A few months ago I wrote about The Black Swan of Security – how major data loss events have three common characteristics:
1) A major data loss event appears as a complete surprise to the company.
2) Data loss has a major impact, to the point of maiming or destroying the institution (note the case of Card Systems).
3) Data loss is ‘explained’ after the fact by human hindsight (Hannaford Supermarkets, Bank of America…hackers, viruses, drive-by Wifi attacks…).
A colleague of mine, who is a mathematician by training and banking executive by vocation, saw one of my presentations on Black Swan Data Security and told me I must read Imperfect Knowledge Economics by Professor Roman Frydman from NYU. I’ll take it out of the library, as soon as I can get over to the Hebrew U on Mount Scopus. Everything Roman Frydman and Michael D. Goldberg write about economic models surely holds true for information security today.
Why do our security threat models fail to account for what happens in the real world and in cyberspace? What drives the aggregate outcome of a multi-billion dollar security and compliance industry (1 percent of the US GDP) that fails to prevent the GFC and the data leakage of over 250 million credit cards? Is “self-interest” really sufficient to understand security rationality? What is the role of history, the social context and common values in protecting digital assets and systems? How should threat models be used by policymakers and professional investors?
To paraphrase John Kay, writing about the book in The Financial Times, “the quest for advanced security technology gets in the way of useful security countermeasures.”

One of my pet peeves with security vendors like Symantec, Vontu, Websense and Checkpoint is marketing collateral that totally disregards the basics of security – it’s like they hired an English major straight out of school and told them to start writing. Sensitive assets, confidential assets, proprietary assets – you can make a total mishmash as long as you mention compliance, SOX and HIPAA at least three times in the article.
Since the business situation, corporate culture and IT infrastructure of every company is different, we believe that it is incorrect to choose security countermeasures on the basis of product features – especially when vendors provide pseudo-risk-management justification for their offering. Read Andrew Jaquith on the hamster wheel of pain.
We submit that selecting security countermeasures requires measuring their effectiveness against a particular threat. Read more about this revolutionary idea in Preventing intellectual property abuse and you’ll see exactly how to choose a security product using a practical threat model – visit Practical Threat Analysis and download the free software.
December 11th, 2008
admin

Pop question No. 1: What percent of your employees send sensitive company documents to their Gmail accounts?
Pop question No. 2: When you lay off 15 percent of your workforce, should you fire the information security manager a) first, b) last, or c) give her an incentive to help ensure that a data breach of company IP and customer lists doesn’t happen?
With all the 30,000-foot strategic talk from Gartner and IDC about enterprise risk management, I think that most CEOs are blindsided when a data breach happens – having ignored issues of data theft during organizational changes or assumed that information security is a “given”.
In a large firm the CEO delegates the responsibility to the CISO, who has a dedicated team for security and compliance. In smaller companies that don’t have dedicated security functions, the responsibility for information security falls on the IT department. IT tends to see security as a technical overhead that gets in the way of running the ERP systems. IT security becomes an issue of security products, policies and procedures for appropriate Internet usage.
A company with current best-practice security such as Checkpoint firewalls, ISS IPS and Symantec SIM (security information management system) will be totally unaware that most of its employees send company documents to their personal Google mail accounts on a regular basis.
Monitoring outbound mail based on some fairly simple metadata parameters (like file type and email domain) can be a highly effective way of improving data security. You don’t necessarily need to do deep content inspection, but you must be prepared to monitor for violations and act quickly on corrective action. It’s as simple as seeing the event in real time with an extrusion detection system like Fidelis Security Systems XPS and walking over to the employee and asking her not to send the company’s 2009 sales forecast to a private Google mail account.
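The metadata-only check described above, as an added example that is not part of the original post and not the product of any vendor named here: it reads a constructed outbound-mail log (sender, recipient, attachment names), flags messages from the corporate domain that carry office-document file types to a personal webmail domain, and ignores everything else. The corporate domain `example.com`, the webmail domain list and the document extension list are assumptions; adjust them to your own environment.

```python
"""Flag outbound mail that carries office documents to personal webmail accounts.

Metadata-only detection: sender domain, recipient domain and attachment file
type. No message body or attachment content is inspected. The log lines below
are constructed for this example; they are not real traffic.
"""
from email.utils import parseaddr

# Assumptions for the example: the corporate domain, the personal webmail
# domains to watch, and the file types that are usually business documents.
INTERNAL_DOMAIN = "example.com"
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv", "zip"}

# Constructed sample log: one outbound message per line.
# timestamp | sender | recipient | attachment names (';'-separated, may be empty)
SAMPLE_LOG = """\
2008-12-11T09:02:11|alice@example.com|alice.home@gmail.com|2009_sales_forecast.xlsx
2008-12-11T09:05:40|bob@example.com|partner@supplier.example|contract_v3.docx
2008-12-11T09:07:03|carol@example.com|Carol Smith <carol.s@Hotmail.com>|customers.CSV;photo.jpg
2008-12-11T09:09:55|dave@example.com|dave.d@gmail.com|
2008-12-11T09:12:20|erin@example.com|erin@yahoo.com|signature.png
"""


def address_domain(raw: str) -> str:
    """Strip any display name ('Name <user@host>') and return the lowercase domain."""
    _, addr = parseaddr(raw.strip())
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_webmail(domain: str) -> bool:
    """True for an exact match or a subdomain of a watched webmail provider."""
    return any(domain == w or domain.endswith("." + w) for w in WEBMAIL_DOMAINS)


def file_extension(name: str) -> str:
    """Lowercase extension of a file name, or '' if it has none."""
    _, dot, ext = name.strip().rpartition(".")
    return ext.lower() if dot else ""


def parse_line(line: str) -> dict:
    """Split one log line into its four fields."""
    ts, sender, recipient, attachments = line.split("|", 3)
    return {
        "timestamp": ts,
        "sender": sender.strip(),
        "recipient": recipient.strip(),
        "attachments": [a.strip() for a in attachments.split(";") if a.strip()],
    }


def evaluate(msg: dict) -> list:
    """Return the document attachments that make this message a violation, or []."""
    if address_domain(msg["sender"]) != INTERNAL_DOMAIN:
        return []  # inbound or third-party mail is out of scope for this rule
    if not is_webmail(address_domain(msg["recipient"])):
        return []  # business partners and other corporate domains are not flagged
    return [a for a in msg["attachments"] if file_extension(a) in DOCUMENT_EXTENSIONS]


def scan_log(text: str) -> list:
    """Run the rule over every non-empty log line and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        hits = evaluate(msg)
        if hits:
            alerts.append({
                "timestamp": msg["timestamp"],
                "sender": msg["sender"],
                "recipient": msg["recipient"],
                "documents": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['sender']} -> {alert['recipient']}: "
              + ", ".join(alert["documents"]))
```

On the sample log only Alice (a spreadsheet to Gmail) and Carol (a CSV to Hotmail, behind a display name and mixed-case domain) are flagged; Dave sends no attachment, Erin sends only an image, and Bob's contract goes to a business partner rather than a webmail provider. That is the point of the metadata approach: the rule is cheap to run on every message, and the follow-up is a conversation, not a forensic investigation.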