- Security « Secure Thinking

Posts tagged - Security

Wednesday, March 3, 2010

Evil Memes: Toby Weir-Jones Guest Blogs for Jennifer Leggio’s ‘Social Business’

By Toby Weir-Jones, Vice President Product Management, Managed Security Solutions Group, T Global Services

Internet memes are harmless, right? Fun little things that make you giggle, right? According to Toby Weir-Jones these innocent memes have a much darker side. Today, as part of Jennifer Leggio’s RSA week guest blogger series, Toby explores the security implications of a business’s decision to enter the social media space as well as suggesting some social media-security best practices for those who have taken the plunge.

To read Toby’s post click below:

A few years ago, in 2006 – ancient history in social media – various researchers proposed methodologies to study how quickly a meme can spread. Some tried to characterize based on qualitative attributes of the meme itself, such as how funny it was, or how socially relevant, while others avoided those grey areas and focused instead on the quantitative attributes of network owners who posted links or tracked referral URLs. In both cases, the general conclusions were fairly predictable: given a good story, it can go viral and appear everywhere within hours . . .

Friday, February 26, 2010

How do you get your Board to pay attention?

By Pete Russo, Senior Marketing Manager, BT Global Services

While many corporate Boards have started to take security more seriously during the past few years, some companies are still reactive in their response to security issues. This is especially true when the news of a major security breach is the focus of news reports.

So, the question is — how do you get your Board to pay attention prior to a security incident? CIOs need to ground security issues in clear business terms that are used throughout their organization. CIOs also need to provide an understanding of the amount of control that is put in place to mitigate risks with costs outlined to mitigate those risks.

By speaking the corporate language and outlining cost vs. risk, getting the Board to pay attention to security issues will become easier.

We’d love to hear how you get in front of your Board prior to a security incident. Please drop us a comment.

Friday, February 12, 2010

Are you driving yourself insane with compliance?

By Pete Russo, Senior Marketing Manager, BT Global Services

Is compliance enough for your organization to be secure? BT’s Jason Stradley recently wrote in CSO magazine how companies confuse a completed compliance checklist with ironclad security. Interestingly, Stradley says, “… compliance is a poor excuse for security”:

Approaching this from the direction of building specific solutions or groups of solutions to answer each compliance requirement will ultimately lead to an overall security posture that is lacking basic elements and is inherently insecure. Such an approach may create a security function that is more reactionary than it was prior to having the regulatory compliance variable factored into the mix. This leads us to the undeniable realization that while a byproduct of security is compliance, the reverse couldn’t be further from the truth. Given that realization, hopefully we can all be somewhat in agreement that compliance is a poor excuse for security!

If you need evidence, look at the Heartland Payment Systems breach. This major breach has taught us that compliance alone is not enough to stop an attack. While Heartland was compliant with the PCI DSS requirements, the company still experienced the biggest breach ever involving payment card data.

Clearly, compliance is not enough. As more organizations accept this fact, we must look at how we can accomplish a comprehensive security program that is a strategic function of an organization. Here’s what Stradley recommended:

Develop a long term plan or “road map” for information security within your organization and include provisions for the known compliance requirements
Work closely with your senior business executives as you create this “road map,” so that they can understand where you are going, how it will affect their part of the operation, and it will give those business leaders an opportunity to provide you with better information to build it right the first time
Share the vision of your “road map” with your entire security organization and empower them as evangelists of that vision
To the extent that your are able, plan for potential future compliance requirements in your road map
Think of these potential new requirements as you build the various security capabilities within your organization. Try to build in the ability to adapt to new or more stringent compliance requirements without major upheavals to current processes, procedures and controls in place

By following these recommended steps, your security team will become less reactionary and more proactive. This will enable your security programs to become more valuable to your enterprise and a true strategic partner to the business.

Leave us a comment and let us know your thoughts.

Thursday, July 30, 2009

The Case for Adaptable Security, Part 6: Security Services Model

By Jim Tiller

[This is the sixth part of a seven-part series on transforming security during this economic downturn based on the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 5 described 4 steps to establish services-based security. This part address the flexibility needed to balance these security services with business needs and strategic changes, and introduces an adaptable Security Services Model.

Comments on this post and the series are welcome!]

Maintaining security is important, but it also demands flexibility and accepting that not all security practices are necessary or possible. As stated previously, the all-or-nothing approach to security must be replaced with a best-impact approach to security in an environment of business needs and strategic changes.

Information security experts understand the term “compensating controls” very well. The ability to accomplish the desired level of security indirectly is commonplace. This fundamental practice needs to become the underlying force for the balancing of security services. As services are defined and implemented they will have specific criteria determining scope, depth, method, and results. By design there will be areas where there may be less security being implemented than under normal conditions. Over time, security services will allow for greater adaptability (see figure), ushering in the ability to dynamically apply compensating controls far more rapidly and address more accurately current business demands.

Adjusting Security Services Model

For some, when security is not applied to a particular level the business unit is typically asked to sign-off on risk acceptance. As stated earlier, risk appetite during difficult economic times is increased and if organizations are not mindful, security groups will be reduced to processing risk acceptance forms and not implementing much needed security.

When armed with a risk assessment and tracking model that reflects business and security risk, a security services framework and an underlying governance model to communicate action effectively to the business, inter-service adjustments can be made to provide for compensating controls.

For example, assume you have three security services, each focused on performing specific tasks for various business units. By definition, not all services are applied equally to all conditions and therefore each service needs to be balanced relative to risk and mission. Through a detailed analysis and consistent views from a risk perspective, undesirable conditions may surface.

In my next post on this topic (Part 7), I’ll conclude with the importance of a services relationship model to bring it all together.

Monday, September 15, 2008

Keys to Establishing an End-to-End Security Strategy

By Jill Knesek

With the anniversary of Sept. 11, 2001, last week, I’m reminded of how security in the 21st century has changed. Today, companies are providing more access (via telecommuting and mobile workforces) to more people (partners, contractors, outsourcing). The result? An erosion of the company’s perimeter. So, how does a company establish an end-to-end security strategy?

First, secure a seat at the boardroom.

Then, think about security in terms of process, people and technology.

Process

1. Create a risk register that is built using annual loss expectancy (ALE) and present it to senior management using a risk matrix

2. Connect security policies with HR, Legal, Marketing, Finance, Facilities and Sales and audit for compliance

3. Adapt policies to support business/cultural changes

4. Have an incident management plan that includes a crisis team

5. Develop a business continuity management plan

People

1. Develop mandatory security training program and ensure compliance

2. Refresh the content periodically

3. Routinely disseminate security messages to ingrain security into the company

Technology

1. Physical security – access control with strict reinforcement

2. Network/systems security involves routine audits of networks and systems to monitor for abnormal activity

3. People Security includes security investigations, incident reporting, fraud monitoring program, intelligence/crime monitoring and travel security

If you are interested in learning more on how to establish an end-to-end security strategy, please join me on Wednesday, Sept. 17, for the “Flexibility is Key: Building a Successful Security Strategy” virtual tradeshow.