Building Confidence in Enterprise Security - Show 2
Samir Kapuria: I thought it'd be beneficial to kick this show off with a recap of the three important elements you left us with in the last show.
André Gold: Sure. There are three fundamentals. Two of them are specific to any industry, and the last one is specific to ING. The first is this notion of personalization of IT; things like smartphones and iPods entering organizations and organizations trying to decide how to deal with those.
The second notion is information containment; ensuring that you're properly managing your company’s data and information to ensure that it doesn't get on IRC networks and other things like that. And then the third notion for us specifically at ING is managing your risk practice, specifically at a time in which we're shifting gears and we're growing.
Samir Kapuria: That actually sets a solid foundation for the focus of this show, which is building your own security blueprint or your IT risk management blueprint. Over the course of many years, we've developed our own blueprint to help organizations simplify interpreting all these standards out there. That's in essence what I believe is the fundamental value a blueprint brings into an organization or the security blueprint in specific. It allows an organization to simplify the overall equation in managing security.
André Gold: Oh, I absolutely concur.
Samir Kapuria: And I think that the three elements here are one of a strategic view, an operational view, which is more focused on people, and a technology or tactical view. Any blueprint that has these three elements addressed sets the organization a good foundation in evaluating its overall capabilities and managing its program.
André Gold: Sure, and I think that's one of the fundamental differences between the blueprint and some of the other frameworks out there. Because strategy is so important, especially having your risk program in alignment with organizational goals. And things like the ISO standard don't really drive home the importance of the strategic element of risk management.
Samir Kapuria: If you wouldn't mind providing some examples? And let's start from the bottom here on the tactical level. So, starting with network and system security, what are some of the common program elements that you find relevant to building a network and security program?
André Gold: So we start talking about some of the foundational stuff, specifically network and systems security. I always think about distilling my policy and my respective standards to understand how I'm going to build safe, secure, hardened information assets.
Samir Kapuria: And so with each of those assets, you try and focus on replicating a system or replicating a standard. So that in essence allows you to devise things like zone architectures or gold disk solutions for specific systems; baseline your environment from an infrastructure standpoint.
André Gold: Right, absolutely.
Samir Kapuria: That makes a lot of sense. And I think that actually leads us to the second area which would be application security. I'm sure you employ similar baselining techniques, but you might use different methods to achieve that.
André Gold: We do. I think when you look at application security specifically, though, I think that would be the area within most organizations and most risk programs that represents the largest gap. I think from an industry perspective, we still don't do a good enough job in assessing not only our internal applications but the applications that we also procure from third parties to understand the risk that they represent to the firm.
Samir Kapuria: So within that program, a point that you just shared, which I think is important, is there's an internal view and an external view. There are applications that your teams might develop and/or employ a third party to develop. And those are custom apps. They have one element of security or risk management that needs to be applied to them.
And then there are applications that you purchase, or software that you purchase. And before you employ them, you have to understand the risks associated with going to those third parties.
André Gold: Right. Because you can't simply infer because someone else has developed it that it's going to be more or less secure than your own internally developed applications.
Samir Kapuria: And also the environment and the platform upon which you install it, even if the software was secure to begin with, your environment might introduce risk based on how it's architected.
André Gold: Fair enough. Correct.
Samir Kapuria: I guess both of these elements roll up into the third area of the tactical elements of the blueprint, which is data security.
André Gold: Sure. And when we think of data security, a lot of times these days we think of encryption. But I've heard encryption one too many times. There haven't been any new encryption algorithms in a long time, and it hasn't been until about the last five years that people have really started encrypting devices. And the reason is because encryption is a very daunting task for many organizations to take on.
I think the other element that we look at when we talk about data security is data integrity and ensuring application and data availability as well.
Samir Kapuria: So let's move up the security model now and talk a little bit about the operational layer, the people layer. Often enough, people are the weakest link.
André Gold: But they're your first and last line of defense as well.
Samir Kapuria: Fair enough. Fair enough. You need to leverage that capability that people intelligence brings into an overall organization. Could you share some examples of your operational security programs and how something like that might enhance an overall posture for an organization?
André Gold: That’s a very good question. When you start looking at the operational aspects, you do focus on the people element. And some of the things associated with people would be the creation, the identification, and the management of logical access within your environment, right? So you've now laid this foundation of information assets. You've created a way to distribute products and services to your customer. Now you have to leverage people as the mechanisms to really drive those changes and push that distribution channel. So that's one of the areas that I think about, the provision environment.
The second element that I think about is logging and managing logging and understanding what's occurring within your environment. And I think that's where people come into play. Again, it's because it's the people who understand what's transpiring in your environment, and who can make sense as far as whether or not something is a risk or a benign event.
Samir Kapuria: So for technology, the previous layer we discussed is a way to automate repeatable functions. But the real intelligence comes from this operational security level where people through policy and process apply logic into an overall environment.
When extending that operational layer to business continuity, another pillar of the blueprint here, what are some of the elements that you find are critical in any business continuity program?
André Gold: We always talk about business impact analysis. But let's delve deeper to really understand what that means. That means, who are the critical people? What are the critical assets? When are they needed? And associated with this, what are my availability requirements? That's the first thing that's critical.
Samir Kapuria: So the key take-away there is understanding the business dependency on IT.
André Gold: Absolutely.
Samir Kapuria: And then the who, the what, and the when to get it done when there is an incident or an impact. So that brings us to the top of the blueprint here focused on security strategy and security organization. Strategy is an area that you've held as a very important element in any program. So if you wouldn't mind sharing some of your experiences around key elements to be incorporated within a security strategy, that would be very helpful.
André Gold: When you look at the security blueprint, there are two key pillars that reside within the strategy level. Those pillars are security strategy and security organization. Now when you start planning your risk management strategy, I think the first thing that you have to do is understand the business strategy, because your risk strategy should be in alignment and a facilitator of the business strategy.
Now let's talk about those two elements, specifically security strategy and security organization. When I think of security strategy, I start thinking of security reference architecture. What are the information assets I want to protect? How do I want to protect them? What are some of the measures that I'm going to use to evaluate how well we are protecting them?
When I get to security organization, I want to understand my business and its organizational structure, because I want to make sure my organization is in alignment to help facilitate the business's goals and objectives. That means understanding your relationships with people like your general counsel's office, internal audit, perhaps marketing distribution, and other business units within the firm.
One of the challenges that we as risk officers have sometimes faced related to really garnering capital is that we don't illustrate how our programming, our strategic initiatives, are actually going to help drive the business’s goals and objectives.
Samir Kapuria: So it really comes down to business value and understanding what the business goals and objectives are, being able to interpret them. In essence, you don't own the risk, the business owns the risk.
André Gold: That's correct.
Samir Kapuria: The value provided if a program is architected in the manner that you've described is one where you can provide a lens into what risk the business is absorbing, and the business leaders can evaluate whether or not they're getting the adequate return on that risk.
André Gold: Correct. Correct.
Samir Kapuria: I think we did a good job going through the blueprint from a top-down view and a bottom-up view. For the next section it'd be helpful to go through the blueprint as applied to different vertical industries. So in the first segment we covered the foundation of the security blueprint. In this next segment, we're going to look at the different weights that may be applied to the seven core areas of the security blueprint reflective of the industry an organization is in.
With that as a backdrop, let's start off with the airline vertical. You've got a lot of experience in that space. What would the weights or the areas of priority be on those seven categories for that vertical?
André Gold: I guess I would have some experience after spending a decade in that industry. As you mentioned, the blueprint is applicable to any industry. I think the key difference between financial services, airline, or any other industry for that matter, is the weights associated with the various pillars that make up the blueprint.
For example, security and security strategy is going to always be weighted equally across various industries, in my opinion. But I think there are other elements, such as security operations or perhaps network and system security that will slightly differ. For example, the security operations component in a financial services industry is going to be a lot heavier than in an airline industry. And the reason is because we're managing other people's money and trying to make money. Versus in the airline industry, you're really focused on getting a passenger from point A to point B.
Samir Kapuria: So the nature of the business that you describe in the airline industry might be a consolidated posture on one or two systems. From a technical standpoint, they might be very large centralized systems. Whereas in the financial services industry, those systems might be broken up across a myriad of applications.
André Gold: Right. And when you look at the various systems, you also have to keep in mind the maturity of a respective system. The airline industry is not as old as the financial services industry. A lot of the intelligence within the airline industry is still predicated on legacy and department, specifically the mainframe. And it's only been over the last 15 years that we've really modernized that environment, started using more contemporary technology to deliver products and services to the customer. That being said, in certain areas such as those we've talked about—network and system security—because you have a legacy environment, you don’t have the same need to monitor, to evaluate, and to secure that you would have in a more mature environment like financial services.
Samir Kapuria: And you might also not have the functionality and equipment, because when you're dealing with a legacy environment, some of the functionality built into that technology might also be old. You might not have the capability to meet some of the requirements you would with more modern financial systems.
André Gold: Indeed.
Samir Kapuria: So shifting from airlines and financial services, let's look at some other industries, such as telecommunications.
André Gold: I think the telco environment is very analogous to the airline industry, especially when you start looking at things like their billing system: a very legacy, more arcane environment. From a value perspective, it would probably have very similar weights to an airline industry. But I think as telcos have become a little more modern with their product offerings, such as broadband and things like that, other metrics have now started to increase. For instance, those metrics around network and system security.
Samir Kapuria: Right. When looking at the telco space, the network and infrastructure is the lifeblood of that industry. Therefore the importance of the weight applied to it would be much higher.
André Gold: Agreed.
Samir Kapuria: And in financial services, one can argue that data security and applications security might be of higher value, because that's the closest point to the critical asset.
André Gold: Indeed.
Samir Kapuria: Similarly, in the healthcare vertical where private healthcare information is the main focus or main asset, applications and data security would be of utmost importance.
André Gold: Absolutely. As you mentioned earlier, the key thing is understanding your business, understanding your business objective, as well as knowing what the challenges and opportunities are that you face.
Samir Kapuria: So I think the key take-away here is reflective of an industry someone's in, the weights applied to the seven core areas might change. And that's relative to the business that that organization's in and the assets it finds important. But overall, you start off with strategy being a foundation or a charter for any program. That tends to be the least common denominator that should be applied with this blueprint throughout.
André Gold: Right. How do you know you're going the right way if you haven't defined where you're going to begin with?
Samir Kapuria: Now let's change gears here a bit. Let's talk about leveraging the security blueprint from a practitioner's perspective.
When I've seen the security blueprint leveraged in organizations, the one thing that I take away is like that famous quote from, I believe, Mark Twain: I would have written a shorter letter, but I didn't have enough time. I think that’s the same value the blueprint brings to many organizations. It makes the equation simpler.
André Gold: I don't have a quote, and I apologize for that. But I think I have two great examples that illustrate the value proposition of the blueprint. The first one is, about a month ago I was in India with our sourcing crew because I was looking at ways to extend or enhance our risk program, leveraging some of the arbitrage opportunities that exist in India. I spoke to all these providers. They're rich in risk domain expertise. But they didn't understand what it meant to operationalize and consume some of the tactical elements of risk management. Not until I broke out the blueprint and highlighted those elements. Then it was like the light went on, and they said, "Oh, yeah. We can do that."
The second example that I'd use to illustrate the value proposition of the blueprint is recently ING USFS has brought in a new CIO. When I sat down with him this week, he talked about what are the things that we're doing to enhance the risk program for 2008. I started talking about the various initiatives. And he said, "Okay, so what's the value here? What are you enhancing on? What are the risk mitigation activities that you're really sponsoring?" I brought out the blueprint and highlighted the areas on the honeycomb that we're really focusing our core efforts on over the course of the next 12 months. And it was like, "Bingo." He got it.
Samir Kapuria: Excellent. So in essence these are great examples of how the blueprint actually serves as a platform to help communicate and simplify the overall equation.
André Gold: Absolutely. And to extend on the example that I just gave, my CIO is now taking the blueprint and having conversations with the CEOs of the various businesses to illustrate and convey the risk activities that we have going forth.
Samir Kapuria: Those are some great examples of a practical view and how the blueprint's been used in an organization. And one of the key take-aways is how it serves as a communications tool with the business side.
André Gold: One of the reasons I like the blueprint so much is because it's very descriptive. It's very tangible. And it's something that a non-IT or non-security person can grasp and understand where you're going with your risk program.
Samir Kapuria: Well thank you for providing a practitioner's perspective on how it can be useful.
Moving on to the next segment, let's focus on the results from last month's survey that include overviews on each of the blueprint areas and what the audience felt were the key areas of priority in their own security blueprints.
The first question that we asked was, "For your organization, rate the importance of each of the following core areas of the enterprise security blueprint." And that would be all the seven pillars that we discussed earlier today. The key finding was that security strategy and security organization were on top of the list in terms of importance.
André Gold: Certainly not surprising to me. I think strategy is needed anytime you build out a program.
Samir Kapuria: The second question was, "In your organization, how mature is your security program in each of the following areas?" And the areas that we listed were the seven pillars once again: security strategy, organization, etc. And then the two areas that rose to the top in terms of importance were security strategy and security operations. And I find that interesting, because I think on the operational element, that's a people focus, a process of policy focus.
André Gold: Sure. And I think one of the other things that we want to illustrate is that while Question 1 shows strategy is important, we notice in Question 2 a vast majority of the respondents mentioned that their strategy is not as mature as it should be.
Samir Kapuria: Excellent. I think that point indicates the applicability of a strategy requires having the resources to actually execute against it.
So let's move on to the third question here, which was, "How would the following areas of IT risk management rank in importance to your organization?" And the areas that we focused on in this question were security, compliance, availability, and performance. The two that came to the forefront were security and availability.
André Gold: Sure. You have to keep the systems up, right? And you ought to secure them.
Samir Kapuria: So no surprise there. Moving to the fourth question, "Organizationally, how are the responsibilities for security, compliance, availability, and performance assigned?" Now the real goal of this question, and the reason it was in the survey, was to understand how organizations are structured as it relates to these four core areas. No surprise that more than two teams was the majority of the responses that we received here.
André Gold: I believe the reason it's not a surprise is because risk management traditionally is a cross-functional discipline. I believe what it also represents is the need to have a risk officer, inclusive of your traditional chief security officer and chief information security officer functions, as well as things like disaster recovery and the other elements that are highlighted on the security blueprint.
Samir Kapuria: I'd have to echo that sentiment. With the emergence of chief risk officers and that role becoming more in the forefront, it definitely makes sense to have someone or an organization overseeing these individual focus areas.
André Gold: I think it aids companies in doing a better job of managing their portfolio of risks.
Samir Kapuria: Absolutely. Thanks again for participating in this month's survey. Your insights have been very valuable in allowing us to focus on what's relevant to you. We invite you to participate in next month's survey on endpoint security. And we look forward to seeing your input on our blog as well.
Thanks for joining us, André.
André Gold: A pleasure.
Message Edited by Samir Kapuria on 03-13-2008 07:46 PM