
SPO-303
Managing Risk in Dynamic Times: Securely Squeezing Out Cost and Complexity
Kristin Lovejoy, Director, IBM Corporate Security Strategy

Global market forces are impacting us all
• Reality of living in a globally integrated world
– Widespread impact of economic downturn and uncertainty
– Energy shortfalls and erratic commodity prices
– New customer demands and business models
– Information explosion and risk/opportunity growth
• Businesses are under increasing pressure to effectively:
– Manage operational cost and complexity
– Deliver continuous and high-quality service
– Address unprecedented security, resiliency and compliance challenges
– Harness emerging technologies to drive business innovation, efficiency and responsiveness
“We have seen more change in the last 10 years than in the previous 90.” Ad J. Scheepbouwer, CEO, KPN Telecom

The world is about to get a whole lot smarter. Welcome to the Smarter Planet…
• Globalization and Globally Available Resources
• Access to streams of information in real time
• Billions of mobile devices accessing the Web
• Privacy?
New Possibilities. New Complexities. New Risks.

Risk: New technology introduces new security challenges
• Technology innovations, like virtualization and cloud computing models, used to enable the globally integrated enterprise increase infrastructure complexity
– Lack of skills, best practices and industry expertise compounds the security challenge
• Web 2.0 and SOA-style composite applications introduce a new level of complexity
– 54% of all vulnerabilities disclosed in 2008 were web-based1
– 80% of development costs are spent identifying and correcting defects, costing $25 during the coding phase vs. $16,000 in post-production2
– View into application- and information-level entitlements is needed for regulatory compliance
[Chart: Web Application Vulnerabilities]
1 IBM Internet Security Systems: X-Force® 2008 Trend & Risk Report, Jan 2009
2 Applied Software Measurement, Caper Jones, 1996
Discussion Question: To what extent has introduction of new technologies, like virtualization, changed your approach to security and compliance management?

Risk: Data volume is exploding
What’s driving this tremendous growth?
• Records retention for regulatory and industry compliance
• Data backup and a disaster recovery environment that mirror production data for business resiliency
• Development and test requirements
• Mergers and acquisitions that lead to redundant systems, data centers, applications, etc.
• Technology innovation that makes it possible to access more data, quicker than ever before
– Data volumes double every 18 months1
– 37% of data is expired or inactive2
– Information created, captured, or replicated exceeded available storage for the 1st time in 20073
– 70% of the digital universe is created by individuals3; enterprises are responsible for the security, privacy, reliability and compliance of 85%3
– Data breach costs $6.6 million on average and more than $200 per compromised record4
– Average US legal discovery request can cost organizations from $150K to $250K5
1 “Changing Enterprise Data Profile”, IDC, December 2007
2 “The Costs of Enterprise Downtime: NA Vertical Markets 2005”, International Research; IBM Market Intelligence
3 The Diverse and Exploding Digital Universe, IDC, March 2008
4 Ponemon Institute, February 2009
5 CIO Magazine, Survey 2007
Discussion Question: How have you addressed the information explosion?
Risk: Barbarians are everywhere
• Wireless devices empower individuals to more effectively participate in the global economy
– Able to send and receive information (audio and video)
– Authentication tool for secure transactions
– Security technology is many years behind the security used to protect PCs
• Green initiatives lead to increased adoption of telecommuting strategies
– New breed of security threat: those that know no geographical boundaries
• Persistent security threat
– Privileged users with limited skills, following manual process definition, with high levels of physical and logical access
Discussion Question: Have you considered how security can enable a ‘teleworking’ strategy?

Risk: The supply chain is only as strong as the weakest link
• In an increasingly networked world, enterprises must shore up their weakest supply chain partners
• Need to collaborate in monitoring end-to-end security and respond to threats in real time
– More evenly distributed security responsibilities
– Increased transparency from start to finish
– Eased burden on the customer-facing unit
• Growing number of compliance requirements and industry standards, like the Payment Card Industry Data Security Standard (PCI-DSS), require partners to meet certain minimum requirements
Discussion Question: How does your organization ensure each link in the supply chain shoulders its fair share of the load for compliance and the responsibility for failure?
Risk: Expectation of privacy
• Consumer expectation is that security should be built in to services themselves
– 50% of consumers still avoid online purchases due to fear of financial information being stolen1
• Expectation drives regulation
• Vendors, like automakers, are expected to take a greater share of responsibility
• Critical to assess trade-offs consumers are willing to make against convenience or cost
• Risk of so much security that functionality is lost: careful not to destroy that which you are trying to protect!
1 Cyber Security Industry Alliance (CSIA) survey, May 2005
Discussion Question: To what extent is privacy driving security spend?

Risk: Compliance fatigue
• Complexity and confusion keep customers from acting strategically
– Extended relationships create a tangle of potential legal liability
– Compliance requirements are inconsistent within and across geographies
– Confusion as to where to start
• Pressure to simply “check the box” has resulted in creation of silos
– Silos lead to duplicative efforts and redundant spending as well as reduced visibility
• The CSO struggles to become a consultant to the business
– Nearly impossible without a central, risk-based view
Discussion Question: How much security and compliance control is good enough?
Not all risks are created equal
[Chart: Frequency of Occurrences Per Year (log scale from 1,000 down to 1/100,000; frequent to infrequent) plotted against Consequences (Single Occurrence Loss) in Dollars per Occurrence (log scale from $1 to $100M; low to high). Plotted events: Virus, Worms, Disk Failure, Application Outage, Data Corruption, Data Leakage, System Availability Failures, Network Problem, Failure to meet Industry standards, Lack of governance, Compliance Mandates, Workplace inaccessibility, Regional Power Failures, Natural Disaster, Terrorism/Civil Unrest, Pandemic, Building Fire.]

Neither are all Security solutions…
• Find a balance between effective security and cost
– The axiom… never spend $100 on a fence to protect a $10 horse
• Studies show the Pareto Principle (the 80-20 rule) applies to IT security1
– 87% of breaches were considered avoidable through reasonable controls
• A small set of security controls provides a disproportionately high amount of coverage
– Critical controls address risk at every layer of the enterprise
– Organizations that use security controls have significantly higher performance*
[Chart: Pressure over Time on Cost, Complexity, Effectiveness and Agility]
1 W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008
* ITPI: IT Process Institute, EMA, December 2008

The Security Foundation
Security Process – Description
• Manage Identities, Access and Entitlement – Process for assuring access to enterprise resources has been given to the right people, at the right time, for the right purpose; also supports monitoring of access to resources and auditing for unauthorized or unacceptable use
• Protect Data and Information – Capability that allows for granular protection of unstructured and structured data, as well as data leak prevention and acceptable use policy monitoring and auditing
• Implement GRC Information and Event Management – Log management capabilities designed to automate the process of auditing, monitoring and reporting on security and compliance posture across the enterprise
• Address Threats and Vulnerabilities – Process and capabilities designed to protect enterprise infrastructure from new and emerging threats
• Assure Software and System Integrity – Process for assuring integrity and efficiency of the software development lifecycle
• Manage Assets – Process for maintaining visibility and control over service and operational assets and their impact on the business
• Manage Change and Configuration – Process for assuring routine, emergency and out-of-band changes are made efficiently, and in such a manner as to prevent operational outages
• Manage Problems and Incidents – Managed security operations center or in-house Service Desk solutions designed to assure incidents are escalated and addressed in a timely manner. Forensics teams ready to respond to an emergency.
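The frequency-versus-consequence chart and the fence-and-horse axiom above describe a quantitative ranking: expected annual loss is occurrences per year multiplied by single-occurrence loss, and a control is worth buying only when the loss it removes exceeds what it costs. The following is an added example, not code from the deck or from IBM; the event names, frequencies, losses and control costs in it are constructed sample values chosen to fall on the chart's log-scaled axes, not figures from the presentation.

```python
"""Annualized loss ranking for a frequency-vs-consequence risk chart.

Added example; the risks and numbers below are constructed for illustration
and are not taken from the deck.
"""
import math

# Constructed sample risks: (name, occurrences per year, single-occurrence loss in USD)
SAMPLE_RISKS = [
    ("Virus/worm infection", 100.0, 1_000.0),
    ("Disk failure", 10.0, 10_000.0),
    ("Data leakage", 1.0, 1_000_000.0),
    ("Regional power failure", 0.01, 1_000_000.0),
    ("Building fire", 0.0001, 10_000_000.0),
]


def annualized_loss(frequency_per_year: float, single_loss: float) -> float:
    """ALE = ARO x SLE: the expected loss per year from one risk."""
    return frequency_per_year * single_loss


def chart_cell(frequency_per_year: float, single_loss: float) -> tuple:
    """Place a risk on the chart's log10 axes.

    Returns (frequency decade, loss decade); e.g. 10 failures/year costing
    $10,000 each maps to (1, 4).  Equal ALE lies on anti-diagonals of this grid.
    """
    return (math.floor(math.log10(frequency_per_year)),
            math.floor(math.log10(single_loss)))


def rank_by_annual_loss(risks):
    """Sort risks by expected annual loss, highest first."""
    return sorted(((name, annualized_loss(f, loss)) for name, f, loss in risks),
                  key=lambda item: item[1], reverse=True)


def coverage_of_top(risks, k: int) -> float:
    """Share of total expected annual loss accounted for by the top-k risks
    (the Pareto observation: a few risks carry most of the exposure)."""
    ranked = rank_by_annual_loss(risks)
    total = sum(ale for _, ale in ranked)
    return sum(ale for _, ale in ranked[:k]) / total if total else 0.0


def control_is_justified(control_annual_cost: float, frequency_per_year: float,
                         single_loss: float, reduction: float) -> bool:
    """The fence-and-horse test: a control pays off only if the annual loss it
    prevents (ALE times the fraction of risk it removes) exceeds its annual cost."""
    prevented = annualized_loss(frequency_per_year, single_loss) * reduction
    return prevented > control_annual_cost


if __name__ == "__main__":
    for name, ale in rank_by_annual_loss(SAMPLE_RISKS):
        print(f"{name:<24} expected annual loss ${ale:>12,.0f}")
    print(f"top risk carries {coverage_of_top(SAMPLE_RISKS, 1):.0%} of exposure")
    # A $100 fence for a $10 horse (stolen once a year) is never justified.
    print("fence justified:", control_is_justified(100.0, 1.0, 10.0, 1.0))
```

The ranking, not the raw frequency or the raw loss, is what decides where the "small set of controls" goes: a frequent, cheap event and a rare, expensive one can carry the same annual exposure, while the control test filters out spending that costs more than the loss it prevents.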
Thank You
IBM: Comprehensive Security Risk & Compliance Management

Disclaimer
• The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.
Format: pdf
Size: 1MB
Uploaded: 2010-10-14