What's hot in information security?
Put that question to the head of the Interop 2011 information security and risk management track, John P. Pironti, and he says the question shouldn't start with security.
"We should do risk first, and then do security, to then be business-aligned and line up security with the business's risk appetite," says Pironti, who's president of risk and information security consulting firm IP Architects. "But how many security guys are sitting at the board room and given the opportunity to have input into security and risk? Not many, unless something bad happens."
Risk appetite--aka tolerance--is an essential discussion for information security and risk professionals to have with business leaders, and gauging that risk tolerance starts by asking this question: "What is your point of arrival; where do you want to be? If you're OK with losing 100,000 records, then I'll build the capabilities to deal with that," says Pironti. In fact, large organizations often say they're "OK with losing a certain amount of data, because it's not so unusual," he says.
Protecting data, of course, also requires knowing where it's stored. "We need to start out with doing business process mapping, asset inventories--both logical and physical. So, find where all of your data is, where it is, then classify the data," he says. "Account for it first, because you can't protect what you don't know about."
Of course, insiders arguably pose the biggest risk to corporate data. "For the really interesting stuff, you usually have an insider knowingly or unknowingly involved, because they're the people with the most access," Pironti says. Accordingly, "trust but verify," with risk tolerance determining how far to go in either direction.
Another hot topic is the advanced persistent threat (APT)--not least because RSA blamed an APT for the recent breach of its SecurID two-factor authentication system. "I joke around and say APT equals human," Pironti says. "It means someone isn't just putting out a shotgun approach with a bot, but instead saying I want to attack and come after you, individually." Operationally speaking, organizations need to set and enforce the right types of controls for blocking APTs.
Using cloud computing also poses risks. With traditional, packaged applications, for example, customers have been willing to deal with buggy software and endless patching cycles, and vendors that assume none of the resulting security risks, per the end-user license agreement (EULA) with which customers must agree. "Same thing for the cloud guys now--if you read their EULA, it's all in the favor of the cloud provider. They assume none of the risk," Pironti says.
Pironti put this question to some big name application-in-the-cloud providers at a recent conference: If your applications are so great, then when it comes to any downtime and business disruption, why not split the risk? "I'll take 50% of the recovery costs that I incur in my environment, and you can take the other half," he says. (Don't hold your breath.)
But the point is that using the cloud presents new types of risk, starting with uptime--or a potential lack thereof. For example, the loosely organized hacking collective known as Anonymous directed denial-of-service attacks against the websites of companies it saw as not supporting WikiLeaks. While it didn't drive anyone out of business, it could be a preview of attacks to come.
The cloud is also risky because it centralizes a lot of information in a single location. "I can have an impact across a broad spectrum by only figuring out how to compromise one operating provider's environment," Pironti says. As the recent Epsilon breach illustrates, one cloud provider might lose data--in this case, customer information--from 50 major companies.
To handle any of these threats, don't start by talking technology, because it can be a crutch. "We do a lot of things for visualization and comfort--the security blanket approach," Pironti says. "Look at all the money we spend securing data centers. When is the last time a motivated adversary came and stole the hard drives from your data center? It's faster and cheaper to do it remotely, via the Internet. But still, we bomb-proof and even missile-proof these data centers."
Instead, first catalog risks, ask how the business prioritizes them, and then secure accordingly. "The most successful CISOs who I work with are the ones who build risk management programs, not information security programs," Pironti says. "Because inside a business leader's mind, 'security' equals cost and prevention. But once you talk risk, it's back under their control. You'll get the budget."