A few days ago, my colleague Chris McClean asked the excellent question, "Is Risk Management Compatible with ERM?" I saw the headline come across my RSS reader and thought, "Cool! I'd love to read what Chris thinks about enterprise rights management," a technology I cover as part of my data security coverage. (The ERM he meant, of course, is enterprise risk management.) I'd advise you to read his post; it is well worth the time.
This morning, US President Barack Obama unveiled the outlines of a change in direction for US cyber-security policy. The first announcement relates to the creation of a new military command that will centralize and expand on existing cyber-war-fighting capabilities. This is overdue, and should bring more coherence to efforts that were already spread out between several different military branches (notably the Army, Navy and Air Force) and the intelligence services. The NSA, for example, has long had a “red-team” offensive capability in addition to its defensive corps. As I understand it, the new military cyber-command will reside in the Department of Defense. Less clear is whether the new organization will be purely a military operation, or whether it will also take over parts of the intelligence services’ capabilities.
The second part of today's announcements, the Cyberspace Policy Review, seeks to reform the way the US Government secures itself, its agencies and critical infrastructure like the stock exchanges. As reported in a story in the New York Times, the reforms will create a new office residing in the White House that will report to both the National Economic Council and the National Security Council. The remainder of this blog post analyzes what the plan, which was unveiled at 11 today, recommends.
As most Forrester customers know, data security has rocketed to the top of the list of CISO priorities for 2009, even considering the down economy. Our Business Data Services group has published some excellent quantitative research on this subject, which we've summarized in report form for Forrester customers. I refer you to Jonathan Penn's excellent The State of Enterprise Security 2008 to 2009 for more details. But for those of you who want the sound bite, 90% of CISOs said that data security was either "important" or "very important" on their priority lists for this year. That trumped disaster recovery, identity and access management, and regulatory compliance.
In the next few weeks, Forrester Research will release my report, Forrester TechRadar: Database and Server Data Security, Q1 2009. In this report, we describe how the risks of theft, corruption and abuse have made securing data stored on servers and in databases much harder. To help security and risk professionals plan their next decade of investments in server data security, the report describes the current and future state of eight important technologies: centralized key management, data classifiers for security, data discovery scanners, data obscurity tools, database activity monitoring, database encryption, outbound web application filtering, and tape and backup encryption.
As part of the process of researching some of the business drivers for this report, I analyzed data from DataLossDB, a public database containing information on data loss events reported in the press and to governmental organizations as required by various disclosure laws. The data makes for fascinating study, and I urge our readers to take a look at it if they want to see what's been going on in the whole area of data breaches. Best of all, I know some of the principals involved in the project, and they are doing a terrific job.
Some of the analysis nuggets we mined from the database are fascinating. I thought I'd share one here, as excerpted from the report:
As just about anybody reading the security trades knows, last week Heartland Payment Systems reported that it had suffered a serious security breach. As I understand it from public reports, a malicious party planted a piece of designer malware on a key server, and was then able to "sniff" credit card numbers as they passed through. Estimates vary widely about the extent of the breach. Certainly, SB 1386 and other disclosure laws will ensure that something resembling the truth emerges sooner or later.
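A concrete illustration, added here and not taken from the TechRadar report or from anything Heartland has disclosed: two of the technologies in the report's list, data discovery scanners and outbound web application filtering, and the first check a responder runs over a suspected sniffer's drop file, all reduce to the same primitive, a card-number detector that pairs a digit-pattern match with the Luhn check so that order numbers and phone numbers are not reported as leaked cards. The capture text below is constructed for the example, and the two card numbers in it are published test values, not real accounts; the surrounding field names are assumptions.

```python
import re

# Constructed sample: the kind of text a responder might pull from a packet
# capture or from the file a sniffer writes on a compromised server.
# Assumption: field names are made up; the 16-digit card values are public
# test numbers, the other digit runs are decoys (order id, phone, short Luhn).
SAMPLE_CAPTURE = """\
POST /auth HTTP/1.1 track2=4111111111111111=2512101
order_id=12345678901234 cardnum=5500 0000 0000 0004 exp=0126
support phone 1-800-555-0199 ref 79927398713
plain text: 4111 1111 1111 1112
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers.

    Walking from the right, every second digit is doubled and digit-summed
    (i.e. 9 subtracted when the double exceeds 9); the total must be a
    multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, separators removed.

    Pattern-only matching would also flag the 14-digit order id and the
    Luhn-invalid 4111...1112; the length bound drops the 11-digit decoys.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four only: the most an alert or log should carry,
    so the detector does not itself become a second place the PANs live."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_CAPTURE):
        print("PAN observed:", mask_pan(pan))
```

Run as a script, the detector reports the two genuine test cards and nothing else. The same two functions, with the regular expression swapped for a streaming scan, are what an egress filter runs on every outbound response body; the masking step is the detail practitioners most often forget, since an alert that quotes the full PAN simply moves the leak into the SIEM.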
Clearly, this particular incident is a serious one. Various observers have used this incident to take issue with Heartland, the PCI DSS, their auditors and more generally the process for certifying QSAs. That is all well and good, but the non-stop parade of toxic data spills makes me wonder whether we, as an industry, aren't missing a few fairly obvious points.