Have you ever asked yourself the following question: Why is it that information security professionals are told to learn about other disciplines in their organizations, but that others don’t have to learn a thing about security?

You’re not alone if you’ve had this experience. I was at dinner with a group of CISOs when one with a healthcare organization asked everyone at the table: “Why is it that I have to learn about finance, or patient care, or any number of other functions in my company, and they don’t have to learn a thing about security? Does this happen to you?”

Everyone around the table confirmed that this is indeed a shared experience. There were some polite explanations and some embarrassing guffaws to explain the behavior (nothing you’d want to print in a family newspaper anyway) and it’s a rather interesting question.

Jack-of-all-other trades, master-of-your own

Why is it that Security Pro’s have to be jack-of all-other-trades in addition to being master-of-their-own?

A few brief (paraphrased) explanations I heard that evening included:

• “They’re the ones with the money. Follow the money.”
• “Security’s about how people use information and systems.”
• “They don’t understand it (security) even when you explain it at a 1^st grade-level, so be glad it’s not the other way around.”
• “Use the opportunity to show what security is doing for the business stakeholders.”
• “Security starts and ends with people.”
• “It’s always been this way, and won’t change any time soon.”
• “I wish I had people asking us to understand their business.”
• “We insist on this: it gets us into everyday life at the company.”
• “While it’s (security) about technology: it’s also about people and business procedures.”

Research results confirm the benefits

If you’d like to see what happens at organizations experiencing very different outcomes, from worst to best, then see that latest research report, Data Driven Reporting and Communication about IT: Better Results, Less Risk.

Containing findings on the very real differences in who’s involved in the information security reporting and decision-making process, the research clearly shows more people being involved means better outcomes and higher spending to manage real business risks.

The research results point to an obvious conclusion: be happy if you are being asked to “walk in their shoes and understand the business”: take advantage of it. If it’s not occurring, the research indicates you should insist on it.

Let us know what you think

Do you have this shared experience of feeling like you are a jack-of-many-trades while also being a master-of-your-own? Or is your experience different? And, what are your explanations for the behavior?

Compare the impact of your spending on information security with peers in your industry.

Step 1: Select your industry
Use the slider slider bars to select your industry, your annual revenue or budget (non-profit of government) and how much more or less you spend on information security compared with your peers. Choose how much of your industry you’d like to compare against.

Step 2: Select alternatives to improve results
Return to the Questions pane and select alternatives to improve your outcomes. Use other assessments at ITPCG to verify the impact for areas of additional spending.

In an article entitled “Flaw Found in an Online Encryption Method”, the New York Times cites research conducted by Arjen Lenstra, James Hughes,
Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter that identifies an error in the RSA algorithm amounting to 99.8%, or 2-in-1000 instances of the algorithm being used.

The New York Times

The New York Times article can be found (subscription required) here: https://myaccount.nytimes.com/auth/login?URI=/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html

Sydney Morning Herald

An alternative mainstream publication not requiring a subscription can be found at the Sydney Morning Herald, here: http://www.smh.com.au/technology/technology-news/researchers-find-flaw-in-online-encryption-20120215-1t5w0.html

The original research publication

If you are interested in reading the original paper, “Ron was Wrong, Whit is Right”, by the authors, download it from this location:

http://eprint.iacr.org/2012/064.pdf

Next steps?

The flaw in the generation of random-seeds, impacting 2-in-1000 instances puts the eror at slightly more than 3 standard deviations, probably good enough for some-things, but not good enough for lots of transactions involving large numbers of the uses of the algorithm – such as on-line Banking.

The question for organizations that rely on the RSA method is: what are the downside business risks, and if unacceptable what can be done to manage the risks?

The IT networks, systems and applications of the now-defunct Canadian maker of network telecommunications switches were apparently compromised by hackers from China, according to a story written by Siobhan Gorman on the front-page of the Wall Street Journal on February 14, 2012. The WSJ article can be found here: Chinese Hackers Suspected in Long-Term Nortel Breach – which may require a subscription.

Nortel Networks hacked for a decade

The activity of the hackers was discovered in 2004, although it is believed the IT systems at Nortel were compromised as early as 2000 according to a Mr. Shields, who’s cited as being a former employee who led an internal investigation of the breach.

The Journal article claims that technical papers, R&D plans, business plans and employee emails were among the intellectual property stolen by the hackers.

SEC guidance on cybersecurity risks and incidents

In a little-noticed section of the article, Siobhan Gorman mentions the new guidance from the SEC requiring public firms to disclose Cyber-security risks and incidents. Written on October 13, 2011, the guidance from the SEC (see CF Disclosure Guidance: Topic No. 2) may be a little-too-late for creditors and companies that are acquiring the assets of the former Nortel.

The SEC states that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. As with other operational and financial risks, registrants (publicly-traded organizations) should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”

Why heed the SEC cybersecurity guidance

Had the guidance from the SEC been written earlier than October 2011, it is far more likely that buyers would have futher discounted their purchase prices for Nortel Network assets. And had the guidance been in place when Nortel was a going-concern, it is likely to have had more of an impact on share-price, earnings, and customer retention.

Going forward, some smart lawyers are going to figure out what the opportunities are and it will likely involve your shareholders’ assets if the company is not demonstrating due-diligence and adhering to the new SEC guidance regarding cybersecurity.

Think of the IT security budget as cheap insurance. Although this is new territory for the SEC and the courts, the amount spent on due-diligence and managing the business risks related to information security will likely pale in comparison to erosion of shareholder value, lost-market opportunity from thieves reselling ill-gotten gains, from fines meted out by the SEC, or by awards from courts of law.

More than a few chief information security officers (CISO’s) have told me, “What I really worry about, is what I can’t see and what I don’t know.”

When I ask these people, some friends and others acquaintances, to explain this a bit, they all mention obvious threats such as viruses and malware, as well as underlying vulnerabilities in IT systems and applications. But as we talk further, many also mention the uses – and misuses – of IT by employees and contractors, some with rather funny and others with sad tales. And some CISOs even mention a burning need to know more about their vendors because more of the organizations business risks are related to the use of IT as hosted applications, Cloud-services, off-site systems, and network services they have no control over. As we talk some more, I find we’re also discussing web-applications, hacks and Internet security threats, the losses of sensitive information, as well as user accounts and credentials that are as old as time, and have never been deleted or cleaned-out.

See the latest — free — report, Data Reporting and Communication about IT: Better Results, Less Risk, today.

In short, these CISOs are referring to any possible threat they cannot see, are unaware of, or cannot identify that can explode and cause havoc for the organization. Sound familiar? If does if you’re a CISO or you work for one.

What the best do to make risks visible

Despite well-deserved complaints about information overload, the best CISOs make sure that more information is acquired, centrally stored, analyzed and reported on. Depending on the business-impact, the information may be acquired and reported in near-real-time, to cycles involving weekly, bi-weekly and even monthly gatherings and collections.

In comparison, there is either no capturing of information, no storing of it, no analysis of what it means to the organization, and no reporting among the worst performers. Or, if there is some collection and reporting occurring among these organizations, it takes place each year for the annual budget justification cycle; not to prevent damage to the organization, its customers or shareholders.

See the latest — free — report, Data Reporting and Communication about IT: Better Results, Less Risk, today.

But for more of the best performing organizations, information relevant to business risks related to the use of IT is collected and reported on more frequently than all other organizations.

Frequency of gathering and reporting on findings about IT that impact the business

Source: IT Policy Compliance Group, 2012

What’s being collected

Almost everything; but for starters, the list includes log data from most systems in the environment, systems and software configuration data, vulnerability scan and penetration test data, findings from audit tests, surveys conducted with employees, contractors and vendors, security threat information and data, and security test report data. Not to be sublime, these people also look for the same information whether the information and systems and applications are implemented in-house or by vendors. In their words, “there’s no perimeter anymore.”

Scope of Coverage

Not only is information acquired more often, but the information being collected covers a larger proportion of business procedures, as well as application and systems in the IT environment. The number of people from which information is collected ranges from lows averaging 2-in-10 people among those with the worst outcomes, to highs averaging 6-in-10 people among those with the best outcomes. The difference in IT systems and applications from which information is gathered ranges from 2-in-10 among the worst performers, to averages of 7-in-10 systems and applications among the best performers.

Lessons learned

If you are worried about what you don’t know, and can’t see, then do what those with the best outcomes do, gather, store, analyze and report on a basis of more information — about threats and business risks — more frequently.

And, if you’d like to find out what else the best performers are doing, and why they have larger budgets, then see the latest — free — report, Data Reporting and Communication about IT: Better Results, Less Risk, today.

If you are in information security, are you already known as “Dr. No?”

If you’re not, is this what the head of information security is called in your organization?

Something happened over the course of the past thirty years that turned much of the information security profession into the “Dr. No’s” of the corporate world.

Reminds me of the song “Hit the road Jack” by Ray Charles that went something like “Hit the road Jack, and don’t you come back no more, no more, no more, no more….” A nice version of the song can be found on Youtube at www.youtube.com/watch?v=Q8Tiz6INF7I. This is the reaction many information security professionals run into after another “Dr. No” explanation with the boss.

In fact, the primary words heard from the lips of many security professionals is “You can’t do this”, “You can’t do that”, and other explanations involving the word “No.”

A business unit manager at a large conglomerate once told me, “We just avoid them (the security group in IT) and do what we want.” A CIO and a consumer products company once said, “We have these folks on staff, and I’m scared of them, so we try to minimize their impact on operations.”

We’ve done it to ourselves

A CISO at a large company recently told me and others I was with that when it comes to “Dr. No”, “We’ve done it to ourselves.” His argument is, “we’ve focused only on telling people what they can’t do” and a culture of “what can go wrong, will go wrong”, or the equivalent of Murphy’s laws for the security profession. While it’s okay to be prepared for the possible worst downside risks (that’s after all part of the job, isn’t it?), using this approach for all public communications to the rest of the organization is simply just a three letter acronym: FUD.

And, he’s right. One of the reasons why fear, uncertainty and doubt (FUD) works is that no one wants to be associated with it, but the problem with FUD is that when it’s the only thing people hear, people turn off or ignore the message. And, if it’s the only message that continues to be heard, people turn off and ignore the messenger, which often results in lower budgets and a marginalization of contributions from the security group that could otherwise help organizations improve results and avoid real business risks.

What can you do?

So, what can you do avoid being tagged as a “Dr. No” or dig-out from being seen as “Dr. No?”

Do what this CISO did: tell everyone that worked for him that the word “No” was no longer to be used. Alternatives to using “no” that were acceptable included such phrases as “You can’t do it exactly that way, but you could do it this way”, or “Not exactly but this would be more effective.” The change in language by his staff went a long way to reinforcing a change in approach that signaled a willingness to find acceptable alternatives with those darn users, business owners and stakeholders.

In addition, one of the most critical changes you should consider introducing is to re-frame all conversation about security from “no” and “yes” or “black and white”, to a new conversation involving “trade-offs”, one that put the onus for the business risk decisions back in the hands of the business owners. As in, “You can do this if you like, but here are the consequences of the business decisions. Here are some alternatives, and here are the trade-offs you’ll be making.”

Consequences of changing the culture

We’ve learned from research conducted with thousands of organizations that this risk-benefit trade-off approach is a winning formula being implemented by the organizations with the least unplanned business downtime from IT hiccups; the lowest rates of loss or theft of sensitive information and data; far fewer vulnerabilities in IT networks, systems and applications; and the fewest problems with audit in IT.

It turns out that these same organizations spend more money on information security, in every industry and by organizations of all sizes. In fact, the amount spent on IT by these firms is 3 times higher than all others, and the amount spent on information security is 1.7 times more. And, the reason for higher spending among these organizations is that IT and information security are business-relevant with choices expressed in terms of trade-offs for business owners.

The research also shows that in addition to the small things like the changes in language and approach, changing from Dr. No to a business risk-benefit trade-off culture in IT requires an ability to consistently gather information from people and IT systems, and turn this into relevant insights covering business impact status, trends and forecasts.

Instead of the annual budget challenge of digging-up some information, the frequencies range from daily and weekly, to monthly and quarterly, depending on the type of information being sought. The much more frequent rate of collection is achieved by higher levels of automation to collect, store, analyze, report and communicate the business impacts of using IT.

What’s it going to cost you?

Almost all of the IT and internal auditors I’ve ever talked with will tell you that assessing and dispassionately explaining the status, trends and forecasts of the benefits and risks is an approach that has worked for them. Now maybe it’s time for IT and information security professional to implement the same successful risk-benefit trade-off discussion and culture with business leaders.

The only downside risk or additional cost you’re going to experience is no more “Dr. No”  -  no more, no more, no more, no more!

See the latest research, “Data Driven Reporting and Communications about IT: Better Results, Less Risk, to learn more at IT Policy Compliance Group.

Use slider-bars to find out how your practices to report and communicate the relevance of IT to business stakeholders compares with others. Identify changes to your practices that will increase the value delivered by IT, reduce the risks of using IT, and lead to more funding for IT and information security.

Read the rest of this entry »

In the words of one CEO, “Until they (IT management) presented what it (IT) meant to me, I ignored it (IT). After I got it (the information), we increased spending in some areas pretty dramatically.”

We found from the research that with the exception of the best performers — those with the best revenue and profit track records and the fewest business risks related to the use of IT — information about IT that is needed to make changes for business-supported operations and strategy is largely non-existent among most organizations.

Learn what the best performers do about communication and reporting about IT and security, and how this is directly related to larger budgets. Almost all (8-in-10) of these firms say their reporting and communications about IT influences the decisions being made about IT by senior management, senior business leaders and other stakeholders.

In sharp contrast, 8-in-10 of the worst performers do not report or communicate the value of, or the risks of using IT, to anyone. And, only 1-in-10 of these organizations say that what’s communicated has any influence on decisions being made about IT by senior managers and other stakeholders.

However, the vast majority of organizations are operating somewhere between the worst and best performers. Spending more than the worst performers and less than the best performers, communication about IT at these organizations is clouded in tech-talk, unconnected to the business of the organization, and too infrequent to be meaningful. Only half of these organizations say their communications about IT makes any difference to decisions made by senior managers.

Research findings include:

- Business benefits and risks of using IT
- Communicating value and risk
- People involved in making decisions
- Focus of communications and reports
- The communication secrets that work
- Information that is gathered, stored and analysed
- Automation levels, frequencies and spending levels

Find out about the data driven reporting and communication techniques of the best performers; learn what to do to make IT as integral to the business of your organization as business units are; make IT central to increases in revenue and profits; and make information security business-relevant to stakeholders to reduce loss or theft of sensitive information, business downtime and problems with audit among other risks.

Download your free copy of the research, “Data Driven Reporting and Communcation about IT: Better Results, Less Risk” at ITPolicyCompliance Group (www.itpolicycompliance.com) – today.

Published in February 2012, the research findings contained in the report were fielded by the end of 2011.

Jim Hurley

Are you always being asked to do more with fewer resources, less time and lower budgets for IT and  information security?

Then it’s time to learn from the best performers who always have more resources, more time and larger budgets for IT and information security and who consistently report and communicate what the business impacts are of using IT. Almost all (8-in-10) of these firms say their reporting and communications about IT influences the decisions being made about IT by senior management, senior business leaders and other stakeholders.

In sharp contrast, 8-in-10 of the worst performers do not report or communicate about the value and risks of using IT, to anyone. And, only 1-in-10 of these organizations say that what’s communicated has any influence on decisions being made about IT by senior managers and other stakeholders.

However, the vast majority of organizations operate somewhere between the worst and best performers. Spending more than the worst performers and less than the best performers, reporting and communication about IT at these organizations is clouded in tech-talk, unconnected to the business of the organization, and too infrequent to be meaningful. Only half of these organizations say their communications about IT makes any difference to decisions made by senior managers.

Find out about the data driven reporting and communication techniques of the best performers; learn what to do to make IT as integral to the business of your organization as business units are; make IT central to increases in revenue and profits; and make information security business-relevant to stakeholders to reduce loss or theft of sensitive information, business downtime and problems with audit among other risks.

Is your data safe?

If you are a consumer you may want to check some of the following.

If you are in IT, you may want to check your evidence logs.

Recent events involving the loss of theft of sensitive information – of those that are known or reported – include events that are reported to have hit the following organizations, among many others:

• Video Game Plus
• Catalog Retail Marketing International
• Beauty.nl
• City College of San Francisco
• Namesco Limited
• Japan Aerospace Exploration Agency
• MDwise
• ANZ Bank
• Dreamhost

You can find more information on the above by searching on the names.

One of the more notable recent events is the huge data breach involving 24 million names, dates of birth, email addresses, phone numbers and passwords that occured at Zappos.com, an online shoe seller reportedly owned by Google.

You can find more information about the Zappos incident at USA Today and at: http://www.usatoday.com/tech/news/story/2012-01-16/zappos-security-breach/52605292/1

For those living in the European Union, there are currently no requirements that data breaches be reported. As a result, no one in Europe really knows if a data-breached occurred – even though Europe has some of the toughest privacy laws on the books.

But, new legislation is brewing in the EU that may require notifications of data breaches within 24 hours of their occurrence. See the article at PC World and here: www.pcworld.com/businesscenter/article/248566/eus_data_protection_proposals_likely_to_include_24hour_breach_notification.htm

Hackers for Hire (cheap): It’s easy to hack or to find others to do your dirty work for you and according to a recent story in the Wall Street Journal, it’s also apparently rather affordable, depending on your perspective. For more information, see the Wall Street Journal article Hackers-for-Hire: Easy to Find and at http://online.wsj.com/article/SB10001424052970203471004577145140543496380.html

Check your data: And to finish this edition of “Where’s Your Data – Today?”, we suggest members of the Chamber of Commerce in the U.S. make sure they’ve checked and changed on-line account and identify information. See the Wall Street Journal article China Hackers Hit U.S. Chamber of Commerce and at http://online.wsj.com/article/SB10001424052970204058404577110541568535300.html