CIOs need to ensure that their enterprise has the right balance between security risks, dollars and defences.
Decades ago, a reporter asked the notorious American bank robber Willie Sutton why he robbed banks. He replied: “Because that’s where the money is.” Now the money (and valuable information) is in computers and computer networks.
The events of September 11, 2001 have exacerbated fears of cyberterrorism, but even before those attacks, the trend in computer crime was up at all levels — from vandalism to for-profit crimes. Perceptions of inadequate security led to a worldwide demand for legislation that protects personal data. In the European Union, the Data Protection Directive gives citizens the right to specify by whom, how and under what circumstances their personal information can be used. California’s Database Security Breach Notification Act requires companies to notify affected individuals when unencrypted databases containing personal identifying information are accessed by unauthorised persons.
CIOs generally understand digital security threats, but IS organisations are often weak on risk analysis and prioritising effective preventive actions. My EXP colleague Richard Hunter (author of the insightful and controversial book World Without Secrets) recently headed a team working on the challenge of “how much information security is enough?” They concluded that people and process are the biggest issue, not technology.
Insiders are the biggest threat. Historically, insiders have been responsible for the vast majority of loss-bearing digital security breaches. Such losses can’t be eradicated, but they can be reduced.
- Know and verify a person’s background. In 1994 the American Cancer Society of Ohio hired an employee with three undisclosed felony convictions for theft and fraud. By 2001 that employee had risen through the IS department to become CFO and had stolen $US7 million.
- Train personnel to be aware of security policies and their responsibilities. Repeat the training regularly. Ensure that security policies are being properly implemented.
- Tie access rights to defined roles or positions. Set explicit and public limits, monitor and follow up with investigations when limits are exceeded.
Most enterprises will never achieve the world-class security awareness, focus and skill of specialist security organisations. Draw on such specialists to provide advice and support.
Have a formal security policy. A security policy is a set of business rules that represent the enterprise’s tolerance for risk and the security measures that enforce that stance. Policies should be based on industry standards, such as COBIT or ISO 17799, because they lay out security program criteria and the basis for comprehensive security assessment and administration. Policy provides an institutional approach to hard decisions and trade-offs. It also identifies what must be monitored, reported and flagged for further action (such as access to internal resources or particular external Web sites).
Because policy is a prerequisite to effective security, policy management is the first critical security process. To assess your processes, consider the following questions. Do you hold security architecture reviews of new applications to help ensure that vulnerabilities are not built in from the outset? Do you continuously manage user access and software configurations to prevent vulnerabilities from becoming breaches?
How close to real time are your incident responses? Some network attacks progress at a logarithmic rate, with little or no advance warning. What’s the status of your backup, recovery and business continuity planning?
Beyond these high-level processes, all aspects of security — identification, authentication, access control and non-repudiation — should be considered in the design stage for all business processes. It’s much easier to add effective security to a business process during design, than to retrofit it.
Evolve the security architecture. Enterprise security has historically been based on the fortress model: static and undifferentiated, difficult to change, location-specific and reliant on a very few mechanisms (strong walls and a locked gate). The hard, crunchy exterior protects a soft, chewy interior. Anyone outside the gate is suspect; anyone inside is trusted. Once you’re past the gate, you can do what you like.
The emerging airport security model is more flexible and situational, with multiple zones of security based on role. “Gates” to zones can employ multiple overlapping technologies for identification, authentication and access control, depending on the individual’s role and the purpose of the zone. The result is a series of fortresses within the fortress.
Point-to-point “dynamic trust” is the future model for a highly networked world. It requires point-to-point authentication and trust, from any user on the network to any other user. It uses multiple overlapping or alternative technologies and assumes that all parties to transactions must identify and authenticate themselves and prove their right to participate. Its rules-based security references individual and environmental circumstances, historical and current network and environmental status, plus additional application-level protections. This model corresponds most closely to a world heavily populated with intelligent wireless devices.
All three models are responses to specific risks and eras. The fortress worked in the mainframe era. The airport model works for most enterprises now. The point-to-point model is required for a world where high levels of commerce are conducted wirelessly, anywhere, anytime.
Keep measurements of security effectiveness. Many enterprises don’t maintain statistics on attacks, responses to attacks or the effectiveness of defences. Almost half of all Chief Security Officers (CSOs) responding to a December 2002 CSO Magazine (US) survey didn’t track all attacks or report cybercrimes to police.
Without metrics, enterprise digital security runs blind. Measures should include types of attacks (both successful and unsuccessful), perpetrators (if known), targets of attacks, effectiveness and per-incident cost of defences and losses attributed to attacks.
How should you balance risks and defences? No enterprise can ever be completely secure against all threats. The first question is: “What risks is the enterprise willing to tolerate?” That’s a business question, so it must be considered in business terms. Clear and appropriate security governance arrangements identify who is responsible for making key decisions and who carries accountability. Governance defines who has input and decision rights in particular domains. Existing IT governance arrangements can often be extended to include security.
Decide on the enterprise’s attitude toward risk. Determine whether it wants to be first to deploy new technologies in its markets, regardless of security issues. Decide how the enterprise will mitigate certain risks: Spend whatever is necessary? Change the business model to eliminate the issue? Simply tolerate the risks and accept the potential consequences?
Based on the risk strategy decisions, determine which behaviours are and are not acceptable and create a formal security policy. Also determine the security responsibilities of various parties inside and outside the enterprise. Based on the policy, choose which technologies and processes will be used to ensure enterprise security. Decide how security that’s consistent with the architecture will be implemented within each application. Centralise IT security incident and status reporting under the CSO or IT security executive. Otherwise, no one will know what attacks and responses are occurring, nor how successfully the security organisation is protecting the enterprise’s IT assets.
Balancing risks and defences is a three-phase process. First, analyse targets and threats. Be as specific as possible without bogging down. Not all targets are equal. Identify and value the assets that may be at risk — business processes, markets and databases — in terms such as loss of revenue or market share. Translate intangibles, such as loss of reputation, into economic terms by estimating the effect on sales and retention, regulatory penalties or fines.
Potential criminal profit is another way to estimate an asset’s value. For assets where a loss or compromise may injure third parties, estimate potential liabilities for negligence. Use scenarios to develop and estimate vulnerability (for major assets at least). Vulnerability = probable number of successful attacks per year (that is, total attacks x percentage of successful attacks). The result of this phase is a list of assets with a cost consequence and a vulnerability for each.
Second, calculate the annual risk for each attack scenario. It’s easier to do this if you have good data about attacks on your enterprise and your responses. Calculate the risk (potential annual loss) for each scenario as cost of occurrence x vulnerability. Prioritise based on risk level. The result of this phase is a prioritised list of your risks.
Third, identify a prioritised set of risks and how these can be addressed.
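The arithmetic of the three phases, carried through for several attack scenarios and ranked the way phase three needs it. This is an added example, not material from the article, its author or Gartner; the asset names, loss figures, attack counts and success rates are constructed for illustration, and the split of cost of occurrence into direct loss plus third-party liability follows the text's suggestion to include negligence exposure. The running share column is an addition that shows how much of the total exposure the top few scenarios carry.

```python
"""Three-phase risk calculation from the article, as a worked example.

Added illustration, not code from the article, Gartner or the author.
It applies the two formulas given in the text:

    vulnerability = total attacks per year x percentage of successful attacks
    annual risk   = cost of occurrence x vulnerability

All asset names and figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Scenario:
    """One attack scenario against one asset (phase one of the method)."""
    asset: str
    direct_loss: float             # revenue, market share, reputation, fines (currency units)
    third_party_liability: float   # estimated negligence exposure where others are harmed
    attacks_per_year: float        # total attempts observed or estimated
    success_rate: float            # fraction of attempts that succeed, 0.0 to 1.0

    def cost_of_occurrence(self) -> float:
        """Economic consequence of a single successful attack."""
        return self.direct_loss + self.third_party_liability

    def vulnerability(self) -> float:
        """Probable number of successful attacks per year (article's formula)."""
        if not 0.0 <= self.success_rate <= 1.0:
            raise ValueError(f"{self.asset}: success_rate must be a fraction in [0, 1]")
        if self.attacks_per_year < 0:
            raise ValueError(f"{self.asset}: attacks_per_year cannot be negative")
        return self.attacks_per_year * self.success_rate

    def annual_risk(self) -> float:
        """Potential annual loss for this scenario (phase two of the method)."""
        return self.cost_of_occurrence() * self.vulnerability()


def prioritise(scenarios: List[Scenario]) -> List[Scenario]:
    """Phase two's output: scenarios ordered from highest to lowest annual risk."""
    return sorted(scenarios, key=lambda s: s.annual_risk(), reverse=True)


def risk_register(scenarios: List[Scenario]) -> List[dict]:
    """Phase three's input: prioritised rows with a running share of total risk,
    so it is visible how much of the exposure the top few items account for."""
    ranked = prioritise(scenarios)
    total = sum(s.annual_risk() for s in ranked)
    rows, running = [], 0.0
    for s in ranked:
        running += s.annual_risk()
        rows.append({
            "asset": s.asset,
            "vulnerability": round(s.vulnerability(), 3),
            "annual_risk": round(s.annual_risk(), 2),
            "cumulative_share": round(running / total, 3) if total else 0.0,
        })
    return rows


# Constructed sample data; the numbers are illustrative, not from any survey.
SAMPLE_SCENARIOS = [
    Scenario("payroll system (insider fraud)", 1_800_000, 200_000, 2, 0.30),
    Scenario("customer database (external intrusion)", 300_000, 200_000, 200, 0.01),
    Scenario("public web site (defacement)", 20_000, 0, 1_000, 0.02),
    Scenario("mail server (used as spam relay)", 5_000, 0, 5_000, 0.005),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS):
        print(f"{row['asset']:<42} vulnerability={row['vulnerability']:>7} "
              f"annual_risk={row['annual_risk']:>12,.2f} "
              f"cumulative={row['cumulative_share']:.1%}")
```

Note how the ranking differs from a ranking by either factor alone: the mail server is attacked far more often than anything else but carries the smallest annual risk, while the rarely attempted insider scenario ranks first because of its cost of occurrence. That is the point of the second phase; frequency of attack and value of the target have to be multiplied, not compared separately.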
Track industry spending norms. Industry norms for security spending and staffing provide an initial sanity check on total defence costs. Gartner research forecasts that industry-wide spending on security will grow to 5.4 per cent of IT budgets in 2003 (from 4.3 per cent in 2002 and 3.3 per cent in 2001).
In the next few years, many CEOs and CIOs will ask: “Our spending on security is increasing over 20 per cent per year. Are we better off?” Enterprises that increase their security spending, but don’t address changing threats and needed metrics, will come under pressure by 2004 to restrain or reduce their security spending.
Continuously monitor security arrangements. By the end of 2004, Gartner believes that 75 per cent of enterprises will be required to provide security status information to multiple government agencies. Enterprises with immature security programs will spend up to 15 per cent of their security budget to comply.
Even without regulatory requirements, Gartner estimates that the cost to mitigate the damage from a successful attack is at least 50 per cent higher than the cost to prevent it. Enterprises that focus on real risks and pay attention to their program’s risk-reduction effectiveness will receive the best return on their security investments. It’s best and cheapest in the long run to develop a capable program before being forced to act by legislation.
Dr Marianne Broadbent is group vice president and Gartner Fellow, and global head of research for Gartner’s CIO Executive Programs