Are You Down With CIP (Critical Infrastructure Protection)?

Rick Holland

I am kicking off a new research series on critical infrastructure protection. This first report is titled: “Brief: S&R Pros Can No Longer Ignore Threats To Critical Infrastructure.”

Critical infrastructure is frequently on my mind, especially the ICS/SCADA within the energy sector. I live in Texas; oil and natural gas are big here, y'all. I'm just a short distance away from multiple natural gas drilling sites. I cannot help but think about the risks during the extraction and transport of this natural gas. North Texas has seen an attempt to bomb the natural gas infrastructure. In 2012, Anson Chi attempted to destroy an Atmos Energy pipeline in Plano, Texas. As a security and risk professional, I wonder about the potential cyber impacts an adversary with Chi's motivations could have.

Read more

Enterprises In AP Must Build On Three Pillars To Manage BYOT Information Security

Katyayan Gupta

Information workers in organizations across Asia Pacific (AP) are increasingly using personal mobile devices, applications, and public cloud services for work. Forrester defines this as the bring-your-own-technology (BYOT) trend. This behavior is more prevalent among employees above the director level (C-level executives, presidents, and vice presidents) than those below that level (individual workers, contractors or consultants, and managers/supervisors). Data from Forrester’s Forrsight Workforce survey, Q4 2012, corroborates this trend in AP.

We believe that the BYOT trend will strengthen over the next two years in AP, primarily fueled by employees below the director level. Increasing options, quality, and affordability of devices and apps, together with wider wireless connectivity, coverage, and capacity, will contribute to this expansion. In order to secure corporate data, organizations will need to:

  • Develop Corporate Mobile Policies: Organizations must build cross-functional teams to plan their mobile strategies. This should include representatives from different LOBs like finance, HR, legal and sourcing. Moreover, the policy must clearly define guardrails to provide flexibility to employees but within boundaries and in compliance with local regulations.
  • Identify Technologies To Secure Corporate Data: 29% of business decision-makers in AP report that the rising expectations of younger workers require businesses to push enterprise IT to keep technology current. This is why it is critical to identify both back-end and front-end technologies and suppliers that can optimize mobile device and application management in a secure manner. Focus should be on network-layer security and mobile device management solutions.

Read more

Expense In Depth And The Trouble With The Tribbles

Rick Holland

You remember the tribbles, don't you? The cute, harmless-looking alien species from the second season of the original Star Trek that turn out to be anything but benign. They are born pregnant and reproduce at an alarming rate. The tribbles threaten the ship, but fortunately Chief Engineer Montgomery Scott is able to transport all of the furry creatures to a departing Klingon ship. The tribbles remind me of technology investments:

  • You start out small, but before you realize it the technology is everywhere and you are overwhelmed. It ends up in places you never intended.
  • Like the relaxing purr of the tribbles, the flashing lights of racks and stacks of gear give us warm comfort at night.
  • Tribbles consume everything, just like the operational requirements of much of our technology investment: resources, budget, and productivity are all devoured.

Read more

OK, Tell Me I'm Wrong!

Edward Ferrara

Everyone knows that in business you need to do two things: increase top-line revenue growth and reduce bottom-line cost. Doing both of these is how companies grow profitably. It really is that simple. Now why is it that Information Security Officers have trouble thinking this way? Read my new paper titled Determine The Business Value Of An Effective Security Program — Information Security Economics 101, developed for the S&R Practice Playbook.

In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy and even though we may be a bank, manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways information is what we sell.

Think about it; if we associate information security with asset value defined by the revenue these assets produce, we would understand how to prioritize security effort and we would have a lot more productive conversations at budget time.

Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.

Information Value and Risk Assessment

Edward Ferrara


I just wrote a paper on the value of information security. Please see the paper here. It is something I have thought about for a long time. Information security is a technical discipline, but someone has to pay for all this fun we are having. My assumption is that, as Willie Sutton is quoted as saying, “Go where the money is...and go there often.” Today, where organized crime and nation states are going is to information. It is amazingly easy to monetize certain kinds of information. There is a buyer for everything that hackers can steal. The impact to business has been debated for some time, and we go to great lengths to perform risk assessments. What we don't do such a good job of is monetizing that risk.

Consider this. If we can monetize the information asset, we should be able to monetize the risk to that asset. The key to monetizing risk is knowing the value of the asset at risk. Different systems for risk assessment have been in place for some time. They all seem to revolve around professional judgment. My argument is that using a combination of threat modeling (war planning) plus simple asset monetization will allow us to monetize risk. The results will not be perfect, but they should be directionally correct. As Doug Hubbard says, it is better to be directionally correct than specifically wrong [1].

Read more

Nine Managed Security Services Providers (MSSPs) Compete In The North American Market

Edward Ferrara

After months of diligent vendor evaluations, last week we officially published The Forrester Wave: Managed Security Services: North America, Q1 2012. This report features our detailed analysis on nine of the top managed security services providers (MSSPs) offering a robust set of security services to their North American clients.

Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we’ve seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.

This isn’t to say MSSPs all currently offer the same services with the same level of quality – not by a long shot. Selecting the right provider still means that you must understand your needs and the areas where you feel they can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but each has unique strengths in certain security areas and uses different deployment methods to bring its offerings to bear.

At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we’ll see significant changes over the next couple of years for three primary reasons:

Read more

InfoSec: Enterprise Architecture Building Codes

Edward Ferrara

There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain, intellectual property, or both. Any of these have the potential to break these capabilities through information loss or denial of service. Business processes and their associated transactions need to treat information security as a key component of any architectural design we might create as Enterprise Architects.

Security architecture is dependent on the idea of “security.” Security, by some definitions, is the trade-off of convenience for protection. When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively, I could just leave the front door unlocked, but that might invite guests I had not planned for. So I trade convenience for protection.

  • Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
  • Security is in response to perceived business risks.
  • Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.

Read more