Hurricane Sandy Shows A Dramatic Improvement From Botched Katrina Response

Stephanie Balaouras

My house sits atop a hill overlooking the Atlantic Ocean (hence, the neighborhood name of “Beachmont”) and was built sometime in 1890. It’s one of the tallest houses in the neighborhood and as I write this post, my house is swaying back and forth from 50 mile an hour winds (I’ve been told it’s meant to sway which is somewhat comforting but not entirely) and from my porch, I can see waves crashing over the sea wall and slamming into my neighbor’s homes below me. Needless to say, I have a vested interest in the emergency response to Hurricane Sandy.

There will be time for more detailed analysis later but here are just some initial observations and thoughts:

  • FEMA has come a long way since the incompetent response to Hurricane Katrina.
  • The response at the federal, state and local level has been much more proactive than I’ve ever seen it in the past. Many New England and Northeast states began communicating to cities and towns about the seriousness of the storm almost a week in advance, many declared emergencies as early as Saturday, and many insisted on mandatory evacuations for the riskiest areas.
    • The overall approach is better safe than sorry, even if worst fears about the storm don’t materialize.
Read more

A Chat With Trend Micro: Consumer Security Apps And Services Extend Beyond Security And Privacy

Heidi Shey

I recently attended Trend Micro’s Insight 2012 event for an update on corporate and product strategy from Trend executives, hear from partners and enterprise customers about their experiences working with Trend Micro, and sit down to 1:1's with business unit leaders. I met with Carol Carpenter, EVP of Consumer, who shared a bit about what Trend is doing for consumers and provided demos of their latest Android mobile apps out on the market and in development. Of the ones available now, they are the usual suspects – mobile security, backup and restore, and a password manager. And then, there’s a battery optimizer app. Random? No, not really.

Consumer security has come a long way from simply antivirus software for PCs. Mobile security is undoubtedly on everyone’s minds at this point (oh no! device loss, malware, my apps are spying on me!), but that’s only one factor (albeit a big one) contributing to the evolution of this consumer security market. We’re looking at protecting devices, data, identities, interactions, privacy, the consumer – in short, the online experience. That’s where the umbrella of consumer security expands, and I see apps like Trend’s battery optimizer fitting in. It’s not a “security” solution in the traditional sense, and more of a productivity tool. Consumers gain visibility into what the device and apps are doing (to the battery), and using that information to then make an informed decision (e.g., stop running that app, turn off Wi-Fi, etc) to preserve battery because it’s running too low for comfort.

Read more

OK, Tell Me I'm Wrong!

Edward Ferrara

Everyone knows that in business you need to do two things: Increase top-line revenue growth and reduce bottom line cost. Doing both of these is how companies grow profitably. It really is that simple. Now why is it that Information Security Officers have trouble thinking this way? Read my new paper titled Determine The Business Value Of An Effective Security Program — Information Security Economics 101 - developed for the The S&R Practice Playbook.

In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy and even though we may be a bank, manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways information is what we sell.

Think about it; if we associate information security with asset value defined by the revenue these assets produce, we would understand how to prioritize security effort and we would have a lot more productive conversations at budget time.

Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.

Information Value and Risk Assessment

Edward Ferrara

 

I just wrote a paper on the value of information security. Please see the paper here. It is something I have thought about for a long time. Information security as a technical discipline but someone has to pay for all this fun we are having. My assumption is that as Willie Sutton is quoted as saying "Go where the money is...and go there often.” Today where organized crime and nation states are going is to information. It is amazingly easy to monetize certain kinds of information. There is a buyer for everything that hackers can steal. The impact to business has been debated for some time and we go to great lengths to perform risk assessments. What we don't do such a good job of is monetizing that risk. 

Consider this. If we can monetize the information asset, we should be able to monetize the risk to that asset. The key to monetizing risk is knowing the value of the asset at risk. Different systems for risk assessment have been in place for some time. They all seem to revolve around professional judgment. My argument is that using a combination of threat modeling (war planning) plus simple asset monetization will allow us to monetize risk. The results will not be perfect, but they should be directionally correct.  As Doug Hubbard says it is better to be directionally correct than specifically wrong[1].



Read more

Information Security Metrics Insanity, The 3Rs And Dashboards!

Edward Ferrara

 

I just finished a research document titled Measure The Effectiveness Of Your Data Security And Privacy Program for the The Security Architecture And Operations Playbook. This was a lot of fun to write, because I was able to look back at the 50-plus interviews conducted over the last year, all of them focused on the security metrics issue. This seems like such a hard question to answer. My conclusion is that many security organizations are measuring the wrong things.

There are several reasons for this.  Here are a few of my observations:

  1. We always measure this.
  2. It’s too hard to get any other data.
  3. Our budgets are fixed so we just do the best we can.
  4. Etc…
Read more

Launching The 6th Annual Forrester & Disaster Recovery Journal Survey

Stephanie Balaouras

 

Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business and technology resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery or crisis management and enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to convince skeptical executives that change is necessary. For better or for worse, it is a fundamental part of human nature to want to go with the herd. For those who are interested, there is a great Freaknomics podcast on the subject called “Riding the Herd Mentality: A New Freakonomics Radio Podcast.”

Read more

The Biggest Risk To BC Preparedness – Third-Party Risk

Stephanie Balaouras

At the recent Disaster Recovery Journal Fall World conference, I gave a presentation of the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me and I made it a point to emphasize with the audience, is the state of partner BC readiness.

According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.

Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.

Read more

What Are S&R Pros Doing About Data Security And Privacy?

Heidi Shey

Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.

So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a check list, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion for S&R pros within their organizations to take a closer look at their own data security and privacy strategy.

Key findings include:

Read more

Incident Response Isn’t About Point Solutions; It’s About An Ecosystem

Rick Holland

Today EMC announced the acquisition of Silicium Security.  Silicium’s ECAT product is a malware threat detection and response solution.  ECAT did not adopt the failed signature based approach to malware detection and instead leveraged whitelisting and anomaly detection.  Incident response teams can leverage ECAT to quickly identify and remediate compromised hosts.  ECAT joins NetWitness and enVision.  

Read more

When It Comes To Data Security, You Don’t Need A Silver Bullet, You Need A Framework

Stephanie Balaouras

There is truth to the meme, “data is the new oil.” Data is the lifeblood of today's digital businesses, and for economic and even political gain, highly skilled cybercriminals are determined to steal it. Meanwhile, customers around the globe have become highly sensitive to how organizations track, use, and store their personal data, and it's very difficult for security pros to stay one step ahead of changing privacy laws and demands. Plus, as data volumes explode, it's becoming a herculean task to protect sensitive data and prevent privacy infringements (today we talk in petabytes, not terabytes).

Every day, vendors introduce a new product that claims to be the silver bullet to data security challenges. Consider that DLP remains one of the most popular search terms by security pros on Forrester.com. In the case of data security, there is no silver bullet. There is no way to solve the problem without a process framework that outlines how you go about discovering, classifying, analyzing, and then ultimately defending data. Forrester has created a framework to help security pros protect data – we call it the Data Security And Control Framework. If you take a framework approach, you will:

Read more