Security needs to look 10 years ahead
Infosec Europe 2014 Day 1
Security as an enabler was a major theme at the Infosecurity Europe 2014 show in London this week as well as being the title of a dedicated panel session around supporting enterprise innovation and transformation.
One way for security to add value is by using innovative security solutions to enable new lines of business. Panellist Michael Colao, Head of Security, AXA UK, commented, “The only place we add value is if we allow the business to offer the services which they do, therefore security needs to be compared to a strategy unit which is looking at where the company will be in 2020 or 2030, what services it will buy or sell and what core activity it will retain. Then you need to figure out how you will be in a position to do that. For example, 10 years ago cloud services were known about and you could have put an app up and checked out what the security requirements might be, so as to be ready when the business wants to innovate in that direction.
“New services take three to five years from the lab to market, and a further five years for wide usage, and seven to eight years for the court cases to come out – so we are now getting solid case law for email, which was introduced in the 1980s. We need to prepare for the future court cases about the legal and regulatory issues.”
Lee Barney, head of Information Security, Home Retail Group, added, “We are part of the business and should expect to innovate, for financial and efficiency reasons. So now is the time to look at the security of Google Glass and whether it can add value.”
Colao also saw this as a good example, commenting that his board had looked at the implications of Google Glass in the insurance industry, but that the senior IT people had not looked at it, even though the board were discussing it; hence there was a disconnect that needed to be bridged.
But while enabling business is largely accepted as a good thing, Andy Jones, CISO Maersk Line questioned the value-add premise, asking, “Are we even tied up with adding value? A lot of what the security function does enables business to happen, but is not about adding value.”
Certainly it became clear that the success of the security function is measured by many things, and a financial contribution may not even apply in many cases, such as hospitals and military defence.
But moderator Peter Wood, Security Advisory Group, ISACA London chapter, emphasised how in retail, security has the ability to lead from the front, “adding terrific value in business,” though he too recognised that in sectors where the consequences of a breach are more dangerous than lost profit, there is a need to be safer independent of financial return. As an example of how security can contribute to saving the company money, the introduction of federated identity log-in systems was cited, simplifying online shopping with one log-in to multiple locations.
Lee Barney, head of Information Security, Home Retail Group said that commercially, retail demonstrated how security should be done – it was happy to provide a business case and implement security solutions to enable business, and not just if they are on a compliance list.
For David Cass, SVP, CISO, Elsevier, the question is: what is the level of security needed to get a product out there without being vulnerable? Reconciling risk and opportunity in this way defines the level of security required. Barney noted that in retail, customers vote with their feet and go elsewhere if you lose their data, so you need to get it right.
Jones pointed out that security capability can itself be a business differentiator: working with corporate organisations, if you can say you have invested more in security than your competitors, and are therefore safer as a result, it is difficult for competitors to respond quickly, and this can be sold as a benefit. But this increased security needs to be measured and verified. Some panellists suggested follow-up spear-phishing spot checks could provide a metric of success, but Jones rejected this proposal, commenting that it was too easy to rig a spear-phishing test to get the result you wanted, hence it was a false metric.
Also, raw spend was not seen as the best metric if the money had not been spent well. Colao commented, “Companies need to ask: what’s more likely, someone sitting in Starbucks using social engineering to compromise staff, or a crack team of Belarusian crackers attacking their systems? And where do you spend most of your budget – tackling the guy in Starbucks or the Belarusians?” The answer was often that the attacker was in Starbucks while the budget concentrated on the Belarusians.
This brought discussion back to the perennial question of how to make boards understand risk-based security. Jones said that risk is hard for business leaders outside security to understand, but added, “What they are more likely to understand is fraud and what level is acceptable, as in shoplifting; therefore the same ‘overhead’ applies to security risk, and this analogy makes the issue easier to understand.”
Whether appropriate or not, all agreed that the board wants the level of risk to be financially quantified, thus put into terms they understand.
Colao cited a case of a salesman promoting a solution to block access to porn, as the company’s existing systems did not guarantee blocking. Taking a financial approach, it was evaluated that the risk of getting involved in a lawsuit due to staff accessing porn was very low, with perhaps one case every five years possible and none actually seen, at a consequent cost of about £50k per case; thus the annual risk was £10k, and 80 percent of that risk was already covered, so the residual risk value was about £2k per year. Consequently it was not seen as worth spending the money on a £20k solution.
Valuing risk in money terms enables senior level conversations between the security leaders and the board.