Cover Story | Global Information Security

The 5th Annual Global State of Information Security

The End of Innocence

Five years ago, when CIO and PricewaterhouseCoopers collaborated on the first "Global State of Information Security" survey, very few people knew how bad the problem was. Now everyone knows. They just don't know how to fix it.

By Scott Berinato

Reader ROI
:: Why the security function is being reabsorbed into IT
:: Why security needs to become proactive to reduce enterprise risk
:: Why outsourcing to Latin America is a risky proposition

Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving.

For the fifth straight year, CIO, CSO and PricewaterhouseCoopers (PWC) present select results and analysis from the "Global State of Information Security" survey, the world's largest, most comprehensive annual information security survey. And the first question to ask is, Are you feeling anxious?

Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues—these spam e-mails, these bots, these rootkits—will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don't know?

Yeah, you're feeling it. You're feeling it because you're seeing it. According to the 2007 survey, a comprehensive canvassing of 7,200 respondents on six continents, you see the information security problem more clearly than ever before. You're seeing it because you've created tools and systems in order to see it. For example:

You've added processes. Three years ago, only 37 percent of companies reported having an overall security strategy. This year, 57 percent did. Also, nearly four out of five companies conducted enterprise risk assessments, at least periodically.

You've deployed technology. Nine out of 10 respondents said they use firewalls, monitor users and rely on intrusion detection infrastructure, and that number approached 98 percent when responses were limited to larger companies (more than $1 billion in revenue). Encryption is at an all-time high, with 72 percent reporting some use of it (compared to 48 percent last year).

You've hired people. The number of CISOs and CSOs employed continues to rise. And the mean number of information security workers per company has topped 100, most likely due to more outsourcing and the use of contract employees.

You've crafted an infrastructure for understanding. You're seeing it, and that's why you're feeling it. You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.

Awareness may be at an all-time high, but awareness doesn't equal improvement, and awareness doesn't bring happiness. The sad fact is that the strides made to date have not crossed the threshold from seeing to fixing.

"That next level of maturity has not been reached," says Mark Lobel, a principal with PWC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting. Where's that console that says, 'Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact?'"

Read on for more on what awareness has led to and other insights from the "Global State of Information Security 2007" survey.

The Infrastructure Is in Place

Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among those companies that don't have all these techniques in place, the priority for adding them is remarkably low, indicating that most people who think they need these things now have them.

| 2006 | 2007 | Priority for 2008
People: You have a...
CSO | 21% | 28% | 13%
CISO | 22% | 32% | 17%
CPO | 16% | 22% | 14%
Processes: You have...
An overall security strategy | 37% | 57% | 13%
A baseline for customers/partners | 25% | 42% | 10%
Centralized SIM | 34% | 44% | 11%
Technology: You deploy...
Firewalls | 77% | 93% | 15%
Encryption | 43% | 72% | 25%
IDS/A-V/other detection* | 57% | 90% | 28%
Data backup | 78% | 82% | 14%
User security/ID management* | 73% | 89% | 33%
IPS/filters* | 44% | 83% | 22%
Internet security* | 31% | 70% | 14%
* Before 2007, these categories were not consolidated; the percentage given is for the highest of the subcategories.

"I See," Said the Blind Man

Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.

Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.

"What's happening is we're doing a better job with logging and understanding situations," says Ron Woerner, former information security manager at ConAgra Foods, now security engineering consultant at TD Ameritrade. "For a while, I think, ignorance was bliss. Now, with all the technology in place, we're learning that we all have the same problems."

Here's how building a security infrastructure can lead to more employees named as culprits in security incidents. A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey) and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.

We've Seen the Enemy; It's You

This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.

Likely Sources of Incidents
Recognition of the insider threat is a sign that awareness is increasing, largely due to the controls that have been put in place over the past five years.

Who attacked us? | 2006 | 2007 | 2007, security executives only
Employee/former employee | 51% | 69% | 84%
Hacker | 54% | 41% | 40%

Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person. This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.

What You Don't Know... Could Fill Volumes

But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year. The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.

I Dunno
Increasingly, those involved in information security reply "Don't know" when asked about the number and nature of security incidents.

| 2006 | 2007 | 2007, CSO/CISO only
Number of incidents | 29% | 40% | 32%
Type of attack | 26% | 45% | 29%
Primary method used | 26% | 33% | 20%

It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse.

The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."

Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering. If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what's happening and block the most ham-fisted attacks.

But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence—understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.

Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.

Conventional Wisdom

Five truths that have emerged from five years of the "Global State of Information Security" survey

After five years of conducting the "Global State of Information Security" survey, we have noted some critical trends in information security. We've also uncovered non-trends: numbers that remain so constant and predictable that we can now call them conventional wisdom. Here, then, are five pieces of wisdom based on numbers in the survey that never seem to change.

Spending lags. You're always about 10 percent happier with security policy's alignment with the business than you are with security spending's alignment. Over the years, roughly 85 percent of you have said that your security policies are completely or somewhat aligned with the business, while just 75 percent said that about spending. After all, who doesn't want more money?

Partners too. You're more confident in your own security than that of your partners, suppliers and vendors. Once again, around 80 percent to 85 percent of you were either very or somewhat confident in your security, but when you were asked about partners and vendors, the number dropped to between 70 percent and 75 percent. Remember, you're someone's partner, and he's not too thrilled about you either.

Few are cocky. About one in 12 of you think very highly of yourselves. Since 2003, the number of respondents who claimed their users were in 100 percent compliance with their security policies hovers around 8 percent.

Size doesn't matter. Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenues are. Size of company matters less in security spending than industry. Technology companies spend the most; nonprofits and educational enterprises spend the least.

Banks lead. Financial services companies are attacked more but suffer less. Over the years, respondents in the money business have reported more security incidents without having an appreciable increase in losses or downtime as a result. They do this despite not having significantly larger security budgets than others. The financial sector models best practices. See .com/The_Global_State_of_Information_Security/5. –S.B.

Why You Have to Change Your Strategy

What can be done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. Information and security executives should, for example, be putting their dollars into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and they should troll the Internet underground for the latest trends and leads. Dozens of security companies do just this and provide subscriptions to research services.

"We have to start addressing the human element of information security, not just the technological one," says Woerner. It's only then that companies will stop being punching bags. Only then will they be able to hit back.

IT Strikes Back

Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend. The IT department wants to control security again.

In the first year of collaboration on this survey (see .com/article/29841), CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.

The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."

And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.

In 2007, this trend didn't slow down; it flipped. What's more, the reversal was most pronounced in the largest companies. For example, respondents chose from 12 possible functions to which their CISO could report. Those 12 functions were divided into three categories:
1. IT (CIO, CTO)
2. Neutral (board, CEO, CFO, COO, legal)
3. Security (CSO, risk, security committee, CPO, audit)

To allow respondents to select more than one of these answers, we created "shares," the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.

Reporting to IT
Respondents have some reporting relationship to the following groups

| 2006 | 2007 | 2007 (>$1B revenue)
IT | 41% | 53% | 60%
Neutral | 76% | 79% | 68%
Security | 44% | 46% | 48%

A 12 percent rise in the number of security executives reporting to IT is hugely significant. And when you slice that by large companies, it's a 19 percent rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.

M. Eric Johnson, an economist who specializes in information security issues at Dartmouth College, says, "We actually analyzed the org charts, and the solid-line relationships are going back to IT and the CIO. CISOs have gobs of dotted line relationships, but IT is dominating reporting structures and the budgets."

Indeed, the trend is even more pronounced when you follow the money trail.

Security Dollars Come from IT
[Chart: Funding for information security comes from (respondents could check more than one). Series: IT, Finance, Risk, Marketing, Compliance/Reg., Legal, HR; years 2005, 2006, 2007; vertical axis 0 to 70 percent. IT is the dominant source in every year.]

Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of convergence paying dividends. By combining building access and network access in one system, you save money, improve efficiency and create a single view into both physical threats (illegal entry) and digital ones (illegal network access). And for four years, convergence of physical and IT security steadily increased. Until this year.

Physical and Information Security Converge, Then Diverge

Information and physical security are separate
| Overall | Revenue $1B or more
2003 | 71% | NA
2004 | 50% | NA
2005 | 47% | NA
2006 | 25% | 36%
2007 | 46% | 55%

Information and physical security report to the same executive leader
| Overall | Revenue $1B or more
2003 | 26% | NA
2004 | 11% | 22%
2005 | 31% | 24%
2006 | 40% | 33%
2007 | 34% | 27%

Respondents who do not integrate physical and information security personnel: 69%. Of those, percent with no plans to integrate personnel: 80%.

Mid-Market Security
The mid-market has its unique challenges, and it's increasingly being targeted by online criminals. Read all about it at www.com/article/29098.

And Furthermore

More data points to ponder from the "Global State of Information Security" survey

"Uh, Boss? Can We Talk?"
Are security and IT communicating enough with the CEO? By comparing their answers, we find some startling disconnects.

What the Boss Thinks; What You Know
CEOs seem to think their enterprises are a lot more secure (and their employees more reliable) than CIOs and security leaders do. Conversely, CIOs and security leaders are a lot more optimistic about their budgets than are their CEOs.

| CEO | CIO | CISO/CSO/InfoSec Dir.
We've had an unknown number of incidents | 18% | 25% | 28%
We've had fewer than 10 security incidents | 74% | 65% | 53%
An employee or former employee was the source of the incident | 44% | 71% | 83%
We do not conduct enterprise risk assessments | 31% | 21% | 13%
Security spending will increase in '07 | 41% | 53% | 57%
Spending will stay the same | 41% | 32% | 28%

We Need to Be, But Aren't, in Compliance
Again, CEOs are far more confident than their CIOs and security execs that their enterprises are compliant. Either the CEOs are clueless, or the people who should know aren't telling.

Not in compliance with: | CEO | CIO | CISO/CSO/InfoSec Dir.
HIPAA | 9% | 14% | 27%
Sarbanes-Oxley | 9% | 20% | 32%
State privacy breach laws | 10% | 12% | 21%

Privacy: Better, But...
Perhaps because of the sheer number of incidents involving privacy breaches, companies have improved their privacy practices. They are increasingly separating privacy from security and also separating security governance (which would take part in setting privacy policy) from tactical security. That means, for example, the people deploying monitoring tools aren't the ones setting the usage policy for those tools. But more work needs to be done. Some of the key steps to ensuring data privacy—encrypting databases, classifying data by risk level—haven't become standard practice. The industry least likely to have adopted privacy practices is technology. A privacy leader? Consumer banking.

Privacy Best Practices
| Employ a CPO | Separate privacy & security | Separate security gov. & ops. | Classify data by risk
Overall | 22% | 54% | 66% | 70%
>$1B revenue | 30% | 66% | 58% | 79%
Financial services | 33% | 64% | 60% | 80%
Consumer financial | 41% | 69% | 55% | 90%
Retail | 14% | 51% | 66% | 58%
Health insurance | 49% | 72% | 49% | 81%
Healthcare provider | 53% | 73% | 65% | 64%
Technology | 22% | 49% | 72% | 77%

More on Privacy
While 60 percent of survey respondents posted privacy policies internally, only 24 percent posted policies on their external websites. Only 28 percent audited their privacy standards through a third party. Sounds like a cover-your-butt ploy; after all, if you don't have a policy posted, you can't be sued for violating or not living up to it. And if you haven't had your privacy audited, you don't have to fix all the problems an audit would find.

Respondents who do not keep an accurate inventory of user data: 69%
Respondents who do not keep an accurate inventory of where data is stored: 67%

Region of Risk
One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. Here are some select findings.

| InfoSec budget as % of IT budget | Do not conduct risk assessment | Budget will rise more than 10% in '07 | >1 day downtime
Overall | 15% | 23% | 20% | 8%
U.S. and Canada | 19% | 12% | 16% | 7%
South America | 19% | 36% | 30% | 15%
Brazil | 16% | 43% | 29% | 21%
China | 19% | 33% | 28% | 13%
Mexico | 21% | 32% | 26% | 13%
India | 21% | 17% | 33% | 9%

Who's in Charge?

Signs of IT's control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—sometimes two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices? One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

"What I hear from CIOs," says Johnson, "is at the end of the day they're responsible for failures anyway. They're on the line whether security is separate or not." Why wouldn't the CIO want to control something he's ultimately responsible for?

On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit."

Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure. That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department's expenses?

Whatever the reason, the trend is disturbing to some security professionals, especially at a time when they play an ever more central role in corporate crises, and in society in general. The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the juggernaut of commerce and productivity it has become will require more, not less, input from security. But right when the best and brightest security minds are needed most, they're being valued less.

Scott Berinato is executive editor of CSO.

Illustration by Guy Billout

METHODOLOGY
The "Global State of Information Security 2007" survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6, 2007, through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%), South America (12%) and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.