[Infowarrior] - Are You Addicted to Information Insecurity?
Richard Forno
rforno at infowarrior.org
Wed Feb 4 13:29:48 UTC 2009
(h/t to multiple sources)
Are You Addicted to Information Insecurity?
Poor security is like nicotine for some companies. Ben Rothke offers
advice on kicking the habit.
Ben Rothke, CSO
February 02, 2009
http://csoonline.com/article/print/478780
A recent study has a finding that defies reason: close to half of 154
smokers who had surgery to remove early stage lung cancer picked up a
cigarette again within 12 months of their operation, and more than one-
third were smoking at the one year mark.
In fact, 60% of patients who started smoking again did so within two
months of surgery. The study, led by researchers at Washington
University School of Medicine and published in Cancer Epidemiology,
Biomarkers & Prevention confirmed that addictive behaviors are not
easily changed.
The study's lead author, Mark Walker, Ph.D., a clinical psychologist
and Assistant Professor of Medicine at Washington University, summed
it up best when he noted, "Patients are all addicted, so you cannot
assume they will easily change their behavior simply because they have
dodged this particular bullet." He concludes that their choices are
driven by insidious addictive cravings for nicotine.
In the world of IT, far too many organizations are addicted not to
something as tangible as a cigarette, but instead to insecurity. While
smokers' actions are driven by cravings for nicotine despite the
health hazards, information technology's actions are driven by users'
desire for easy access to data, usability, and quick deployment, with
a disregard for confidentiality, integrity and availability of that
data. These organizations typically know the risk of giving short
shrift to security (many have even been bitten by data breaches and
malware outbreaks), yet continue with their insecure ways despite
clear evidence of its hazards. While we are decades into the IT
revolution, too many companies are still not following computer
security fundamentals.
While each passing year brings greater and fancier security and
privacy tools and technologies, not much has changed about how many
organizations approach information security. In fact, Forbes noted
that during 2008, banks have lost more of their customers' personal
data than ever before. Based on this trend, and in light of
deteriorating economic conditions, by the time the 2009 security year-
in-review articles are written, there is every likelihood that this
year will be the worst year on record for information security and
privacy.
Getting your organization to change its addiction to insecurity won't
be easy. It is thought that addictive activities produce beta-
endorphins in the brain, which gives the person a feeling of being
high. Yet the highs of insecurity can include legal issues, regulatory
penalties, negative PR, and much more. In order for enterprises to
make those changes to a secure environment, they need to start by
executing in the following areas.
Time
At the macro level, becoming secure takes time. While security vendors
will hype appliances that will be up and running in minutes and other
security pixie dust, the reality is that creating a secure culture and
infrastructure takes time. How much time will it take? Think years,
not months. Sort of like the amount of effort it takes to stop
smoking. While some can quit cold turkey, the vast majority of people
require multiple efforts, with numerous resources, over many years.
Many organizations have been insecure for decades or more. Cleaning up
such a mess can't happen overnight. Organizations need to think of the
big picture over the long-term. Security and privacy are long-term
processes that require TLC to do correctly. Some items are quick-
kills, but overall, security can't be rushed.
The Need for a CISO
The CISO is more than simply the corporate security guru. An effective
CISO is responsible for strategic planning, skilled negotiating and
practical problem solving around not just information security, but
also privacy and risk management.
Only an individual with strong business savvy and security knowledge
can effectively oversee security planning, implement policies and
select measures appropriate to business requirements. A good CISO
should have a deep understanding of technology, combined with an
understanding of the organization's functions, politics and business
drivers.
A perfect example of a good CISO is one who realizes the imperative in
today's environment to secure business applications. Until recently,
security was all about securing the perimeter. Now, the perimeter has
collapsed and in some enterprises, completely disappeared.
Consequently, it is crucial to secure the application.
The most recent Symantec Internet Security Threat Report notes that
over 60% of today's threats target applications. Far too many
organizations still focus on the infrastructure and spend a
disproportionately small amount of time and resources on application
security.
If you are a new CISO, an excellent guide to use is Gartner's The New
CISO's Crucial First 100 Days. The report notes that a new CISO must
make the most of this critical period, because it represents the first
- and sometimes the last - opportunity to set the enterprise's
security processes and technologies on an effective course.
The bottom line is that unless a company has an effective CISO who
oversees, manages and enforces IT security, and who has a seat at the
boardroom table, the organization will suffer data breaches and
outages, and become a magnet for attacks.
Risk Management
It is imperative that your security program be based on an effective
risk management program. Who poses a greater threat to your
organization: a hacker from Estonia or the temporary CPA in the branch
office? Unless you have a comprehensive risk management program based
on the identification, analysis, mitigation and monitoring of your
risks, you will never know the correct answer. And if you don't know
that, you will likely be mitigating against non-existent risks.
Khalid Kark of Forrester Research astutely notes that true risk
management has little to do with technology; it's all about ensuring a
rigorous process for consistently identifying, measuring, and
reporting your organization's information risks, as well as having
regular interactions with business to calibrate the organization's
appetite for risk.
Ground Troops
War is often started from the air, but the dirty work is fought on the
ground. Security products are like the Air Force, sleek and powerful.
But for information security to work, you need ground troops, i.e.,
security Marines (otherwise known as the grunts from your security
engineering department).
Not only are security engineers invaluable, they are the difference
between ensuring that security works and having security hardware and
software just doing stuff. The single biggest mistake companies make
is expecting security products to solve their security problems in the
absence of a good security staff.
Policies, Procedures and Awareness
Security policies are quite simple—they define the aims and goals of
security to the business.
The follow-on to policies are security procedures. Effective
procedures (often known as SOP—Standard Operating Procedures) ensure
that your Chicago firewall administrator, for example, builds and
configures a corporate firewall in the same manner as his colleague in
Tokyo.
Organizations that take the time and effort to create formal
information security SOPs demonstrate their commitment to security. By
creating SOPs, their costs are drastically lowered (greater ROI), and
their level of security is drastically increased.
The aviation industry is a good example of an industry that lives and
dies (literally) via their SOPs. SOPs are built into job requirements
and regulations. Today's airplanes are far too complex to maintain and
operate without SOPs. Information security might not be as complex as a
Boeing 777, but it still requires appropriate SOPs.
Security awareness is also essential as information security and
associated risks are not intuitive to the average end-user. Awareness
is really important in that it develops a first line of defense for
the organization. A mistake many CISOs make is that they treat
security awareness as a one-size-fits-all program. Different people in
your organization need to be trained differently. It is imperative
that your awareness program reflect this. Don't use generic templates.
Conclusions
While computer security is a challenge, insecurity is far too
hazardous for any organization to deal with. The fact that tens of
millions of credit and debit cards can be compromised, such as in the
recent breach at Heartland Payment Systems, demonstrates that insecure
systems hurt everyone: from the CEO, whose job may be on the line, to
the consumer, who has to deal with the effects of the breach.
Every security breach is a wake-up call, which too many organizations
respond to by pressing the snooze button. It's 2009 and organizations
must start to heed the plethora of security wake-up calls. If not, the
result will be predictable, just like the outcome of any addictive
behavior.
Ben Rothke, CISSP, QSA (ben.rothke at bt.com) is a Security Consultant
with BT Professional Services and the author of Computer Security: 20
Things Every Employee Should Know (McGraw-Hill Professional Education).