by Khalid Kark
with Jonathan Penn and Alissa Dill

There is a definite chasm between chief information security officers' (CISOs') priorities and their
responsibilities. CISOs understand that their priorities need to align with business objectives, yet many
of them remain focused on technology and operations. CISOs need to do more, incorporating business
objectives into their efforts to manage information risk, achieve greater operational efficiencies, and
bolster security awareness and training.

In a recent Forrester survey, information protection and information availability initiatives topped the
list of CISO concerns for 2008 (see Figure 1). For many CISOs, these business priorities are now part of
their core responsibilities and are forced to the top of their agendas by executive management.

CISOs Have The Right Business Priorities, With The Wrong Operational Focus

CISOs are getting their priorities aligned with the business, but many struggle to look at these problems
from a business perspective. A majority of CISOs are still responsible for technical and infrastructure
security and rely heavily on technology to solve all their issues (see Figure 2). They face challenges
coordinating their efforts across business areas and find it hard to balance compliance and security
responsibilities because:

- CISOs continue to view data protection as a technology problem. A vast majority (81%)
of security professionals identified data protection as important or very important for their
organization in the next 12 months. For many CISOs, this means encrypting sensitive data or
deploying information leak prevention technologies. They still ignore or de-emphasize the process
and people elements of data security such as security awareness, monitoring, and auditing processes.

- Business continuity and disaster recovery efforts are disconnected. Approximately 27% of
enterprises don't have a recovery site in the event of data center site failure, and 23% of enterprises
never test their disaster recovery plans.1 Even for organizations that do have decent disaster
recovery capabilities, the challenge is to align them to business continuity capabilities. Both of these
initiatives remain stovepiped. As a result, an organization may be able to guarantee that it could get
critical servers up and running within 48 hours but may not know if there would be enough people
to run them.

- A lack of process controls hampers application security efforts. Security professionals
grew up in the infrastructure world, and a majority of them struggle with application security
controls. On the other hand, application developers are trained to develop applications quickly
and with minimal performance degradation. To them, security controls slow the application
development process as well as the actual performance of the application. Additionally, the
application security teams don't report directly to the security organizations, and many CISOs
struggle to get application security processes established as part of an organization's software
development life cycle (SDLC).

- Regulatory compliance focuses attention on dotting the i´s and crossing the t´s. Many
organizations want to minimize their spending on compliance by meeting the letter of the law
and fulfilling the bare-minimum requirements. This approach may prevent regulatory penalties
in the short run but may prove detrimental to the security and privacy of the organization in the
long run.

- CISOs treat security awareness as a one-size-fits-all endeavor. One CISO confided that, on
paper, 95% of his organization went through security awareness training in 2007; nonetheless,
he was apprehensive about the state of security awareness within the organization. The
reason was that awareness training consisted of the same 90-minute presentation that was
conducted four times per year throughout the organization. Simply attending a generic security
presentation counted as training, regardless of their duties or their exposure to security risks.
This example is representative of the state of security awareness in organizations today.

- Vulnerability and threat management remain reactive. Security is starting to share its
vulnerability management responsibilities with other parts of IT or outsource some of it. Yet
threat management is still a huge gap in many organizations because security professionals view
it as a purely operational activity and miss out on being proactive. As a result, vulnerability and
threat management has stayed very reactive.

Many specific security concerns could be tied together to address a business issue. Instead of looking
at these as individual security projects, it's best to view them as solving part of a bigger business-level
problem for the organization. The three main issues that CISOs need to address are business
alignment, operational efficiency, and training and awareness. These may not all be addressed in
one year, but it's important to frame them in a business context and define a multiyear strategy to
address them through different security initiatives.

Execute On Business Priorities By Addressing Information Risk

A lot of security professionals are starting to keep tabs on business priorities. The real challenge is
to incorporate those priorities into the security strategy, and more important, to execute on these
priorities to address information risk. The most critical priorities for CISOs are to:

- Ensure data protection for client and corporate data. For many business executives, their
top priority is protecting customer data because, frankly, breaches are very costly. If you
collect sensitive customer data, you're bound by multiple regulatory, legal, and privacy
requirements. In case of a data breach, you incur fines and large sums in identification,
remediation, legal, and opportunity costs.2 Many security professionals also underestimate the
cost of corporate intellectual property breaches. It may not make the headlines, but it potentially
has a catastrophic business impact.

- Prepare and coordinate business resilience activities. Many CISOs view business continuity/
disaster recovery (BC/DR) just in terms of physical crises: fires, floods, hurricanes, or terrorist attacks. Yet other business interruptions, such as power outages, data security breaches, hardware
or application failures, or even mergers and acquisitions, can be just as disruptive. You can have
the best BC/DR plan, but it's useless without preparation, planning, coordination, and effective
response capabilities.3

- Balance regulatory compliance requirements with security considerations. The
misconception that compliance equals security has led organizations to spend excessively on
regulatory compliance, sometimes at the detriment of security. The truth is that it's possible to
have excellent security and be noncompliant, and it's possible to pass a compliance audit with
flying colors and still have poor security. It's the CISO's responsibility to ensure that compliance
initiatives take a holistic view by incorporating security and privacy requirements.

Develop Operational Efficiency Where You Get Most Bang For Your Buck

Operational efficiency is a laudable goal in general, but due to limited resources, CISOs should focus
on areas that can give them the most visible results upfront. The areas that promise good return on
investment (ROI) and streamlined processes within a reasonable time frame are:

- Application security — taking care of a majority of your vulnerabilities. Symantec's recent
Internet Security Threat Report shows that 61% of all vulnerabilities discovered in the first
half of 2007 were application related.4 This requires a two-pronged approach: Evaluate existing
and legacy applications for vulnerabilities and introduce application security processes at the
beginning of the development life cycle. Doing the latter can provide up to 30x savings.5

- Identity and access management — reducing excess privileges and lowering costs.
Information security has been managing identities for many years; it has also been responsible
for granting access to information resources. Only recently have these two disciplines
intersected, where the CISO needs to know not only who was on the network, but when she
was, what she did, and much more importantly, if she was allowed to be there. Automating these
tasks reduces human errors and saves a tremendous amount of time for the organization.6

- Vulnerability management — scanning and patching systems. Keeping track of all
information resources, scanning them for vulnerabilities, and ensuring that at least the critical
assets are appropriately patched and sufficiently protected can be very tedious. This objective
can be achieved by deploying a tool or outsourcing it, but make sure that you have regular
scanning and established SLAs for vulnerability management.
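The two checks this item asks for, regular scanning of every inventoried asset and remediation SLAs for what the scans find, can be computed directly from a scanner export. The following is an added example and not part of the Forrester report; the SLA windows, the 30-day scan interval, the asset names and the findings are all constructed for illustration, and the `Asset`/`Finding` records stand in for whatever a real scanner exports.

```python
"""Vulnerability-management SLA check over a constructed scan export.

Added example, not from the Forrester report. The remediation windows,
the 30-day scan interval, the assets and the findings are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows in days, keyed by (asset criticality, finding severity).
SLA_DAYS = {
    ("critical", "critical"): 7,
    ("critical", "high"): 14,
    ("critical", "medium"): 30,
    ("standard", "critical"): 14,
    ("standard", "high"): 30,
    ("standard", "medium"): 90,
}
SCAN_INTERVAL_DAYS = 30  # assumed: every inventoried asset is scanned at least monthly


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str              # "critical" or "standard"
    last_scanned: Optional[date]  # None: in the inventory but never scanned


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str                    # "critical", "high" or "medium"
    first_seen: date                 # first scan that reported it; the SLA clock starts here
    fixed_on: Optional[date] = None  # first scan that no longer reported it


def sla_deadline(asset: Asset, finding: Finding) -> date:
    """Date by which the finding must be remediated under the assumed SLA table."""
    return finding.first_seen + timedelta(days=SLA_DAYS[(asset.criticality, finding.severity)])


def _is_open(finding: Finding, as_of: date) -> bool:
    return finding.fixed_on is None or finding.fixed_on > as_of


def overdue_findings(assets, findings, as_of: date) -> list[tuple[str, str, int]]:
    """Open findings past their deadline as (asset, severity, days overdue), worst first."""
    by_name = {a.name: a for a in assets}
    overdue = []
    for f in findings:
        if f.asset not in by_name:
            raise KeyError(f"finding on {f.asset!r} but that asset is not in the inventory")
        deadline = sla_deadline(by_name[f.asset], f)
        if _is_open(f, as_of) and as_of > deadline:
            overdue.append((f.asset, f.severity, (as_of - deadline).days))
    return sorted(overdue, key=lambda row: -row[2])


def sla_compliance(assets, findings, as_of: date) -> float:
    """Share of findings that met SLA: fixed by the deadline, or still open and not yet due."""
    by_name = {a.name: a for a in assets}
    met = 0
    for f in findings:
        deadline = sla_deadline(by_name[f.asset], f)
        closed_on_time = f.fixed_on is not None and f.fixed_on <= deadline
        open_within_sla = _is_open(f, as_of) and as_of <= deadline
        if closed_on_time or open_within_sla:
            met += 1
    return met / len(findings) if findings else 1.0


def stale_assets(assets, as_of: date) -> list[str]:
    """Coverage gap: inventoried assets never scanned or not scanned within SCAN_INTERVAL_DAYS."""
    limit = as_of - timedelta(days=SCAN_INTERVAL_DAYS)
    return sorted(a.name for a in assets if a.last_scanned is None or a.last_scanned < limit)


# Constructed inventory and scan export (not real systems).
AS_OF = date(2008, 3, 31)
ASSETS = [
    Asset("db-prod-01", "critical", date(2008, 3, 28)),
    Asset("web-prod-02", "critical", date(2008, 3, 28)),
    Asset("hr-app-01", "standard", date(2008, 2, 10)),   # last scan 50 days ago
    Asset("lab-vm-07", "standard", None),                # inventoried, never scanned
]
FINDINGS = [
    Finding("db-prod-01", "critical", date(2008, 3, 1), fixed_on=date(2008, 3, 5)),  # fixed in 4 days
    Finding("db-prod-01", "high", date(2008, 3, 10)),                                # due 3/24, still open
    Finding("web-prod-02", "medium", date(2008, 3, 15)),                             # due 4/14
    Finding("hr-app-01", "critical", date(2008, 2, 10), fixed_on=date(2008, 3, 1)),  # due 2/24, fixed late
    Finding("hr-app-01", "high", date(2008, 3, 25)),                                 # due 4/24
]

if __name__ == "__main__":
    for asset, sev, days in overdue_findings(ASSETS, FINDINGS, AS_OF):
        print(f"OVERDUE {asset} {sev} by {days} days")
    print(f"SLA compliance: {sla_compliance(ASSETS, FINDINGS, AS_OF):.0%}")
    print("stale or unscanned:", ", ".join(stale_assets(ASSETS, AS_OF)))
```

The two lists are the ones worth putting in front of IT operations: the overdue list is the SLA breach report, and the stale-asset list is the inventory gap (a host that is never scanned never produces a finding, so it is invisible to the SLA number unless coverage is checked separately). A finding whose asset is missing from the inventory is deliberately treated as an error rather than silently skipped.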

Focus On Employee Training To Strengthen The Weakest Link

Security awareness develops a first line of defense for the organization. It's heartening to see security
awareness appear on the CISO priority list for 2008. Many organizations are realizing that a majority
of breaches occur because of people inside their firewall, but this isn't just because of the actions of malicious insiders. Security training and awareness ties directly into the effectiveness of other
security initiatives; it's not an isolated endeavor. Developing an effective security awareness program
significantly mitigates risk.7 This is because:

- Your personnel are a critical line of defense. Incident management equips the organization to
deal with unforeseen events. So a lack of training will result in chaos and confusion at the time
of security breaches. Executive management is not usually trained to coordinate and respond
to security situations that may be out of the ordinary. Another factor that complicates security
incident response is forensic and eDiscovery requirements; if you botch them, you may lose
evidence or the data might be inadmissible in court. Lack of training also leads to unreported
security incidents. Many people don't know what types of activities should be viewed with
suspicion, nor do they know whether or where to report such incidents.

- Careless or inadvertent worker activity carries significant risks. We have all from time to
time left things on subways, in taxis, or in public places. The stakes are multiplied as we carry
more and more data on our mobile devices. Many CISOs struggle with stolen laptops, PDAs,
and mobile phones that house sensitive corporate information. Many thefts can be avoided by
training people to follow commonsense approaches such as putting their laptop in the trunk
instead of leaving it in plain sight or keeping their laptop close as they check in at the ticketing
counter. Similar training can be provided for data center employees with regard to physical
access, and even regular users can learn to be vigilant in their surroundings.



Alignment with business, protection of corporate and customer data, compliance, and
BC/DR are not new initiatives for CISOs, so the 2008 priorities don't herald radical changes. But
they should remind us that we need to make and demonstrate greater progress on what we're
already doing. This means that you should:

- Develop more comprehensive competencies. Many CISOs point to a lack of skilled people
as one of their major issues.8 As security threats become more sophisticated and the threat
vectors become diverse, security organizations need to have competencies that are deep
and wide. It´s not enough to have deep understanding of encryption technologies; you
also need to understand the basics of human psychology to predict how people would try
circumventing this control or how they could be tricked into giving away their passwords.

- Brace for requests to tighten your belt. One large global organization challenges its IT
staff to reduce IT operations expenses by 30% every year and use this amount for new tools
and technologies. Expect to get similar targets for the information security group, especially
if the economy continues to slow. Many CISOs are facing tough questions as they present
justifications for security spending, and many others are being asked to look at options such as outsourcing for reduced costs and increased competencies.

- Align security and compliance controls. Regulatory compliance does not equate to security;
the trick is to satisfy both simultaneously. For example, if you'll be encrypting credit card
data for payment card industry (PCI) compliance, look at expanding this to cover personal
information, healthcare information, or corporate intellectual property (IP) as well, so as to
fulfill multiple regulatory, legal, and corporate requirements.

- Look for product suites and one-stop shops. CISOs used to get excited by the coolest
technology and a product with the most bells and whistles. Many have learned the hard way
that those technologies typically don't integrate well, and they end up with a hodgepodge
of technologies and can't take a holistic view of the security environment. As a result, many
CISOs now prefer product suites and larger IT vendors for security tools and technologies.

- Use metrics and dashboards for strategic decision-making. CISOs have been looking for a
comprehensive dashboard and metrics tool for some time now because the sheer volume of
data makes this task almost impossible to do manually. Finally, the vendors are beefing up their
reporting and dashboarding capabilities and are providing open APIs and interfaces for others
to connect and exchange information with their technologies. Also, a new breed of products
is popping up that offers the capability to integrate information from different parts of your
environment and provides you information that can help with strategic decision-making.9


1 Source: Business Data Services Enterprise And SMB Hardware Survey, North America And Europe, Q3

2 Trying to determine the cost of a data breach is no easy task. After calculating the expenses of legal fees,
call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be
dizzying, if not impossible, to come up with a true number. In reality, there are many different factors that
should be part of the data breach cost calculation — and it's about more than just losing money. Although
studies may not be able to determine the exact cost of a security breach in your organization, the loss of
sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-prepared,
and it's important to be able to make an educated estimate of its cost. See the April 10, 2007, "Calculating
The Cost Of A Security Breach" report.

3 According to Forrester´s Business Technographics® May 2006 North American And European Enterprise
Infrastructure And Data Center Survey, 56% of 1,017 IT decision-makers at North American and European
enterprises said purchasing or upgrading disaster recovery capabilities is either a critical or important
priority during the next 12 months. Investing in advanced recovery technologies and building or sourcing
alternate data centers is one way to improve capabilities, particularly for disaster recovery, but in reality,
most challenges related to disaster recovery and business continuity (BC) are based on process and
procedure. Firms typically lack a centralized BC program office that enforces standards, consistency, and quality across a distributed organization or across hundreds of localized BC plans, and these plans are rarely,
if ever, tested. To address these challenges, more firms are turning to Web-based software to transform their
static BC plans from Word documents and Excel spreadsheets into a more mature BC program. See the
May 30, 2007, “Market Overview: Business Continuity Planning Software” report.

4 Source: "Symantec Internet Security Threat Report: Trends for January-June 07," Volume XII, September
2007.

5 Organizations that develop applications in-house have to make a decision: You can wait until someone
exploits vulnerability in your system and fix it, or you can proactively build security early on in your
development process — mitigating vulnerabilities before attackers find them. A proactive application
security program should extend to every relevant phase of the application life cycle, from conception to
operation; program success hinges on commitment and support from executive management. Security
personnel need to work with application owners and business stakeholders to prioritize resources and to
ensure proper measures are implemented throughout the life cycle. See the August 14, 2007, “Managing
Application Security From Beginning To End” report.

6 For examples of how to justify investment in identity and access management products, see the October 22,
2002, “Justifying The 2003 IT Budget: Identity Management Brings Quantifiable ROI To Security” report.

7 Organizations must take a structured approach to security awareness. For more information, see the
December 23, 2005, “Five Steps To Effective Security Awareness” report.

8 In a survey of 2,212 security decision-makers at North American and European companies, 55% rate
“unavailability of people with the right skills” as a “challenging” or “very challenging” issue over the next 12
months. Source: Business Data Services Enterprise And SMB Security Survey, North America And Europe,
Q3 2007.

9 For additional information on the governance, risk, and compliance (GRC) platform market, see the August
7, 2006, “Overcoming Risk And Compliance Myopia” report.

