
Monday, December 6, 2010

Two Days with BT’s Customers – The Best Security Boot Camp!

By Jill Knesek, Chief Security Officer, BT Global Services

A couple of weeks ago I had the privilege of attending the Managed Security Solutions Group annual customer conference. We like to get our customers together once a year, not only to offer them an in-depth view of our product roadmap, but also to give them the opportunity to give us feedback on our services and to network with their peers. As you can imagine, it's a fascinating couple of days.

This year, I noticed there was one topic at the front of everyone's mind: how to deal with allowing employees to bring their own devices to work. How are we going to secure our employees' iPads, iPhones and Android devices? My philosophy, which seems to be in line with those I talked with, is that we need to enable employees to use their own devices: it makes them more productive and agile workers who are quicker to respond to customer needs. But, oh boy, does it introduce some headaches!

Rather than having fewer concerns on their horizons, 2011 seems to be brimming with new challenges for CISOs. In addition to the challenge of managing non-homogeneous devices, I suspect we'll be seeing more cyber-weapons like Stuxnet and other targeted malware. While it is true that worms like Stuxnet are designed to do harm to a specific type of system, we need to be vigilant because we don't know what system might be next. This time it was SCADA and industrial control systems, but next time it could be financial trading systems or transportation infrastructure. Whatever it is, we can be certain that there will be a "next time" and that the speed at which exploits can be deployed is getting faster.

But of course, as CISOs and their teams are patching and defending, they also have to be demonstrating the effectiveness and value of their security and risk management programs to the board. While I am buoyed by the fact that there is no longer any question that the CISO should have a seat at the boardroom table, we are still faced with the unenviable task of justifying spending money on an activity whose success is measured by nothing demonstrably bad happening.

I'm a big advocate of risk registers, and this year I also enjoyed sharing how we tie our BT Security Scorecard to the business to ensure that our security strategy is properly aligned with BT's business strategy. From my perspective, being responsible for the security of a global enterprise, risk management needs to encompass human elements as well as the purely technical elements. In putting together my organization's risk register and security scorecard, I look at a full spectrum of risk, from the geopolitical to the purely technical. Human action and human intelligence are key factors in both creating and preventing risk. If we view risk management as something that an off-the-shelf box or piece of software can solve, then we're missing the mark.

At the same time, I think some people are really over-thinking security. Obviously we can't secure every last detail of our employees' work days; otherwise they'd not be able to get anything done and we'd soon be out of business. Without a doubt, by enabling devices like the iPad and iPhone to be used at home and at work, we introduce certain risks, such as syncing with iTunes, which would enable sensitive data to be copied off work systems. But the thing to remember is that employees can already do this with an old-fashioned USB drive.

Security is a whole practice, and we should be using everything at our disposal to equip our employees to work with security top of mind. From the moment we choose to hire an employee, we should be using background checks, vetting and a host of other tools to ensure we're hiring good people, and we should have robust layered protections on the back end to ensure the business is protected if something does go wrong. But thinking that the use of a device alone increases our risk is both over-thinking and oversimplifying the situation we face.
