Technology company leaders face a unique security challenge, as breaches not only impact their products and services but also their enterprise assets. Here is how they can take a comprehensive approach to addressing these challenges.
Overcoming Security Shortcomings: Why Tech Companies Must Embrace a 360-Degree Perspective
Cognizant 20-20 Insights

Executive Summary

Companies across industries depend on products created by technology vendors to run their infrastructure, enable communications, deliver business and consumer applications, power mobile devices and facilitate social experiences. In many ways, these products have become the nerve center for business, which makes them highly visible targets for security threats — intentional or otherwise.

Technology companies face security challenges like any other business. But what makes it a significant business concern is that security issues also directly impact their products and services. This unique double whammy not only places their enterprise assets at risk (including customer data, transaction data and intellectual property), but also threatens the integrity of their products. All this sets off painful and expensive reputational damage control exercises around patching vulnerabilities, delivering product revisions and restoring customer confidence. This white paper discusses the unique challenges technology industry business leaders must address to keep their companies ahead of the game. It also provides a perspective on how a more comprehensive approach can help technology companies address these challenges.

Security Attacks Persist

According to the Digital Forensics Association, between 2005 and 2011 U.S. businesses publicly reported 3,765 security breach incidents, costing more than $156 billion.1

Each time a security breach is revealed by the media, business leaders become more concerned about the vulnerabilities of their own organizations in today’s always connected and available digital enterprise. Unauthorized sharing of digital information by Wikileaks and Anonymous made this abundantly clear.2 Security breaches, whether through a failure in an organization’s own security implementation or through a security flaw within the technology company’s products and services themselves, can result in millions in financial losses. On top of the monetary impact, negative publicity can have a serious impact on brand and customer trust — not to mention the potential to undermine competitive advantage, particularly if confidential corporate trade secrets and intellectual property are exposed to rivals. And if security glitches are not identified and remediated quickly, companies are susceptible to further exploitation. Moving forward, technology companies are expected to become a higher value target for organized crime as infiltration of their Web-enabled products and services offers a potential windfall in illegally gained profits.
cognizant 20-20 insights | november 2011
Forms of attack have evolved distinctly over the years. In the ’80s, attacks were primarily targeted at the physical infrastructure layer where data was stored on archival tapes. With the rise of the Internet and online communications in the ’90s, networks became the target asset. At this time, the concepts of security and compliance were an afterthought at best. Since 2000, as Web-based applications and services, along with email, gained widespread popularity, business vulnerabilities were concentrated in the virtual environment. Finally, in the current decade, with the rise of social media and online private transactions, personal and private data are the primary target asset of hackers seeking to exploit security vulnerabilities.

Moreover, the primary threat of single hacker attacks on corporate data has shifted to concern over organized attacks from criminal elements or even from more sophisticated foreign powers. Your organization is a target, whether you know it or not. Today, technology companies must focus on both the security and safety of their enterprise as well as the security and safety of their products and services. Proactive assessment of emerging technologies and a forward vision of adoption are vital to building robust security features. The naïve view that “it won’t happen to us” needs to be jettisoned, and quickly, and replaced with a clarion call to action: “How do we stop it happening to us?”

Tech Companies Hit by Security Vulnerabilities since 2009

• Security failure in EDS’ RSA product cost customers an estimated $100 million.
• Hackers stole personal information of 77 million members of the Sony PlayStation Network in multiple waves, costing Sony $20 million in lost revenue and much more in settlements.
• A major data security breach at Monster.com led to the theft of usernames, passwords, and contact and personal information, and resulted in the company spending $80 million to repair and improve its platform.
• Adobe Systems investigated incidents involving sophisticated, coordinated attacks against corporate networks.

Technology companies face potential external and internal security threats. Unsecured activities such as opening email attachments, installing uncertified software downloads and Wi-Fi computing through mobile devices can be just as lethal as intentional malicious attacks like SQL injection, cross-site scripting, brute-force attacks on passwords and cryptographic keys, and unauthorized access. Traditional information systems and infrastructure relying on Web applications/services, encryption, etc. are extremely susceptible to various forms of security incursions. (Ask yourself, “why do organizations still use passwords to protect corporate assets?” or “why aren’t security policies strictly enforced?” The answer reflects how serious an organization is about protecting the assets under its control.) Adoption of new business virtualization models like SaaS, outsourcing, online transactions and mobile computing is based on on-demand and ubiquitous provisioning of services and multi-tenancy/shared access to data and to application services. These attributes greatly amplify vulnerabilities due to increased transactional, operational and technical interconnectivities. If your security organization is struggling today, how effectively can it adapt to the mounting challenges of these evolving technologies?

Figure 1: Security Risk Matrix (enterprise vs. product, internal vs. external)
• Internal enterprise risks. Examples: email servers, employee mobile phones.
• External enterprise risks. Examples: social networks, B2B network.
• Internal product risks. Examples: stolen hardware, stolen code.
• External product risks. Examples: hacked customer accounts, SaaS product security.

Furthermore, technology companies face threats that originate from security gaps in the very products and services they create. Vendors often give higher priority to product features, customer experience, usability and aesthetics than to security capabilities, and attackers exploit the resulting vulnerabilities. For technology vendors to fully assess vulnerabilities and potential threats, they must address threats at all external and internal touchpoints from an end-to-end perspective. This means creating a comprehensive threat and risk landscape. Technology companies should not be overconfident that no security vulnerability has been introduced into their infrastructure or products, either by accident or on purpose.

Challenges in Protecting Enterprise Assets

Security threats can extend beyond network/application outages or reputational defacement. Many attacks are specifically targeted to steal information. An enterprise is rich in valuable information assets that contribute to the strategy, operations and delivery of its products and services. Some information assets, like customer account and personal details, can have severe legal and financial implications for the enterprise. Leakage of assets such as confidential keynotes, fiscal plans, product road maps, leads and opportunities, etc. can wipe out substantial revenue and share price in the short term; leakage of other assets such as intellectual property could cripple long-term viability.

Figure 2: Security Vulnerabilities Within the Enterprise (areas of vulnerability)
• External touchpoints: customer portals, partner portals, social media, B2B partners, distributors, supply chain.
• Technology offerings and channels: cloud-based products, services and infrastructure; mobile services and infrastructure; traditional products, services and infrastructure.
• Internal users: sales, product marketing/management/PR, customer support, wikis, content management.

As briefly covered in the previous section, existing infrastructure technologies are extremely vulnerable. Most enterprises are connected to the outside world through the Internet, VPNs, B2B networks, etc., and unfortunately all of these channels are susceptible to unauthorized and unauthenticated access. Virtual environments epitomized by cloud and mobile computing add to these security challenges.

Figure 3: Challenges in Protecting Enterprise Assets
Assets at risk: fiscal plans and strategic initiatives; customer credit/bank details and transaction data; sales leads, opportunities, deals and discounts; intellectual property; partner list, partner profile and buying patterns; employee payroll and personal data; product catalog and price lists; enterprise content/knowledge base.
• Cloud computing: virtualization introduces many interconnectivities and vulnerabilities.
• Current infrastructure: Web applications, Web services and encryption are highly prone to security attacks.
• Mobile computing: devices capable of running malware; ability to evade intrusion detection systems.
• Regulations: dynamic regulations dictate compliance in data structure, storage, security policies, etc.

As a result of these challenges, enterprises are impacted in three major areas (see Figure 4).

Figure 4: Security Attacks’ Impact
Financial impact:
• Lost time in product development due to insufficient security assessment(s).
• Direct revenue impact due to lost product opportunities.
• Impact due to delays in product development.
Brand and customer impact:
• Customer service issues crop up, leading to issues in customer satisfaction.
• Branding suffers due to low customer satisfaction and customer retention issues.
Operational model impact:
• Impact to customer-facing portals, newer business models around SaaS deployment, etc.
• Security issues directly impact scalability of Web sites and could possibly lead to blacklisting, etc.

Securing the Enterprise with a Framework-based Approach

Security must be approached using a holistic perspective — both for the enterprise itself, as well as for the well-being of customers. There are two key aspects to consider when building a solution framework. One is to approach security as an enterprise asset feature; the other is to approach it from a product feature point of view (see Figure 5).
Figure 5: Enterprise Security Enablement Methodology
Security as a ‘key product feature’ and security as a ‘key enterprise asset feature’, delivered through a methodology covering organization, process, policy and technology.
Differentiators:
• Security should be the central theme of both enterprise asset protection and product management.
• Charter for an enterprise and product security office.
• Clear criteria for confidentiality, authorization, authentication and non-repudiation.
• Scalability and flexibility for new business models and emerging technologies.
• Continuous vulnerability assessment and risk monitoring.
Benefits:
• Robust enterprise brand, security and trust, growth.
• Healthy and successful customer ecosystem.

Foremost, clear policies and standards must be defined for security. These must consider the classification of information and the respective degree of its confidentiality. Furthermore, these procedures should describe the set of personnel who may have access to the specific information and what procedures to follow when authenticating for access. In order to ensure executive oversight over enterprise and product security, a dedicated organization with a specific security charter must be enabled. The organization should also be responsible for building the required business process and technology capabilities to ensure security is a key requirement in every stage of operations. Most technology companies today have this group in place, but the emphasis placed on the importance of this group varies. The emphasis usually changes after a security attack or mishap.

Subject-matter experts (SMEs) with appropriate domain expertise, program managers and analysts should own and have direct responsibility for the delivery of comprehensive security within their spheres of influence. Specific processes, like continuous risk monitoring, vulnerability assessment, contingency planning and response, collaborative product lifecycle management, etc., must be built into the information systems environment. Furthermore, these processes must be both flexible and scalable to ensure that security is delivered even for new and disruptive business models. To a large extent, similar concepts of flexibility and scalability apply to the adopted technologies as well. Emerging technologies must be constantly analyzed and their current state must be dynamically assessed for vulnerabilities. As the threat landscape has continuously evolved, ask yourself if or how your organization’s approach to security has changed in response to changing vulnerabilities. Is your organization ready for these new threats?

We provide a security solution based on a proven framework that offers capabilities specific to an organization’s needs (see Figure 6).
Figure 6: A Managed Services Security Framework
Risk management and compliance; ITIL- and ISO 27001-based service delivery; Managed Security Services Framework, operated from a Security Operations Center. Capabilities are grouped as Monitor, Assess and Manage across the enterprise, application, system, network and product layers:
• Monitor: security information and event management; business continuity/disaster recovery; incident management; compliance and security program monitoring; emerging technologies/new business model analysis.
• Assess: vulnerability assessment and penetration testing; end-point and third-party access analysis; infrastructure/configuration health checks; SDLC security management and testing; use/misuse case analysis and testing.
• Manage: identity and access management; workflow and reporting; enterprise data protection services; network security and system/end-point content support; DR configuration; security as a requirement/feature.

Why Cognizant?

We can provide a customized security solution based on our Managed Security Services framework, which can assist with discovering areas of vulnerability in your enterprise across products/offerings, applications, networks and infrastructure that, if they go unnoticed, may directly affect your business. Our global security operations center can supplement your security monitoring and employ new technologies to help maintain a watchful eye over your key assets. We can help design, build or improve your enterprise security design, security organization and industry-certified service delivery models.

Remember, there is no one answer for solving security vulnerabilities. There is no magic bullet for security! Securing an organization against today’s sustained threats requires a diligent, well-thought-out and comprehensive security program. Without a proper security program, any organization is liable to become another negative statistic. By improving your organization’s security posture, substantial internal and external benefits can be realized (see Figure 7).

Figure 7: Benefits of a Managed Services Security Framework
Benefits for technology enterprises:
• Increased brand value and reduced negative PR due to reduced impact of thwarted security attacks.
• Reduced data theft, legal implications and financial loss.
• Increased revenue due to robust and secure products.
• Reduced impact to business operations.
Benefits for technology customers:
• Worry-free transactions protecting customer sensitive data like identity, credit/bank details, buying patterns, etc.
• Increased profitability and branding due to robust operations and thwarted security attacks.
Looking Ahead

Dynamic and disruptive business models and technologies will continue to emerge, and it is imperative that technology enterprises acknowledge and embrace them. Unfortunately, the same powerful technologies are available to antisocial elements as well, and the online ecosystem makes almost any enterprise — and specifically technology enterprises — a vulnerable target. Paying attention to and providing comprehensive security will separate leaders from laggards in the software, high-tech and online industries.

Start Today

For more information on how to drive your business results, contact us at inquiry@cognizant.com or visit our website at: www.cognizant.com.
Footnotes
1 Digital Forensics Association, “The Leaking Vault - Six Years of Data Breaches,” August 2011.
2 http://en.wikipedia.org/wiki/Anonymous_(group)

References
Online Trust Alliance.
Forrester Research, Inc., “Customer Trust Online — Examining the role of experience with Websites.”
Web Hacking Incident Database (WHID).
Reuters.
PR Newswire.
HP 2011 Cyber Security Risks Report.
Digital Forensics Association.
About the Authors
Abhijeet Khadilkar is a Director with Cognizant Business Consulting, where he advises technology
companies on sales enablement and business transformation. Abhijeet can be reached at
Abhijeet.Khadilkar@cognizant.com.
Tom Pai is a Manager with Cognizant Business Consulting and is focused on helping technology companies
with customer experience, customer support strategy and enterprise technology business challenges.
Tom can be reached at Tom.Pai@cognizant.com.
Shabbir Ghadiali is a Manager with the Cognizant Business Consulting Practice and is focused on operations enablement of new business models, including cloud and mobile computing. He also specializes in online retail, channels strategy, sales and service operations. Shabbir can be reached at Shabbir.Ghadiali@cognizant.com.
Contributors
The authors would like to recognize the contributions of Sriram Sundararajan, a Manager with Cognizant
Business Consulting, Ananthakrishnan Sitarama, Director, Technology Vertical, and Jim Kates, who
heads Cognizant’s IT Security Consulting Practice.