Introduction: The Business of Security
Introduction by Patrick E. Spencer, PhD
Director, Publishing and Customer Leverage Programs
Listening to customers should be the lifeblood of virtually every technology company. As Symantec places a premium on the insight and experience of our customers, we believe customers realize great value when they have a chance to learn from their peers—both their successes and mistakes. Hence, we seek to facilitate opportunities to showcase how customers are leveraging our technologies and services to address myriad business drivers and technology challenges. In particular, with the advent of new social media outlets, customers often welcome the chance to collaborate in communities focused on their specific business issues.
The “Building Confidence in Enterprise Security” monthly blog column and video webcast series aims to bring together these two objectives. Starting this month, Samir Kapuria, distinguished principal and director of Symantec Consulting Services, and André Gold, head of IT risk management at ING U.S. Financial Services, embark on creating a series of blog columns and video webcast programs focused on the topic of enterprise security.
“Building Confidence in Enterprise Security” uses Symantec’s Security Blueprint as a lens for examining a range of enterprise security topics, including IT compliance, IT risk management, and operational security. The blog columns will use a Q&A format, with Kapuria serving as the host and Gold as his resident guest (each column is a transcript of an exclusive discussion between Kapuria and Gold). Special guests from within and outside Symantec, representing various industries and experiences, will be invited to some of the video webcast programs and blog columns.
A critical component of the monthly video webcast series and blog column is an audience survey. The questions each month reflect the topic of the subsequent month’s video webcast program and blog column. During each video webcast, Kapuria and Gold will discuss the results and implications of the survey feedback. Valuing interaction with their audience, Kapuria and Gold will conduct a drawing for an Apple Video iPod—from the responses received from U.S. and Canadian residents—each month.
In this first blog column, Kapuria and Gold discuss the objectives of the larger video webcast series and blog columns. They also delve into various strategies and trends in enterprise security, such as differences in security strategies across industries and the value of leveraging the Symantec Security Blueprint when architecting security strategies and planning. Gold supplies his interpretation of the Security Blueprint framework, suggesting that the seven basic areas of security, as delineated by the Security Blueprint, break into three basic categories: strategic, operational, and tactical.
The conversation concludes with Gold drawing an analogy, telling Kapuria that he—like John W. Thompson, Symantec’s Chairman and CEO—is merely a “simple country boy.” He tells Kapuria that he applies this upbringing to his professional career, exercising what he calls “Common Sense Risk Management 101.” He then explains that his approach to IT risk management embodies three basic characteristics:
1) IT “tech talk” must stay at home when dealing with business owners; the conversation must be in the vernacular of the business owners
2) IT must align with business challenges and drivers
3) IT must be articulated in practical terms and respect the value and input of business owners
Watch for next month’s blog column and video webcast program on “Scoping the Challenges of Endpoint Security.” And don’t forget to spend a couple of minutes taking the online survey.
Kapuria and Gold encourage their audience to read the monthly blog column, listen to the video webcast, and post comments in response to each topic covered. Symantec is quite pleased to sponsor “Building Confidence in Enterprise Security” and looks forward to a fruitful discussion on a number of enterprise security topics between now and our Symantec Vision event in Las Vegas, Nevada, June 9-12, 2008.
Samir Kapuria: We know about the nonpublic information protection and privacy trends, among others. From your perspective, what are the fundamental challenges and drivers that you see in the financial services industry?
André Gold: Well, having spent the last 11 years within the airline industry, I was a little concerned in assuming charge of a risk management program within financial services, as I wasn't cognizant of the challenges and drivers unique to that vertical. There are a couple of drivers, you know, some that are unique to financial services firms, two others that, I think, are common across industries.
The first one that’s common across industries is this notion of personalization: our consumerism type of technologies, where people are now introducing devices such as iPods and iPhones to corporate networks. We haven't done a good job in planning for these more disruptive technologies in the past—specifically in terms of how we accommodate these within our risk management practices.
Samir Kapuria: So that is something that, in essence, broadens the attack surface area, and the potential of risks broadens to your people?
André Gold: Absolutely. The second thing that extends—specifically the attack surface—is the notion of what I call information containment. And what do I mean by that? So with information containment a lot of companies are focused on data leakage now—instances where information that should reside within your corporation now actually goes out to the Internet via peer-to-peer networks, emails, and things like that. The other aspect of information containment is information management and managing information throughout its life cycle.
Samir Kapuria: Okay. So from a lifecycle perspective, I’m picking up as a key takeaway that people need to consider the creation of information, the transfer, storage, and destruction of information. Each of these aspects has a critical element.
André Gold: The third element, but specifically focused towards ING as a whole, is this notion of growth and managing a risk management practice at a time in which your organization is growing. Our CEO has made it very clear that we are shifting gears. And we are now going out, and we're going to grow, so looking for those mergers and acquisition opportunities. And so the question is how to manage the variability of risk in that sort of timeframe.
Samir Kapuria: So, within that growth—and you mentioned mergers and acquisitions—it’s commonplace for people to do something called due diligence. But from an IT risk management perspective, do you find companies are now more proactive in assessing the risks they might be absorbing from these target companies?
André Gold: Well, companies, probably going back about three years ago, have taken a more proactive approach as it relates to assessing companies with which they are conducting business for things such as payroll, HR, other types of benefits.
Over the past couple of years the yields on financial instruments are going down, and the margins are thinning out as well. And so what we're trying to figure out now is how do you cut some of those operational costs out as it relates to turning that dollar into maybe $1.05? And then how do you do that under the auspices of running a risk management practice at the same time?
Samir Kapuria: That last point is actually very interesting because what you're talking about is the convergence of business and IT risk management. And it sounds like it's a new area that's developing within the security realm: how do I talk in business language and understand the business implications of security or IT risk management. Is it fair to say that businesses are starting to evaluate return on investment—return on net asset—based on that view?
André Gold: Yes, I think that's an accurate statement. I think that, as an industry, we're still a little immature as it relates to really quantifying a return on net assets or return on income. But I think that we are becoming better aligned with the business, and that's exactly what the business is starting to expect.
Samir Kapuria: Switching gears for a second to bring up a new topic, the Symantec Security Blueprint. This was something that we put together over the last few years to serve as the Rosetta Stone to help organizations navigate through the myriad of security standards out there.
We subsequently came up with some core elements that any organization looking to build a security program or enhance their security program understands as critical: security strategy, security organization, operational security, business continuity, network and system security, application security, and data security.
Now, within these core areas there's another element to consider. And one of those elements is there's a strategic level: that's when you're looking at the organization and when you're looking at the overall strategy for security governance within a company. Then you have an operational level, which is the process, protocol, policy side of things that would be operational security, business continuity, etc. And then the last perspective, you've got a tactical or a technology viewpoint. This is where application security, data security, and network and system security come into play.
I'm curious to hear how you see these areas interconnect and relate.
André Gold: I think these seven areas fall into three basic categories: strategic, operational, and tactical. The Security Blueprint does a great job of looking at those foundational components that make up a risk management practice and grouping those according to these three categories. At ING, we're focusing on those key elements.
Samir Kapuria: When approaching risk management from the perspective of business value, how do you optimize the results with all of these programs in different silos? How do you approach it? Or how would you recommend an organization approaches it?
André Gold: It is no different for us. Some of those elements are part of my span of control. And some of those elements reside in what we call shared services and other elements within infrastructure. I think the key thing here is that as we engage those various constituents—in my particular case shared services as well as infrastructure—we need to talk in their respective terms. We are very dependent upon the cross-functional relationships that we have within our respective organization. As we engage these various parties that are going to help deliver our risk management practice, we have to be able to communicate risk in a form that they understand, that they consume, and that they can, most importantly, digest.
Samir Kapuria: That serves as an excellent backdrop for my next question. Could you share a little bit about your general risk management methodology?
André Gold: You know, I've heard John Thompson say numerous times that he's just a country boy. And fundamentally, I'm just a country boy as well. As country folk we believe in the simpler things in life, and so my philosophy, as it relates to risk management, is doing things that make common sense. It's something that I call common sense risk management 101.
So what does that mean? To give an example, when you leave your home each morning, you naturally turn the alarm on and lock the door. When you go to work and when you get out of the parking lot, once again, you lock the door. Subconsciously, it's just ingrained within you. You've learned to do that. Subsequently, while you're at work, we do common things as well. For example, given the recent number of laptop breaches, it only makes sense to encrypt laptops nowadays. My approach to risk management also is based on common sense, not necessarily predicated on any other frameworks that are out there.
There are four key things that I like to focus on. First is ensuring that we have a program that's built upon adding value. Second, we need a program that's predicated on helping the firm meet its respective business goals and objectives. Third, as mentioned before, common sense and practicality are key. And fourth, the program has to be strategic. A lot of times from a risk management perspective we do things that are very transactional, things that are very tactical. I like to form a program that is strategic, one that looks at some of the challenges that the business is going to face based upon its given agenda and lays out a program that helps the business mitigate future risk.
Samir Kapuria: What is your counsel to an organization that's looking to move from the siloed or tactical approach to something more proactive?
André Gold: Well, that is a good question, and, as you know, we’re shifting gears, changing tires on the moving bus. I think that the key thing here is to actually be in alignment with the business. Understand the firm's 12- to 18-month goals; there are a lot of things that we can do within the risk management practice that we think are actually enabling the business or that are potentially mitigating future business risks.
For example, I can go divert capital to encrypt all my desktops. But if the firm is out there looking at M&A opportunities, maybe I should focus on information leakage and how to protect the content associated with some of these M&A opportunities. My second recommendation is to understand the culture. Many times we go out there, and we take security best practices. And they're not really applicable, or it's very hard to consume those from an organizational perspective because our culture just can't withstand that.
Samir Kapuria: I'm sure there are various stories you could share with us around mistakes that have been made along the way and how you've course corrected in your past experience while developing this sort of program.
André Gold: We talk about IT risk management, but I think the first and probably the most important key thing is to leave the IT at home. At least leave the IT tech talk at home because the business doesn't understand that. The second thing is to align with IT; don't think in terms of technology. Think in terms of the business challenges that you have and how you might use people, process, or technology to meet those respective challenges. And third, be practical. Understand that your people are your first and last line of defense.
Samir Kapuria: Thank you for sharing your insights, André. They've been very valuable.
André Gold: My pleasure.
Message Edited by The STN Guy on 11-07-2007 10:53 PM