“To succeed, Security & Risk leaders need to be part of the business strategy.” If I had a nickel for every time I’ve heard someone give some variation on that piece of advice, I’d be rich. As you all know, that’s an easy thing to say but a difficult thing to do. And that’s particularly true now, because our business leaders today are prioritizing growth – they’re entering new markets and releasing new products and services to grow revenue. Your business will unleash the creativity of its entire extended enterprise ecosystem – employees, partners, suppliers, and current customers – to find new ways to win and serve new customers. And your extended enterprise will connect via mobile and social applications and use cloud services.
It’s interesting how many threads there are on the Internet that still debate the difference between these two words: “responsible” and “accountable.” Oddly enough, today I stumbled across two definitions, from seemingly respectable sources, that hold diametrically opposite views! To me, the answer is simple – you can delegate responsibility, but accountability remains fixed.
This is a key point in the extended enterprises in which we now function. Firms are now made up of a myriad of offshore and outsourced services, running on systems that are similarly fragmented and distributed across vendors. This complex tangle of people and data represents a huge challenge to the CISO, who remains accountable for the security, and often the compliance, of his employer yet is no longer responsible for their provision.
With a methodical and comprehensive process and a surfeit of resource (please stop laughing at the back!), the CISO does, however, have the ability to follow the data trails and manage risk down in this regard. Unfortunately, with the advent of cloud, things are taking a turn for the worse. Cloud vendors are reluctant to be scrutinized, and the security and compliance demands of the CISO can often go unanswered. If cloud really is to be a mainstay of computing in the future, something has to give – we need to find a balance where compliance and security assurance requirements are met without fatally undermining the cloud model. This is a key topic for 2012 and something we’ll be following with interest.
As security professionals, we remain accountable for resolving these issues, no matter how much responsibility has been pushed to third parties and cloud vendors. So, how do you minimize the workload involved in managing the third parties that make up your extended enterprise, and how do you gain assurance around cloud vendors?
Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced among decisions to enter partnership agreements based on service, performance, and cost considerations... with risk management only brought in later to identify and mitigate potential points of exposure.
At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3, 2011 suvey of 575 Sourcing and Vendor Management professionals, top concerns related at "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess risk of a third party, and inability to manage how providers are handling data. ( Source: Forrsights Services Survey, Q3 2011)
In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach - for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted - report better oversight of vendor risk and better involvement in the decision making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represents unacceptable risk.
According to our survey data dating back to 2008, despite year after year of high profile security breaches from Heartland Payment Systems to Wikileaks to Sony, security budgets have only increased by single digits. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws and the changing business and IT environment.
The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors and an ever expanding ecosystem of customers, partners, clouds, service providers and supply chains, you increasingly have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the “extended enterprise.” An extended enterprise is one for which, a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we dedicated our upcoming Security Forum to it as well as a significant stream of research.
Today IBM announced plans to acquire the Fitch Group’s Algorithmics, a heavy-hitter in financial risk management software and services market, for $387 million.
Here are my initial thoughts about today’s announcement:
IBM is making a (relatively safe) bet that operational and financial risk functions will continue to comes together. Regulatory pressures from Basel III, Dodd-Frank, and Solvency II, as well as the competitive realities of the global market, are pushing for banks and insurance companies to have more comprehensive oversight of exposure across all domains of risk. In fact, analytics should be a top priority of any compliance program. It will be some time before IBM (or any other vendor) can deliver a single platform to manage operational, credit, market, liquidity, etc. in one place; however, the addition of Algo’s subject matter expertise and even basic integration of data for a single source of reporting offers customers attractive benefits.
IBM still faces heavy competition in financial services for both operational risk with its OpenPages product and financial risk with its new Algo offerings... however. there are very few significant competitors that have strength in both. IBM’s announcement today was a strong move against these other few, most notably Oracle and SAS.
The cyberinsurance market today represents only a tiny segment of the overall insurance industry, and a recent Forrester paper on the topic identified that only a very small percentage of organizations that have purchased business insurance have also purchased cyberinsurance. Many insurance companies, however, are now estimating a period of significant growth in this area, and recent conversations suggest that more companies are either interested in this coverage or have recently purchased such policies.
I'm interested to know where your organization sits on this topic. If you have a minute, please respond to our short poll on the topic.
You can find the poll in the right column of this page, below the “About the Analyst” or “About this Blog” section.
“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)
What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.
The importance of data security throughout the supply chain is something we have all considered, but Greg Schaffer, acting deputy undersecretary of the Homeland Security Department of the National Protection and Programs directorate at the Department of Homeland Security, recently acknowledged finding instances where vulnerabilities and backdoors have been deliberately placed into hardware and software. This is not a risk that hasn’t been previously pondered as, in 1995, we watched Sandra Bullock star in ‘The Net," and address this very issue. However the startling realism of Mr. Schaffer’s admission means that it can no longer be categorized as a "hollywood hacking" or a future risk.
The potential impact of such backdoors here is terrifying and it is easy to imagine crucial response systems being remotely disabled at critical points in the name of financial or political advantage.
If we are dedicated to the security of our data, we must consider how to transform our due diligence process for any new product or service. How much trust can we put in any technology solution where many of the components originate from lowest cost providers situated in territories recognized to have an interest in overseas corporate secrets? We stand a chance of finding a keylogger when it’s inserted as malware, but if it’s built into the chipset on your laptop, that’s an entirely different challenge… Do we, as a security community, react to this and change our behavior now? Or do we wait until the risk becomes more apparent and widely documented? Even then, how do we counter this threat without blowing our whole annual budget on penetration testing for every tiny component and sub-routine? Where is the pragmatic line here?
Many IT security pros are moving toward disruptive new authentication and authorization practices to integrate securely with cloud apps at scale. If you’re considering such a move yourself, check out my new report, The “Venn” of Federated Identity. It describes the potential cost, risk, efficiency, and agility benefits when users can travel around to different apps, reusing the same identity for login.
Aggregate sources of identities are large enough now to attract significant relying-party application “customers” – but the common currency for identity data exchange varies depending on whether the source is an enterprise representing its (current or even former) workforce, a large Web player representing millions of users, or other types of identity providers. These days, the SAML, OAuth, and OpenID technologies are the hard currencies you’ll need to use when you participate in these identity markets. You can use this report to start matching what’s out there to your business scenarios, so you can get going with confidence.
Many IT end-user companies deployed hard tokens at a time when intermediate-risk choices were thinner on the ground, and some of these companies would have benefited from a more granular approach anyway. In general, we are seeing companies moving towards risk-based authentication augmented by mobile soft tokens (sometimes called from a mobile application through an API). These software-only solutions are easier and cheaper to deploy, particularly if the target population is on smartphones, and a lot easier to patch in case of an attack. Interestingly, risk-based authentication is now asked about not only in the B2C context (which was a norm about a year ago), but also in the B2E context as well. Right now, end-user companies are thinking about:
How they can ditch hardware tokens altogether; and
How can they can move risk-based authentication, and increasingly authorization (fraud management), into the cloud.