
Posts tagged - CISO

Friday, November 18, 2011

There is no ROI for Security

By Toby Weir-Jones, Vice President of Product Development, BT Counterpane

We’ve heard that many times, probably just as many as we’ve seen attempts to prove the statement wrong.  Like car insurance, there is no incremental ROI in the literal sense.  You don’t see your wallet get fatter as a result of buying a policy.  Remember what insurance is for, however:  it provides a fixed payout on a variable risk.  Your premiums pay for coverage up to a certain amount (the fixed payout) which you can access in a wide variety of circumstances (you hit someone; someone hits you; your car is stolen).  There is non-monetary value to be found in the knowledge that your policy is in place and up to date.  You don’t need to squirrel away funds for a rainy day, so you can use that capital for other purposes.

In the information security space, we invest in technologies which hopefully improve our organizations’ ability to respond to unknown threats.  We evaluate their effectiveness by combining the increased visibility they give us into the things they control with some kind of commercial assessment of how important those things are to our businesses.  IPS tells us what kinds of known exploits or other malicious activities are on our networks; our knowledge of whether our networks are actually vulnerable to that activity tells us whether that information is helpful or not.

CISOs need to focus on seeing combined benefits across their projects, ideally by having them all feed into a common reporting scheme.  For example:

A large enterprise has deployed various technologies across the estate (PKI, secure messaging, IPS, next-gen firewall, monitoring, scanning).  Each of those activities generates its own reports, highlights benefits/errors/exceptions, and generally chatters away on its own. 

Next year, the Board indicates that budgets need to be trimmed 15%.  How does the CISO respond?

You can’t authenticate 15% fewer transactions

You can’t sanitize 15% fewer messages

You can’t deploy 15% fewer IPS signatures

…etc. 

Historically what we’ve seen is stretching out the lifecycle of deployed technologies, so instead of replacing something on a 3-year cycle, push it to 4 or even 5.  And, inevitably, the plans to increase headcount feel pressure.

But the other area, which is perhaps hardest to measure, is suspending new projects.  So perhaps the original plan had called for replacing the message hygiene, IPS, and FW platforms with new UTM capabilities.  If the budget pressure can be met by suspending that, it’s likely the project would be deferred, even if OpEx increases as a result.

And that’s the crux.  Quantifying benefits derived from security investments is difficult, much like quantifying benefits from auto insurance if you haven’t had to file a claim.  But the ratio of continued maintenance spend to the technical capability actually realized is unavoidable, and a useful starting point.  You need to be honest about those capabilities, since obviously you could be entirely self-serving in reporting the model, and every firm will have a ratio which is right for them.

But that gives us the common reporting scheme I mentioned at the start.  For any given product category, its features will fall into one of a small number of buckets:

1) Obsolete

2) Industry-comparable

3) Unique/vendor-specific

Anything on this list needs to be individually demonstrable.  So if a mail hygiene system has the ability to remove viruses and malware, you have to be able to measure both the number of such items removed, and what percentage of the total that number represents.  If it can’t be measured, it can’t be treated as a discrete feature on the product. 

Each of those will, in turn, have a utility value for the individual enterprise.  I would suggest a scale of 1-4, where 1 is the least useful and 4 is the most.

Summing each feature’s category value and utility value gives you a capability figure which you can set against the corresponding spend as a ratio.  And it stops you worrying about how to quantify benefits only when catastrophic events occur.
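The scheme above, worked through as an added example (not BT’s tooling or the author’s own code): each feature is bucketed and given a utility value, a feature with no measured count and total is excluded as the post requires, and the per-product total is set against annual spend. The numeric weights for the three buckets, the “per 100k of spend” ratio, and the portfolio figures are assumptions invented for illustration. It goes one step beyond the post by sorting products by that ratio, lowest first, as the rough-cut list of where to look first when the budget is trimmed.

```python
"""Rough-cut capability scoring for a security product portfolio.

Added illustration of the bucket-and-utility scheme; the bucket weights,
the spend ratio and the sample figures are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed numeric weights for the three buckets in the post.
CATEGORY_VALUE = {"obsolete": 1, "industry-comparable": 2, "unique": 3}


@dataclass
class Feature:
    name: str
    category: str                        # one of CATEGORY_VALUE
    utility: int                         # 1 (least useful) .. 4 (most useful)
    measured_count: Optional[int] = None # e.g. malware items removed
    measured_total: Optional[int] = None # e.g. total items inspected

    def is_measurable(self) -> bool:
        """The post's rule: a feature that cannot be measured is not counted."""
        return (self.measured_count is not None
                and self.measured_total is not None
                and self.measured_total > 0)

    def measured_pct(self) -> float:
        """Share of inspected items the feature acted on, as a percentage."""
        if not self.is_measurable():
            raise ValueError(f"{self.name}: no measurement available")
        return 100.0 * self.measured_count / self.measured_total

    def score(self) -> int:
        if self.category not in CATEGORY_VALUE:
            raise ValueError(f"unknown category {self.category!r}")
        if not 1 <= self.utility <= 4:
            raise ValueError("utility must be between 1 and 4")
        return CATEGORY_VALUE[self.category] + self.utility


@dataclass
class Product:
    name: str
    annual_spend: float                  # in whatever currency the firm reports
    features: List[Feature] = field(default_factory=list)

    def capability(self) -> int:
        """Sum of scores over measurable features only."""
        return sum(f.score() for f in self.features if f.is_measurable())

    def capability_per_100k(self) -> float:
        """Assumed ratio: capability points per 100k of annual spend."""
        return self.capability() / (self.annual_spend / 100_000)


def rank_by_value(products: List[Product]) -> List[Product]:
    """Lowest capability-per-spend first: the rough-cut order in which to
    examine products when a cut is demanded (an extension of the post)."""
    return sorted(products, key=lambda p: p.capability_per_100k())


# Constructed sample portfolio; every figure here is invented.
PORTFOLIO = [
    Product("mail-hygiene", 300_000, [
        Feature("malware removal", "industry-comparable", 4, 1_250, 2_000_000),
        Feature("spam filtering", "industry-comparable", 3, 900_000, 2_000_000),
        Feature("legacy RBL lookups", "obsolete", 1, 5, 2_000_000),
        Feature("sandbox detonation", "unique", 4),      # no figures yet: not counted
    ]),
    Product("ips", 500_000, [
        Feature("exploit blocking", "industry-comparable", 3, 4_200, 31_000_000),
        Feature("protocol anomaly alerts", "unique", 2, 310, 31_000_000),
    ]),
    Product("vuln-scanning", 150_000, [
        Feature("unauthenticated scan", "industry-comparable", 3, 12_000, 12_000),
        Feature("authenticated scan", "industry-comparable", 4, 9_500, 12_000),
    ]),
]

if __name__ == "__main__":
    for p in rank_by_value(PORTFOLIO):
        print(f"{p.name:14} capability={p.capability():3d} "
              f"per-100k={p.capability_per_100k():.2f}")
```

The ordering is only as honest as the utility values fed in; the point of keeping the measurability rule in code is that a feature nobody can put a count and a denominator behind contributes nothing, however loudly the vendor talks about it.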

CISOs are among the best-positioned to drive schemes such as this into the corporate rhetoric.  They can avoid the impassioned defense of individual vendors by focusing on product categories first, and they can frame the results in commercial terms to other members of the senior leadership team.  This isn’t a scheme to provide an exhaustive analysis, it’s a rough-cut sorting mechanism to provide one incremental level of improvement over how to present value equations to peers.

Wednesday, October 26, 2011

Insight…Takes us to the Right Places….

By Ray Stanton, Executive Global Head of Business Continuity, Security and Governance, BT

The last month has been an extremely exciting time for me: I have had the opportunity to spend an immense amount of time with many of our key customers at two annual events that BT sponsors and hosts. The first was the annual congress of the Information Security Forum in Berlin. The event was attended by a strong BT team and was hosted locally by BT’s German lead for Security, Frank Kedziur, with presentations by Bruce Schneier, Paul Kearney and myself. These were combined with many customer meetings, allowing us to explore conversations across our whole BT portfolio, not just security.

I was specifically asked by the ISF to present on market trends, BT’s views and insight from my personal involvement with the World Economic Forum (WEF) on Risk in a Hyperconnected World. This presentation focussed on driving even more security into our business strategies, ways to engage key stakeholders within business and looking at the tensions that exist between priorities of CIOs and CISOs. Further, I brought insight into how the WEF program has identified the need to improve trust relationships and enable growth in a connected world, not inhibit it.

What came out of the session in particular was the reinforced need to ‘talk business language’ and for CISOs not to revert to type and talk in three-letter acronyms, or descend into discussions of this or that RFC or technical standard. There is the need to communicate at the right levels and in the right way to represent our teams and our needs.

I also had the fortune to join our annual Managed Security Services Conference in Miami and again this included many one to ones with our customers. A great experience for all of us there to spend time discussing today’s issues, the BT portfolio, its shape and direction. Insight…takes us to the right places…

Speaking of getting to the right places, a video of me being interviewed in Dalian, talking about risk and identity management in the banking and financial sector, accompanies this post.

Friday, September 16, 2011

What Does the Future Hold for CISOs?

By Tara Savage, Senior Marketing Manager, BT Global Services

From September 18-20, 2011 Berlin will be awash with network security experts for the Information Security Forum’s Annual World Congress.  Ray Stanton, BT’s Vice President of Professional Services has been invited by ISF to present predictions on major security trends.

Fresh from his presentation on ‘Risk in a Hyperconnected World’ at the World Economic Forum in Dalian, China, Ray will draw on his many years of experience and expertise in the field, as well as on feedback from world leaders at the WEF, to present on issues that will loom large on the agenda of CISOs and CSOs in 2012.

If you can’t make it to Berlin and attend Ray’s session in person check back next week to read-up on his presentation.

Friday, June 3, 2011

Recognizing Security around the World

Tara Savage, Senior Marketing Manager, BT Global Services

Information security is a global issue that is vital to protecting critical assets within global organizations.  From managing risks to ensuring availability of systems and resources, a global organization cannot expect to manage and grow its business without the proper security programs in place.  For readers of SecureThinking, we highlight security issues and trends around the world as well as recognize our global security team for its successes. Our first stop…India.

This past month, our very own Sabyasachi Chakrabarty won recognition in the first-ever CISO 100 Awards. The award brings to light the contribution security officers make in shaping and securing the integrity of their businesses, and in delivering business value by creating competitive advantage, optimizing business processes, enabling growth or improving relationships with customers.

Chakrabarty understands the global challenges of customers. As regional security manager for APAC, he works day in and day out with enterprises that are challenged to optimize budgets, resources and time.  They juggle the cost of prevention against the cost of risk and remediation, and often have to consider the benefits of outsourcing versus on-premise security.

For his exceptional work, Chakrabarty accepted his award at a ceremony in Mumbai and said “I hope the award will benefit BT, too, by raising awareness of the company and highlighting the importance it places globally on information security.”

Congrats Sabyasachi and BT on this accomplishment!

Monday, May 9, 2011

A Quantum Leap for CISOs

By Vaune M. Carr, Principal & Security Practice Lead, BT Global Services

The role of the federal government Chief Information Security Officer (CISO) is poised to take a quantum leap forward this year.  When it first appeared on government agency organizational charts in 2002, it was primarily designed for reporting to Congress to meet the requirements of the “Federal Information Security Management Act.”  Legislation currently being considered by the Senate would not only give the position budgetary authority, but it also would be a required position for every agency. 

What will this mean to the overall risk landscape and the security posture of the federal government?  What will it mean to the private sector?  How will it be implemented?

The Challenge — An agency or private sector CISO must possess a certain level of expert communications skills.  One must keep in mind that connecting the bottom line to security issues is more of an art than a science.  Speaking in business language, not IT-speak, is challenging for many individuals who spend 90 percent of their time managing the very technical scope that makes up a security program.  But meeting the goals of both business and IT objectives requires a good risk-management program – it’s a challenge that CISOs must face.

Change is Necessary — I hear repeatedly that the CISOs like to be consulted first before their businesses take an action that will intentionally expose the organization; and, presumably, with this new mandate, the CISO will be consulted.  However, knowing how to explain the risk exposure in business terms is crucial to a CISO’s success.  Ultimately the decision belongs to the business leader as to whether or not a risk will be taken, mitigated or insured. When the right information is presented so a leader can make an informed decision, the rest is out of the hands of the security officer.  Helping leadership make risk-based decisions will ensure the CISO will be consulted in the future. 

Becoming One with the Business — Once a CISO becomes a trusted business advisor, the role is destined to be “one” with the business.  The key is to make the role effective.  How will a CISO get to the information needed to present the business case?  No doubt this requires automation and monitoring to ensure the information is timely, accurate and directly applicable to the business decision in play.  That is how “effective” is defined in dealing with security risks. 

The Impact to the Private and Public Sectors?  Take the risk of social media today for the government.  Understanding the risks of social media use can mean the difference between “exposure of government secrets” and an awareness of the ease with which social media can provide too much information to the wrong people at the wrong time.  By properly outlining the risks and suggesting guidelines for reducing that risk, the CISO can provide the means to implement the technology with the proper attention.  With budget authority, the CISO also can introduce adequate controls.

Overall Risk Reduction — The bottom line — the mandatory introduction of the CISO role within government agencies with budgetary authority is going to reduce the risk to national security.  The fact that the need for the CISO in managing risk is now recognized by Congress is a significant step towards making the government able to manage risk.

There is no doubt, much more is coming in the way of Governance, Risk and Compliance (GRC) for organizations, all directed towards managing risk in an ongoing program.

Wednesday, February 2, 2011

PART #2 — Security and Fraud: It’s all about the threats

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

In Part #1 of this series, Security and Fraud: Do we need to be fraud experts?, I attempted to define and separate security from fraud, expressing that security includes controls that seek to protect assets from an endless sea of threats.  Although traditional threats are increasing in number and impact, there is also an alarming increase in highly sophisticated threats that launch attacks in a manner that make typical security controls less effective.  Threats essentially are operating in a way that challenges normal expectations.

We use terms like “script kiddy” to express capability, sophistication, applicability, and even potential.  We know that some threats are smarter than others and therefore require more comprehensive security controls and more investment to combat and defend against.

However, today’s threat condition is different with the advent of threat organization, sophisticated easy-to-use tools, entangled technology, and a far more complex business infrastructure.

Moreover, the “community” of threats has expanded exponentially.  For example, with today’s tools, someone with virtually no computer skill can be quite effective.  Additionally, yesterday’s script kiddy, with minimal knowledge and empowered with the right tools and services, can perform attacks that previously were relegated to the top 5% of highly sophisticated and impactful threats.

At this point, we have an exponential increase in the number of threats and the power of threats, allowing all levels to perform attacks that used to come only from the upper echelon of the threat community.  Traditional threats – the types of attacks we’re most prepared to address – are growing in volume.

What the heck does this have to do with security and fraud?

Years ago, for hackers to get deep within your environment and perform seemingly authorized activities to steal money or assets meant they were very good and fell into the top 10 percent of threats, which you had previously accepted as a risk.

The cost was too high to address, and given the small community of such threats, the probability was low. The problem is that the 10 percent has increased substantially, as has the size of the community.  The odds of a threat embedding itself in the environment are higher, but the security controls to defeat those threats have not been, or were never, put in place because the risk was accepted.

Therefore, one could conclude that our enemy is very much among us and performing normal, authorized activities.  The question becomes — what is normal?  This is a huge shift from traditional security, which is arguably pointed at the threat as alien or something performing unauthorized actions.  Determining what is normal and acceptable means defining it and seeking to detect exceptions based on that model.  It’s becoming more difficult to simply write off certain risk, and the cost of addressing those risks remains virtually insurmountable.

So if we cannot obtain meaningful controls (due to cost and lack of substantive technology), we must accept that threats will infiltrate the environment in a manner that may appear as normal and acceptable behavior.
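The “define what is normal, then detect exceptions” approach the post describes, as an added example that is not part of the original post or of any BT product: a per-user baseline (hosts touched, hour-of-day window, volume mean and standard deviation) is built from a history assumed to be clean, and each new record is scored by how many ways it departs from that user’s own norm. The record format, the three-sigma volume rule, the two-reason threshold and every log line are constructed assumptions for this illustration.

```python
"""Baseline-and-exception detection over constructed access records.

Added illustration of "define normal, detect exceptions"; the record
format, thresholds and sample data are assumptions for this example.
"""
import statistics
from collections import defaultdict

# Constructed history assumed to be clean: "<ISO timestamp> <user> <host> <MB moved>".
HISTORY = """\
2011-01-10T09:12 alice fs-01 12
2011-01-10T14:03 alice fs-01 8
2011-01-11T10:40 alice fs-02 15
2011-01-12T16:55 alice fs-01 11
2011-01-10T08:30 bob db-01 40
2011-01-11T17:10 bob db-01 38
2011-01-12T09:05 bob db-02 45
""".splitlines()

# Constructed new records to score against the baseline.
NEW_EVENTS = """\
2011-01-13T10:15 alice fs-01 10
2011-01-13T03:20 alice hr-db 520
2011-01-13T11:00 bob db-01 41
2011-01-13T12:00 bob db-03 44
""".splitlines()


def parse(line):
    """Split one record into its fields; the hour comes from the timestamp."""
    ts, user, host, mb = line.split()
    return {"user": user, "host": host, "hour": int(ts[11:13]), "mb": float(mb)}


def build_baseline(lines):
    """Per-user profile: hosts touched, hour-of-day window, volume mean/stdev."""
    by_user = defaultdict(list)
    for ev in map(parse, lines):
        by_user[ev["user"]].append(ev)
    baseline = {}
    for user, evs in by_user.items():
        vols = [e["mb"] for e in evs]
        hours = [e["hour"] for e in evs]
        baseline[user] = {
            "hosts": {e["host"] for e in evs},
            "hours": (min(hours), max(hours)),
            "mean": statistics.mean(vols),
            "stdev": statistics.pstdev(vols),
        }
    return baseline


def score_event(ev, baseline):
    """Return the list of ways this event departs from the user's own normal."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append("host never seen for this user")
    lo, hi = profile["hours"]
    if not lo <= ev["hour"] <= hi:
        reasons.append("outside the user's usual hours")
    # Three standard deviations above the user's own mean; with a handful of
    # samples this is crude, so it is only one signal among several.
    if ev["mb"] > profile["mean"] + 3 * profile["stdev"]:
        reasons.append("volume far above the user's norm")
    return reasons


def detect(lines, baseline, min_reasons=2):
    """Flag records with at least min_reasons deviations; one alone is noise."""
    flagged = []
    for line in lines:
        reasons = score_event(parse(line), baseline)
        if len(reasons) >= min_reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(line, "->", "; ".join(reasons))
```

Two things to carry over from this toy into real work: the baseline is only as trustworthy as the period it was learned from (an intruder already inside during that period becomes part of “normal”), and single deviations such as one new host are routine, which is why the example demands more than one before it alerts.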

In the next post, I’ll cover what is “normal” and give examples of what some organizations are doing to thwart embedded threats, giving credence to this trend.

Monday, August 9, 2010

What CSOs Talk About at Dinner

By Jill Knesek, Chief Security Officer, BT Global Services

Last week I had the pleasure of meeting with some of Chicago’s outstanding CISOs and CSOs.  We met for dinner to discuss those thorny and gnarly issues that keep us working overtime to make sure that our companies are secure and our employees excel at work.  So, what was on our menu that night?

The first hot topic was methods of securing data across companies with disappearing perimeters.  BT, like many companies, works to enable its workers to literally work anywhere to boost their productivity and enhance their work-life balance.  But as the office walls disappear, new challenges abound.

While we touched on what value firewalls and IDSs provide, much more time was spent discussing endpoint security, such as personal firewalls, antivirus products and good patch management processes.  I see particular value in hard disk encryption on laptops, which renders stored data nearly useless to thieves. 

Obviously, mobile devices are top of mind for us.  Not only do we have to worry about laptops — with more companies supporting a “BYOD” (bring your own device) policy, we have a whole new set of things to be concerned about.  For example, it seems inevitable that companies will need to let employees bring their own hardware platform into the workplace.  And, while we all love our iPads, iPhones, Blackberries, and Android phones, with hundreds of thousands of apps available for download and many thousands more becoming available each day, how do we secure them?  While I wish I could say that we came up with a solution during dinner, this topic, for now, still generates more questions than answers.

The other topic that provoked a great deal of discussion as the economy emerges slowly from recession is how we secure new acquisitions.  The biggest problem facing CSOs in this area is — how do we change the culture of a new acquisition without breaking the business model that made them a desirable target?  But, the bottom line is that at the end of the day, CSOs are responsible for the security of all company assets, whether organic or acquired.  From my view, the key is good communication with the acquired management team and a strong security awareness campaign, since employees remain our first line of defense.  After that, it comes down to pure risk management and understanding the biggest threat against the acquired company — and mitigating that piece first.

And, from that discussion, we found ourselves deep in the nitty-gritty of Risk Management.  I know this message is getting tired, but the reality is that having a mature risk management program with real stats and data to back up your risk register can be a great tool in communicating at the boardroom level.  We can’t be Chicken Little, but we do need to rely on cold hard facts that resonate with the senior management team. 

The example I used was how to relate a fraud case to the senior leadership team in terms of revenue lost from the bottom line.  For example, if you lose $1 million in a fraud, how much revenue would it take to make up for that net loss?  Well, if the revenue was from a service with a 15% margin, it would take nearly $7 million in new revenue to make up for the loss.  Putting the cost of crime in terms of revenue helps the CFO and senior management appreciate the importance of reducing crime through security.

By the time we reached dessert, we’d hashed through these and other very interesting topics.  And, while we didn’t come up with concrete solutions or definitive answers, we learned a lot from sharing our common experiences and unique responses. 

I’d like to thank everyone who came and invite you all to carry on the conversation in cyberspace.  Leave a comment below, or let me know what you think in the Security Leaders Group on LinkedIn.

Tuesday, July 20, 2010

CISOs to the Rescue!


By Jill Knesek, Chief Security Officer, BT Global Services

There aren’t many times I check in on the trade publications and see an article that really hits on the issues faced by the C-level audience in the security sector.  Frankly, we’re an unusual bunch, with very specific interests, issues, and concerns.  But recently, I saw an article by Ernie Hayden at searchsecurity.com that got to the heart of some of the compliance issues that I know I face and I’m sure you grapple with, too.

Approaching compliance from the standpoint of managing processes, Hayden outlines five key propositions that can help guide decision-making and apply as equally to PCI as to NERC.  His top picks are:

  • Your fundamental obligation to the company is to protect data and prevent loss
  • You should know the ins and outs of the regulations your organization is held to
  • View training and awareness as key components of your compliance strategy
  • Understand the root cause of any issues related to compliance
  • The organization should be kept under constant pressure to be in compliance

Hayden’s full article is titled “How to manage compliance as Chief Information Security Officer (CISO)”.

And if you’re a C-level or senior security officer in the Chicago area and would like to continue this conversation over dinner, I’ll be hosting a BT Security Roundtable in Chicago on July 28.  To learn more about the dinner, please contact our Chicago-area managed security solutions specialist, Kurt Luporini.

Friday, May 28, 2010

‘Anatomy of a CISO’ includes BT’s Knesek

By Pete Russo, Senior Marketing Manager, BT Global Services

In a recent Q&A with Infosecurity Magazine, Jill Knesek, chief information security officer (CISO) for BT Global Services, shared her thoughts about working as a CISO and the state of the security industry in today’s global marketplace.  Knesek says that protecting data is increasingly difficult given that multi-national corporations, like BT, are dealing with the complexities that come from doing business in a “borderless information society.”

So what does it take to keep your eye on that moving target and make it to the CISO level? According to Infosecurity, a CISO must be a people-person with a sound knowledge of the information security landscape and someone who must take responsibility for everything from information security policy development for a company to training and awareness and regulatory compliance.  And, as the CISO, the “buck stops with you.”

What do you think is the most pressing data protection issue facing companies today?