Peter Kujawa CEO of Locknet, Steve Tallent from Fortinet, and I were speaking at the recent MSPWorld Conference in San Jose, California about the cloud revolution. Steve was interested in the conversation because Fortinet is now offering virtualized versions of their Fortigate UTM solution. Peter was interested because his business is built on taking the pain away that platform management entails. Obviously security intersects both of these worlds.
We discussed the changes cloud computing was making to the MSP/MSSP markets and the differences between the SMB and enterprise businesses and what motivates them to consider the cloud IaaS, SaaS, and PaaS model.
Peter talked about one of his clients – a smaller client – that managed their business from a small server stashed in the closet of their offices. Peter’s company offered to replace the box with a cloud-based system that took over patching, updates, and maintenance for the system for a simple monthly fee. The client would access their applications via the Internet. The risk to this business was huge for so many reasons. The customer leapt at the chance to get rid of the box.
In another case, I was speaking with a large client and we talked about the motivation for the cloud. Inasmuch as maintenance and support are an issue, the larger issues for large companies are the IT assets on the balance sheet. This company liked cloud because of their need to “clean up” the balance sheet. There were too many IT assets loading down the balance sheet – distorting the company's return on assets.
I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.
Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for the CSO in companies today. Mr. Plant in his blog writes:
“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”
While Mr. Plant is speaking of large corporations, the reality is the CEOs of smaller firms should have the same concerns as large companies when it comes to information security. It may not seem like it, but we are at war — an economic war — and the prize is the intellectual property held by companies large and small. The number of cyber attacks is on the rise and the level of effort being applied by both nation states and cyber criminals is huge. All of us in the security field have heard this before. However, there has been a real challenge in the industry to get information security the role it deserves as a critical component of enterprise risk.
This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants that specialize in information security, Deloitte is the largest and broadest of any security consultancy globally. Deloitte provides customized security solutions across a broad number of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy and pharmaceuticals. The company's offerings include[i]:
Forrester research has always identified security as a major impediment to broad scale implementation for cloud, regardless of the model, SaaS, PaaS, IaaS, the adoption rate has been slowed by security concerns. Cloud providers recognize this is an impediment to selling cloud services and in response are strengthening their security controls. In Forrester’s Forrsights® research program we interview over 2000 security decision makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.
The appetite on the buy-side is very real for secure IT cloud infrastructures. Our research shows a lot of very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost and cycle times required to deploy solutions in these environments.
This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements.
Obtaining FISMA Moderate certification indicates AWS’ focus on providing strong security controls for its cloud offerings. Forrester assumes AWS commercial clients could benefit from this as well by AWS security processes propagating to other areas of AWS’ cloud business.
In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy and even though we may be a bank, manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways information is what we sell.
Think about it; if we associate information security with asset value defined by the revenue these assets produce, we would understand how to prioritize security effort and we would have a lot more productive conversations at budget time.
Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.
I just wrote a paper on the value of information security. Please see the paper here. It is something I have thought about for a long time. Information security as a technical discipline but someone has to pay for all this fun we are having. My assumption is that as Willie Sutton is quoted as saying "Go where the money is...and go there often.” Today where organized crime and nation states are going is to information. It is amazingly easy to monetize certain kinds of information. There is a buyer for everything that hackers can steal. The impact to business has been debated for some time and we go to great lengths to perform risk assessments. What we don't do such a good job of is monetizing that risk.
Consider this. If we can monetize the information asset, we should be able to monetize the risk to that asset. The key to monetizing risk is knowing the value of the asset at risk. Different systems for risk assessment have been in place for some time. They all seem to revolve around professional judgment. My argument is that using a combination of threat modeling (war planning) plus simple asset monetization will allow us to monetize risk. The results will not be perfect, but they should be directionally correct. As Doug Hubbard says it is better to be directionally correct than specifically wrong.
I just finished a research document titled Measure The Effectiveness Of Your Data Security And Privacy Program for the The Security Architecture And Operations Playbook. This was a lot of fun to write, because I was able to look back at the 50-plus interviews conducted over the last year, all of them focused on the security metrics issue. This seems like such a hard question to answer. My conclusion is that many security organizations are measuring the wrong things.
There are several reasons for this. Here are a few of my observations:
We always measure this.
It’s too hard to get any other data.
Our budgets are fixed so we just do the best we can.
I reported that the managed security services market is growing in our recent Forrester Wave™ covering North American managed security service providers. Trustwave just issued a press release that announced 148% sales growth. This is a significant number in anyone’s book. It does point to the increased growth we are seeing as more and more firms consider and adopt managed services to handle some or all of their security requirements.
Last month, Ed and I spent a couple days in Paris with Orange's management team for their annual analyst event. Overall I was impressed with Orange’s innovation in business service offerings as well as their extensive global reach. Many of the large telecoms (Verizon, AT&T, Sprint, etc.) have had to and very much want to expand their business offerings. The telecoms clearly see platform-as-a-service as the natural extension of their core telecom business. Just selling bandwidth is no longer sufficient for these companies, which is in fact now a commodity business. Orange is no exception. This evolution in the telecom business model has been successful due to the industry’s ability to:
Offer endpoint and network security optimization solutions coherent with their existing bandwidth business. With their unique vantage point over the network, the telecoms are ideally placed to deliver “clean pipe” Internet service by stopping outside network threats before they reach their customers’ endpoints. For instance, Orange’s DDoS protection service can leverage their large global footprint and control over the infrastructure to gather intelligence and exercise defensive measures farther up the stack than most of their non-telecom competitors.
Steve Jobs by Walter Isaacson is a very readable and honest portrayal of one of the most influential personalities in the computer industry from 1980 to the present. Often caustic, abrupt, and driven, Steve Jobs was a man of extreme brilliance who could intuitively understand what makes a great product. His marketing and design shrewdness were without peer. Jobs had his share of failures and more than his share of successes. Apple II, Macintosh, iMac, iPod, iPhone, and all iPad reflect Jobs' ability to orchestrate human capital to create truly innovative products.
A subtext of the book, and not directly called out, however, is Jobs' awareness of the value of intellectual property and the need to secure this. Jobs shows concern for the security of Apple’s intellectual property and goes to great lengths to ensure that security. For example, he imposed strong controls on the design area where the Apple design team works:
“The design studio where Jony Ive reigns, on the ground floor of Two Infinite Loop on the Apple campus, is shielded by tinted windows and a heavy clad, locked door. Just inside is a glass-booth reception desk where two assistants guard access. Even high-level Apple employees are not allowed in without special permission.”
--Isaacson, Walter, Steve Jobs, p. 345, Simon & Schuster, Inc. Kindle Edition.
However, the contribution Jobs makes to information security is an indirect one. This contribution is the recognition that the true value of Apple’s products is in the design. It is not in the physical assets themselves. The idea and its associated intellectual property is the true tangible asset.