At the recent Disaster Recovery Journal Fall World conference, I gave a presentation on the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me, and that I made a point of emphasizing with the audience, is the state of partner BC readiness.
According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.
Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.
For many years, security professionals have lived by the three pillars of risk management – AVOID, TREAT, ACCEPT. These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it’s clear that the landscape is changing. More than ever before, security is clearly a ‘no-win’ game.
The high profile attackers, state-sponsored or otherwise, are one threat – but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policy makers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and system admin – and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the US, but they didn’t hack them – disaffected system administrators and employees simply opened the doors for them, or sent them the access codes.
As the broadening gap between our ambitions for a secure enterprise and our ability to deliver on such a vision becomes self-evident, the time has come to pay equal attention to the poor cousin of risk management, “TRANSFER.” For many CISOs, risk transference is a topic that is largely theoretical as, even when a task is outsourced, the risk associated with a breach commonly remains with the data-owning organisation. Cyber insurance offers a different solution.
Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section talked about how the brain perceived risk issues – obviously an interesting topic for security folk!
A test subject was placed into a brain scanner and asked to estimate the likelihood of 80 different negative events occurring to him in the future – from developing cancer, to his house being burgled, to breaking a leg etc. Once he had stated his opinion, the real likelihood was then displayed to him.
At the end of the 80 events, the process resets and the subject is presented with the same events and asked to, once again, state his perceived likelihood, although this time with some knowledge of the actual answers.
The results are surprising.
Where his initial response had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remained largely unchanged by the facts! It was apparent that the brain proactively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.
The scientists argued that the brain did this for two main reasons:
1 – To minimise stress and anxiety, for the resultant health benefits; and
2 – Because an optimistic outlook helps drive success, support ambition and keep humanity striving for a better future.
According to our survey data dating back to 2008, despite year after year of high profile security breaches from Heartland Payment Systems to Wikileaks to Sony, security budgets have only increased by single digits. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws and the changing business and IT environment.
The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors and an ever-expanding ecosystem of customers, partners, clouds, service providers and supply chains, you have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the “extended enterprise.” An extended enterprise is one in which a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we have dedicated our upcoming Security Forum to it, as well as a significant stream of research.
NVIDIA recently shared a case study involving risk calculations at JP Morgan Chase that I think is significant for the extreme levels of acceleration gained by integrating GPUs with conventional CPUs, and also as an illustration of a mainstream financial application of GPU technology.
JP Morgan Chase’s Equity Derivatives Group began evaluating GPUs as computational accelerators in 2009, and now runs over half of their risk calculations on hybrid systems containing x86 CPUs and NVIDIA Tesla GPUs, and claims a 40x improvement in calculation times combined with a 75% cost savings. The cost savings appear to be derived from a combination of lower capital costs to deliver an equivalent throughput of calculations along with improved energy efficiency per calculation.
Implicit in the speedup of 40x, from multiple hours to several minutes, is that these calculations can become part of a near real-time business-critical analysis process instead of an overnight or daily batch process. Given the intensely competitive nature of derivatives trading, it is highly likely that JPMC will expand their use of GPUs as traders demand an ever-increasing number of these calculations. And of course, their competition has been using the same technology as well, based on numerous conversations I have had with Wall Street infrastructure architects over the past year.
My net take on this is that we will see a succession of similar announcements as GPUs become a fully mainstream acceleration technology as opposed to an experimental fringe. If you are an I&O professional whose users are demanding extreme computational performance on a constrained space, power and capital budget, you owe it to yourself and your company to evaluate the newest accelerator technology. Your competitors are almost certainly doing so.