Tuesday, November 07, 2006

When Laws Aren't Enough

CIO Magazine published The Global State of Information Security 2006. The story contained what I consider to be some fairly disappointing results.

Complacency, it seems, abounds. A large proportion of security execs admitted they're not in compliance with regulations that specifically dictate security measures their organization must undertake or risk stiff sanctions, up to and including prison time for executives. Some of these regulations—such as California's security breach law, the Health Insurance Portability and Accountability Act (HIPAA), and non-U.S. laws such as the European Union Data Privacy Directive—have been around for years. ...

The information security discipline still suffers from the fundamental problem of making a business value case for security. Security is still viewed and calculated as a cost, not as something that could add strategic value and therefore translate into revenue or even savings.
(emphasis added)

No one spends money on insurance because it "adds strategic value." At best security spending can produce "savings," i.e. avoid losses.

Perhaps the problem is ignorant management?

From 2003 to 2005, the percentage of survey respondents saying they had fewer than 10 negative information security incidents in the past year remained steady. But this year, we included the option to answer that you do not know how many negative security incidents occurred. This year, nearly one-third of respondents admitted that they do not know how many breaches or unauthorized access events occurred within their organizations.

To a certain extent, that's understandable. Attacks can be hard to identify, and networks can be extensive. What's less comprehensible is that a significant portion of respondents said they have not installed some of the most rudimentary network safeguards. Only one-third of respondents have put in place patch management tools or monitor user activity. Less than half use intrusion detection software or monitor log files (the two best methods organizations can employ to detect breaches) and even fewer use intrusion prevention tools. Surprisingly, more than 20 percent of respondents don't even have a network firewall.


Let's assume these managers are not being brutally honest, i.e., they are not recognizing that it can be impossible to know of every incident. Instead, I assume they are admitting they just don't have the tools and tactics to measure incidents. That's disappointing.

There is some hope in certain industries.

Companies in the financial services sector—banks, insurance companies, investment firms—are more likely to employ a CSO than other industries. Security budgets in the financial sector are typically a bigger slice of the IT budget as a whole and increase at a faster rate than in other sectors. That may be because financial services companies are more likely to link security policies and spending to business processes. These companies are proactive, instituting formal information security processes such as log file monitoring and periodic penetration tests. More of their employees follow company security policies. Not surprising, financial services companies also have deployed more information security technology gadgets, such as intrusion detection and encryption tools, and identity management solutions.

It's obvious, therefore, that financial services organizations are far more likely—almost twice as likely, in fact—to have an overall strategic security plan in place. Consequently, they reported fewer financial losses, less network downtime and fewer incidents of stolen private information than any other vertical.

The reason for all this is also obvious. The product in the financial services industry is money, and money is the prime target of cybercriminals, including organized crime, insiders and even terrorists. Protecting the money is the industry's most critical concern. The past few years have seen a sharp increase in cybercrime (phishing, identity theft, extortion and spyware, to name a few). Anytime a security executive can demonstrate to top executives that investing in security can protect and increase shareholder value, he will be more likely to convince the boardroom to make that investment and make security a strategic part of the organization.

Financial services companies are more likely than enterprises in other industries to use ROI to measure the effectiveness of security investments (29 percent versus an average of 25 percent), and they also are more likely to use potential impact on revenue to justify investments (36 percent versus an average of 27 percent). These arguments work. More financial services companies saw a double-digit increase in their 2006 security budgets than those in any other sector.

Regulation plays a part too. The financial industry must adhere to the most stringent information security laws, and therefore it leads other industries in following proven, strategic information security practices.


I'd like to provide a slightly different interpretation. Financial services companies are used to dealing with threats as well as protecting assets. Everyone has assets to protect, but not until recently has everyone been within the reach of threats. Your risk is zero if you face no threats, no matter how vulnerable you are or how important your assets.

2 comments:

Anonymous said...

It's not complacency. It's the old adage: why blow cash into security initiatives when nothing has really happened?

Anonymous said...

Richard, the threat which causes financials to spend more on IT/infosec in many cases is regulators, not external attackers. If a company cannot demonstrate compliance with an ever-increasing list of audit checkpoints on IT/infosec (vulnerability), there is a risk of facing fines or suspension/loss of the company license (exposure).

This is part of why financials are tending to put IT/infosec into risk management along with control systems aimed at Basel II and SOX compliance.