municipal agencies – deployments exceeding 50,000 devices) will help Trilliant get to the next stage. Read more…

Less regulation, increased data security

May 27th, 2009 admin Comments off

Data security compliance regulation such as PCI DSS 1.2 is a double-edged sword – as a security checklist it’s an important step for the payment card industry, but too much regulation, especially for small to mid-sized businesses, is too much of a good thing.

As my maternal grandmother, who spoke fluent Yiddish, would yell at us – you have “grosse augen” – when we would pile too much food on our plates. “Grosse augen” is literally “big eyes” – having eyes that are bigger than your capacity.

Read more…

Imperfect knowledge security

May 19th, 2009 admin Comments off

Keeping the organization robust in a highly dynamic threat environment

Our capacity to predict will be confined to . . . general characteristics of the events to be expected and not include the capacity for predicting particular individual events. . . . Yet the danger of which I want to warn is precisely the belief that in order to be accepted as scientific it is necessary to achieve more. This way lies charlatanism and more. I confess that I prefer true but imperfect knowledge . . . to a pretence of exact knowledge that is likely to be false.

FRIEDRICH A. HAYEK

“The Pretence of Knowledge,” Nobel Lecture

Modern information security models usually assume a pre-defined defensive structure of networks, systems, procedures, defenders and attackers – the properties of which are usually specified by vendors (i.e. defining the problem by the solution).

The problem with such models is that, in reducing the organization to passive executives of defense rules in their firewalls, they ignore the extreme ways in which attack patterns change over time. Any security policy that is presumed optimal today is likely to be obsolete tomorrow. So – learning about changes is at the heart of day-to-day security management. Read more…

Pharmas, Web 2.0 and regulation

May 18th, 2009 admin Comments off

For a change – ethics-based regulation that differentiates between the medium and the message.

Dr. Jean Ah Kang works at DDMAC and is in charge of Web 2.0 policy development. She speaks very well in her interview with Mark Senak, a regulatory affairs lawyer (eyeonfda.com). Here is the podcast: FDA’s views and ideas about social media and its use in the life sciences industry.

Designing a data security system

May 14th, 2009 admin Comments off

User-Driven Design versus User-Centered design

Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all seen software development projects where the requirements spiraled out of control and the project was a painful flop. On a project like that, it’s best to detect the warning signs early on and bail out in order to save your sanity and reputation.

User-centered design, on the other hand, is about listening carefully to the user and implementing friendly, reliable, fast and secure software that meets the user business requirements.

There is a lesson to be learned here for data security and data loss prevention -

Read more…