Managing Risk in Dynamic Times: Securely Squeezing Out Cost and Complexity
Kristin Lovejoy
Director, IBM Corporate Security Strategy
Global market forces are impacting us all
• Reality of living in a globally integrated world
– Widespread impact of economic downturn and uncertainty
– Energy shortfalls and erratic commodity prices
– New customer demands and business models
– Information explosion and risk/opportunity growth
• Businesses are under increasing pressure to effectively:
– Manage operational cost and complexity
– Deliver continuous and high-quality service
– Address unprecedented security, resiliency and compliance challenges
– Harness emerging technologies to drive business innovation, efficiency and responsiveness
“We have seen more change in the last 10 years than in the previous 90.” Ad J. Scheepbouwer, CEO, KPN Telecom
The world is about to get a whole lot smarter. Welcome to the Smarter Planet…
[Figure: globalization and globally available resources; access to streams of information in real time; billions of mobile devices accessing the Web. Privacy?]
New Possibilities. New Complexities. New Risks.
Risk: New technology introduces new security challenges
• Technology innovations, like virtualization and cloud computing models, used to enable the globally integrated enterprise increase infrastructure complexity
– Lack of skills, best practices and industry expertise compounds the security challenge
• Web 2.0 and SOA-style composite applications introduce a new level of complexity
– 54% of all vulnerabilities disclosed in 2008 were web-based (web application vulnerabilities)1
– 80% of development costs are spent identifying and correcting defects; fixing a defect costs $25 during the coding phase vs. $16,000 in post-production2
– A view into application- and information-level entitlements is needed for regulatory compliance
1 IBM Internet Security Systems: X-Force® 2008 Trend & Risk Report, Jan 2009
2 Applied Software Measurement, Capers Jones, 1996
Discussion Question:
- To what extent has the introduction of new technologies, like virtualization, changed your approach to security and compliance management?
Risk: Data volume is exploding
What’s driving this tremendous growth?
• Records retention for regulatory and industry compliance
• Data backup and a disaster recovery environment that mirror production data for business resiliency
• Development and test requirements
• Mergers and acquisitions that lead to redundant systems, data centers, applications, etc.
• Technology innovation that makes it possible to access more data, quicker than ever before
→ Data volumes double every 18 months1
→ 37% of data is expired or inactive2
→ Information created, captured, or replicated exceeded available storage for the first time in 20073
→ 70% of the digital universe is created by individuals3, yet enterprises are responsible for the security, privacy, reliability and compliance of 85% of it3
→ A data breach costs $6.6 million on average and more than $200 per compromised record4
→ The average US legal discovery request can cost organizations from $150K to $250K5
1 “Changing Enterprise Data Profile”, IDC, December 2007
2 “The Costs of Enterprise Downtime: NA Vertical Markets 2005”, International Research; IBM Market Intelligence
3 The Diverse and Exploding Digital Universe, IDC, March 2008
4 Ponemon Institute, February 2009
5 CIO Magazine, Survey 2007
Discussion Question:
- How have you addressed the information explosion?
Risk: Barbarians are everywhere
• Wireless devices empower individuals to more effectively participate in the global economy
– Able to send and receive information (audio and video)
– Authentication tool for secure transactions
– Security technology on these devices is many years behind the security used to protect PCs
• Green initiatives lead to increased adoption of telecommuting strategies
– New breed of security threat: those that know no geographical boundaries
• Persistent security threat
– Privileged users with limited skills, following manual process definitions, with high levels of physical and logical access
Discussion Question:
- Have you considered how security can enable a ‘teleworking’ strategy?
Risk: The supply chain is only as strong as the weakest link
• In an increasingly networked world, enterprises must shore up their weakest supply chain partners
• Need to collaborate in monitoring end-to-end security and respond to threats in real time
– More evenly distributed security responsibilities
– Increased transparency from start to finish
– Eased burden on the customer-facing unit
• A growing number of compliance requirements and industry standards, like the Payment Card Industry Data Security Standard (PCI DSS), require partners to meet certain minimum requirements
Discussion Question:
- How does your organization ensure each link in the supply chain shoulders its fair share of the load for compliance and the responsibility for failure?
Risk: Expectation of privacy
• Consumer expectation is that security should be built in to services themselves
– 50% of consumers still avoid online purchases due to fear of financial information being stolen1
• Expectation drives regulation
• Vendors, like automakers, are expected to take a greater share of responsibility
• Critical to assess the trade-offs consumers are willing to make against convenience or cost
• Risk of so much security that functionality is lost: be careful not to destroy that which you are trying to protect!
1 Cyber Security Industry Alliance (CSIA) survey, May 2005
Discussion Question:
- To what extent is privacy driving security spend?
Risk: Compliance fatigue
• Complexity and confusion keep customers from acting strategically
– Extended relationships create a tangle of potential legal liability
– Compliance requirements are inconsistent within and across geographies
– Confusion as to where to start
• Pressure to simply “check the box” has resulted in the creation of silos
– Silos lead to duplicative efforts and redundant spending as well as reduced visibility
• The CSO struggles to become a consultant to the business
– Nearly impossible without a central, risk-based view
Discussion Question:
- How much security and compliance control is good enough?
Not all risks are created equal
[Figure: log-log chart of frequency of occurrences per year (1/100,000 to 1,000, “infrequent” to “frequent”) against consequences, i.e. single-occurrence loss in dollars per occurrence ($1 to $100M, “low” to “high”). Frequent, low-consequence events sit near the top left: virus, worms, disk failure, application outage, data corruption, data leakage. Mid-range: system availability failures, application outage, network problem, failure to meet industry standards, lack of governance. Rare, high-consequence events sit near the bottom right: compliance mandates, workplace inaccessibility, regional power failures, natural disaster, terrorism/civil unrest, pandemic, building fire.]
Neither are all security solutions…
• Find a balance between effective security and cost
– The axiom: never spend $100 on a fence to protect a $10 horse
• Studies show the Pareto Principle (the 80-20 rule) applies to IT security1
– 87% of breaches were considered avoidable through reasonable controls
• A small set of security controls provides a disproportionately high amount of coverage
– Critical controls address risk at every layer of the enterprise
– Organizations that use security controls have significantly higher performance*
[Figure: “Pressure” plotted over “Time”, with series labelled Cost, Complexity, Effectiveness and Agility]
1 W.H. Baker, C.D. Hylender, J.A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008
* ITPI: IT Process Institute, EMA, December 2008
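The two slides above describe a quantitative way of deciding where to spend: plot each risk by how often it happens and how much one occurrence costs, rank by the product, and then refuse to buy a control that costs more per year than the loss it removes. The following Python sketch is an added example, not code from IBM or the presenter. It turns the chart’s two axes into an annualized loss expectancy, ranks a constructed risk catalog, checks the Pareto share carried by the top few risks, and applies the fence-and-horse axiom to a candidate control. Every risk name, frequency, loss figure and control cost in it is an assumed value chosen for illustration, not a measurement.

```python
"""Quantitative risk ranking and control cost-benefit check.

Added example for this page (not IBM's or the presenter's code). The
risk entries and every number below are constructed to illustrate the
chart's axes (occurrences per year vs. single-occurrence loss in
dollars); they are not measurements from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    frequency_per_year: float   # annual rate of occurrence (ARO), chart y-axis
    loss_per_occurrence: float  # single loss expectancy (SLE) in dollars, chart x-axis

    @property
    def annual_loss(self) -> float:
        """Annualized loss expectancy (ALE) = ARO x SLE."""
        return self.frequency_per_year * self.loss_per_occurrence


# Constructed catalog, placed roughly as the chart places them: frequent
# low-consequence events first, rare high-consequence events last.
CATALOG = [
    Risk("Virus / worms", 1000, 50),
    Risk("Disk failure", 100, 2_000),
    Risk("Application outage", 20, 25_000),
    Risk("Data leakage", 0.5, 6_600_000),        # assumed; uses the page's average breach cost
    Risk("Failure to meet industry standards", 0.2, 1_000_000),
    Risk("Regional power failure", 0.05, 2_000_000),
    Risk("Building fire", 0.002, 50_000_000),
]


def rank_by_annual_loss(risks):
    """Return the risks sorted by ALE, highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.annual_loss, reverse=True)


def pareto_share(risks, top_n):
    """Fraction of total ALE carried by the top_n risks (the 80-20 check)."""
    ranked = rank_by_annual_loss(risks)
    total = sum(r.annual_loss for r in ranked)
    return sum(r.annual_loss for r in ranked[:top_n]) / total


def control_is_worth_it(risk, annual_control_cost, reduction):
    """Fence-and-horse axiom: a control pays for itself only if the ALE it
    removes exceeds its own yearly cost. `reduction` is the fraction of
    the risk's ALE the control eliminates (0..1). Returns (worth_it, net)."""
    saved = risk.annual_loss * reduction
    net = saved - annual_control_cost
    return net > 0, net


if __name__ == "__main__":
    for r in rank_by_annual_loss(CATALOG):
        print(f"{r.name:40s} ARO={r.frequency_per_year:>8} "
              f"SLE=${r.loss_per_occurrence:>12,.0f} ALE=${r.annual_loss:>12,.0f}")
    print(f"top 2 risks carry {pareto_share(CATALOG, 2):.0%} of expected loss")

    leakage = next(r for r in CATALOG if r.name == "Data leakage")
    virus = next(r for r in CATALOG if r.name == "Virus / worms")
    # Assumed controls: a $400K/yr data-protection programme cutting leakage ALE
    # by 40%, and a $100K/yr anti-virus overhaul cutting virus ALE by 90%.
    print("data-protection programme:", control_is_worth_it(leakage, 400_000, 0.4))
    print("anti-virus overhaul:      ", control_is_worth_it(virus, 100_000, 0.9))
```

The second control is the $100 fence: it removes 90% of a risk whose expected yearly loss is only $50,000, so at $100,000 a year it loses money even though it is technically effective. Ranking by ALE rather than by frequency or by headline loss alone is what surfaces that; the raw chart position of “virus” (top left) makes it look like the most urgent item.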
The Security Foundation
Security Process: Description
Manage Identities, Access and Entitlement: Process for assuring access to enterprise resources has been given to the right people, at the right time, for the right purpose; also supports monitoring of access to resources and auditing for unauthorized or unacceptable use
Protect Data and Information: Capability that allows for granular protection of unstructured and structured data, as well as data leak prevention and acceptable use policy monitoring and auditing
Implement GRC / Information and Event Management: Log management capabilities designed to automate the process of auditing, monitoring and reporting on security and compliance posture across the enterprise
Address Threats and Vulnerabilities: Process and capabilities designed to protect enterprise infrastructure from new and emerging threats
Assure Software and System Integrity: Process for assuring integrity and efficiency of the software development lifecycle
Manage Assets: Process for maintaining visibility and control over service and operational assets and their impact on the business
Manage Change and Configuration: Process for assuring routine, emergency and out-of-band changes are made efficiently, and in such a manner as to prevent operational outages
Manage Problems and Incidents: Managed security operations center or in-house service desk solutions designed to assure incidents are escalated and addressed in a timely manner; forensics teams ready to respond to an emergency
Thank You
IBM: Comprehensive Security Risk & Compliance Management
Disclaimer
• The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.
This document is [SPO-303].