A call for maturing our approach to IT security and risk

Gavin Struthers

As part of McAfee's participation in E-security Awareness Week, I've spent the last three days talking directly to customers at an Executive Summit we hosted in the Hunter Valley in New South Wales, and gleaned some of the challenges organisations are currently facing.

When it comes to the challenges CxOs and security managers face in better securing corporate networks and managing risk, there is a definite sense of this being a "work in progress". Their call was to make the proposition simpler while providing higher levels of protection and compliance.

These stakeholders understand the evolving complexity and escalation of threats to their organisations and their data. On the one hand they are witnessing a proliferation of "smart" devices, many of which are carried into the office and connected to the corporate network without being checked for malware, and without disk encryption to protect the data should the device be lost.

On another front, people are making greater use of a plethora of new platforms and services to share information and communicate: social networking sites, IM, VoIP, Web 2.0, SOA and similar technologies. These have introduced a whole new set of vectors for compromise or data leakage.

At the same time, malware numbers, phishing attacks, targeted attacks and general subversion for gain are on the rise, in a fascinating pattern of drama that arguably warrants another Harry Potter series. For example, McAfee has seen a 60 percent increase in malware numbers in 2007 over 2006, and our Avert Labs are detecting upwards of 370 new instances of malware per day.

As I catch you thinking "so what", let's get back to the thinking of the corporate stakeholder. They are acutely aware of their role to appropriately weigh up the aforementioned challenges, represent risk to the business and recommend appropriate responses based on the organisation's appetite for risk.

However, many I've spoken to in recent days talk about the challenge of having to justify the money they spend on IT security, and the related challenge of integrating this investment into broader corporate outcomes.

This has been a perennial challenge when it comes to justifying a budget for IT security, or justifying the next dollar spent on further measures. There was consensus that there are ways to track and measure both spending and outcomes, provided a strategic and considered approach is adopted.

Applying this type of thinking to the Capability Maturity Model (CMM), which addresses the definition and maturity of an organisation's processes, organisations can start to plot the maturity of their security and risk posture while weighing the commensurate value to the organisation.

The first level, "Secure", involves reducing the attack surface by implementing technologies and procedures in the corporate infrastructure. This requires a mixture of the technologies themselves, plus procedures for how security technology is updated and refreshed.

Level two, "Compliance", typically covers how organisations set policy and go about ensuring adherence to it. It must be said that one may be compliant without being secure: meeting a policy or standard demonstrates that a process exists, not that no exploitable weakness remains.

Being "Predictable" is level three and introduces quantitative and qualitative metrics derived from, among other things, knowing the state of the physical infrastructure, correlating IP assets against known vulnerability and threat databases, and understanding security procedures and policies. Having meaningful metrics enables a more sophisticated discussion with the business rather than relying on scare tactics to secure its support for the next important project. Not only does this contribute to an improved security and risk posture, it also aids the often dreaded explanations to auditors, executive management and regulators about how and where due diligence was applied in mitigating threats and protecting customer and corporate data.
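
To make the "Predictable" level concrete, here is an added example (not McAfee's code and not the author's) that correlates a small, constructed asset inventory against a constructed advisory feed and derives trackable figures from the match: the share of hosts with a known vulnerability, a criticality-weighted exposure index, mean patch age, and a what-if ranking of which single remediation lowers exposure most. The hosts, IP addresses, products, version numbers, advisory IDs and criticality ratings are all hypothetical, and the weighting formula is an illustrative choice rather than any standard.

```python
"""Added example: correlate an asset inventory against a vulnerability feed
and derive metrics for the "Predictable" maturity level.  Every host, IP,
product, version, advisory ID and criticality rating below is constructed
for illustration; none refers to a real CVE, vendor or network."""

from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    host: str
    ip: str
    criticality: int   # 1 (disposable) .. 5 (crown jewels), assigned by the business
    software: dict     # product name -> installed version as a tuple
    last_patched: date


@dataclass
class Advisory:
    adv_id: str        # hypothetical identifier, not a real CVE
    product: str
    fixed_in: tuple    # installed versions strictly below this are affected
    cvss: float        # 0.0 .. 10.0


# Constructed inventory snapshot (hypothetical hosts and versions).
INVENTORY = [
    Asset("web-01", "10.0.1.10", 4, {"httpd": (2, 4, 1), "openssh": (7, 9)}, date(2007, 5, 2)),
    Asset("db-01", "10.0.2.20", 5, {"pgsql": (8, 2, 3), "openssh": (7, 4)}, date(2007, 1, 15)),
    Asset("hr-lt", "10.0.3.30", 2, {"officepkg": (11, 0), "pdfview": (8, 1)}, date(2007, 6, 1)),
    Asset("kiosk", "10.0.3.31", 1, {"pdfview": (7, 0)}, date(2006, 11, 20)),
]

# Constructed advisory feed (hypothetical IDs and scores).
FEED = [
    Advisory("ADV-0001", "openssh", (7, 5), 7.5),
    Advisory("ADV-0002", "pdfview", (8, 0), 9.3),
    Advisory("ADV-0003", "pgsql", (8, 2, 5), 6.5),
    Advisory("ADV-0004", "httpd", (2, 4, 0), 5.0),  # web-01 already runs the fixed version
]

AS_OF = date(2007, 6, 30)  # date of the snapshot, used for the patch-age metric


def affected(asset, adv):
    """True when the asset runs the advisory's product below the fixed version."""
    installed = asset.software.get(adv.product)
    return installed is not None and installed < adv.fixed_in


def correlate(inventory, feed):
    """host -> list of advisories that apply to it (the raw correlation)."""
    return {a.host: [adv for adv in feed if affected(a, adv)] for a in inventory}


def host_score(asset, advisories):
    """Illustrative risk weight: business criticality times the worst CVSS present."""
    return asset.criticality * max((adv.cvss for adv in advisories), default=0.0)


def weighted_exposure(inventory, feed):
    """Sum of host scores; the unrounded number behind the exposure index."""
    hits = correlate(inventory, feed)
    return sum(host_score(a, hits[a.host]) for a in inventory)


def exposure_metrics(inventory, feed, as_of=AS_OF):
    """Turn the correlation into figures that can be tracked snapshot over snapshot."""
    hits = correlate(inventory, feed)
    n = len(inventory)
    vulnerable = [a for a in inventory if hits[a.host]]
    # Normalise against the worst case (every host at criticality 5 with a CVSS 10
    # finding) so the index stays comparable as hosts are added or retired.
    worst_case = 5 * 10.0 * n
    patch_ages = [(as_of - a.last_patched).days for a in inventory]
    return {
        "assets": n,
        "assets_with_known_vuln": len(vulnerable),
        "pct_assets_with_known_vuln": round(100.0 * len(vulnerable) / n, 1),
        "high_sev_findings": sum(1 for a in inventory for adv in hits[a.host] if adv.cvss >= 7.0),
        "weighted_exposure_index": round(100.0 * weighted_exposure(inventory, feed) / worst_case, 1),
        "mean_days_since_patch": round(sum(patch_ages) / n, 1),
        "worst_hosts": [h.host for h in sorted(vulnerable, key=lambda h: -host_score(h, hits[h.host]))][:2],
    }


def best_next_fix(inventory, feed):
    """What-if ranking: the single (host, advisory) remediation that cuts exposure most.

    Simulates upgrading that one product to the advisory's fixed version, recomputes
    the weighted exposure and returns (host, adv_id, reduction)."""
    baseline = weighted_exposure(inventory, feed)
    best = (None, None, 0.0)
    for a in inventory:
        for adv in feed:
            if not affected(a, adv):
                continue
            patched = Asset(a.host, a.ip, a.criticality, dict(a.software), a.last_patched)
            patched.software[adv.product] = adv.fixed_in
            trial = [patched if x.host == a.host else x for x in inventory]
            reduction = baseline - weighted_exposure(trial, feed)
            if reduction > best[2]:
                best = (a.host, adv.adv_id, reduction)
    return best


if __name__ == "__main__":
    for name, value in exposure_metrics(INVENTORY, FEED).items():
        print(f"{name}: {value}")
    print("best next fix:", best_next_fix(INVENTORY, FEED))
```

Run the same functions over successive inventory snapshots and the index, patch age and vulnerable-host percentage become the trend line the text asks for; the what-if ranking is the number to put beside the next dollar requested, since it says which remediation buys the largest drop in weighted exposure. Note that the weighting here deliberately takes the worst finding per host rather than summing them, so ten low-severity findings on a kiosk do not outrank one critical finding on the database server.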

Level four of this maturity model refers to the concept of "Optimisation": how integration of technologies begins to reduce overall cost and complexity while adding incremental business value. Organisations want to see more done with fewer tools, calling for providers to offer multiple layers of protection and levels of compliance from technologies that don't require multiple agents, management consoles and reporting engines.

In a time when there may be a shortage of fear and, in places, a lack of accountability, adopting a capability maturity approach to security and risk may help us communicate and generate more meaningful business outcomes.

Gavin Struthers is the Australia New Zealand regional director for technology security vendor McAfee.

McAfee is an official partner of the National E-security Awareness Week.

________________________________________________

Visit www.StaySmartOnline.gov.au for details and step by step information on e-security.

Comments

CMM not an apt model

I am not sure that CMM is the best model for managing security. CMM was first developed and promoted as an approach to continuous improvement in software development. Software development -- at least as practised by product companies -- is quite different from security. It is a productive enterprise, concerned with converting complex dynamic user requirements into reliable, predictable and yet functionally rich outputs. I'm afraid to say that security in contrast is simply a cost centre. Yes, management needs to know about security, but we shouldn't be overdoing it as such.

Security should be treated as a cost centre! Security means many things -- risk management, reporting, prevention of losses, forensics etc. But none of these are economically productive activities. Certainly, there are very interesting and complicated leading edge issues in security research, like botnets, account hijacking, new malware, etc. But these should be the province of security companies' R&D teams (who might well benefit from CMM; there is nothing worse than bugs and vulnerabilities in security products!).

In my view, the most important advances that we need in ICT security-in-the-enterprise are relatively straightforward (compared with software development). They include:

- General Management: staff education and awareness around personal security behaviours: password selection, locking or logging off before leaving, clean desk policies, building security, remaining alert to social engineering attacks.

- IT Management: ensuring enterprise IT pays proper attention to perimeter security, content scanning, patching, network design etc.

- Security Industry: continue to embed and automate security technologies into platforms, operating systems and applications; engineer products to be safe out-of-the-box; automate virus updates and patches.

- Policy & Community: take strategic steps to render personal information less valuable; promote long term robust personal security approaches (like widescale smartcards as identity management tokens).

The last step in my view is vital: it would prevent ID theft, not merely react to it. Personal information currently is gold. Credit card details, personal records, government records and the like are being stolen and traded by organised crime at an ever increasing rate (if in doubt, have a look at www.etiolated.org -- it's an eye opener). Our online virtual business systems and networks today are horribly vulnerable, because nobody can really tell if a stream of ID data is real or stolen. As a community we should be taking urgent steps to render stolen data useless. See for example our work on "How to Stop ID Theft" at http://www.lockstep.com.au/technologies/technology_notes.

While the situation remains that stolen ID data is gold, I'm afraid that no amount of policy and regulation and 'maturity' is going to solve the security problem. We need to remove the criminal profit opportunity. Does anyone really think that organised crime cares about ISO 27001, Sarbanes Oxley or CMM?

Cheers,

Steve.

Stephen Wilson is Managing Director of the Lockstep Group. Lockstep Consulting provides independent advice and analysis on identity management, PKI and smartcards. Lockstep Technologies develops unique new smart technologies to address transaction privacy and web fraud.

A question of emphasis.....

I concur that CMM is not a panacea for protecting us from the bad guys, nor to change their sordid ways as they continue to subvert the net for gain. Your comments and contributions about other means to improve security are most pertinent too.

The key angle of my blog was to highlight an increasing demand for metrics to enhance security leaders' discussions with the business. These include how organizations may measure improvements to their security, justify how much should be spent on security, and show improvements to an organization's risk posture over time. I refer you to SSE-CMM (SSE-CMM.org) where there is some useful material and valuable insight into how a capability maturity model may be leveraged to improve the process capability of an organization or system security engineering function. The model refers to "quantitative modeling", the ability to generate meaningful metrics against indexes finance people understand. This has been an area lacking for most organizations.

The SSE-CMM also refers to improving an organization's System Engineering processes "to gain competitive advantage by continuously improving the effectiveness and efficiency of the systems security engineering processes used by the organization. It involves developing an understanding of the organization's processes in the context of the organization's business goals, analyzing the performance of the processes, and explicitly planning and deploying improvements to those processes". The discussion about whether security should be seen as a cost or a revenue enabler is another interesting topic for another time, or for a willing blogger ready to share their thoughts on the matter.