Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference on how enterprises need to change their thinking to face cyber threats.
Impact of Security Issues on Doing Business in 2011 And Beyond
1. Impact of Security Issues on Doing Business in 2011 And
Beyond
Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference
on how enterprises need to change their thinking to face cyber threats.
Listen to the podcast. Find it oniTunes/iPod and Podcast.com. Download the transcript. Sponsor:
The Open Group
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BriefingsDirect.
Today, we present a sponsored podcast discussion in conjunction with The
Open Group Conference, held in San Diego in the week of February 7, 2011.
We’ve assembled a panel to examine the business risk around cyber security
threats.
Looking back over the past few years, it seems like threats are only getting
worse. We've had the Stuxnet Worm, The WikiLeaks affair, China originating attacks against
Google and others, and the recent Egypt Internet blackout. [Disclosure: The Open Group is a
sponsor of BriefingsDirect podcasts.]
But, are cyber security dangers, in fact, getting much worse or rather perceptions that are at odds
with what is really important in terms of security? In any event, how can businesses best protect
themselves from the next round of risks, especially as cloud, mobile, and social media activities
increase? How can architecting for security become effective and pervasive? We'll pose these
and other serious questions to our panel to deeply examine the cyber business risks and ways to
head them off.
Please join me now in welcoming our panel, we're here with Jim Hietala, the Vice President of
Security at The Open Group. Welcome back, Jim.
Jim Hietala: Hi, Dana. Good to be with you.
Gardner: And, we're here with Mary Ann Mezzapelle, Chief Technologist in the CTO's Office at
HP. Welcome.
Mary Ann Mezzapelle: Thank you, Dana.
Gardner: We're also here with Jim Stikeleather, Chief Innovation Officer at Dell Services.
Welcome, Jim.
Jim Stikeleather: Thank you, Dana. Glad to be here.
2. Gardner: As I mentioned, there have been a lot of things in the news about security. I'm
wondering, what are the real risks that are worth being worried about? What should you be
staying up late at night thinking about, Jim?
Stikeleather: Pretty much everything, at this time. One of the things that you're seeing is a
combination of factors. When people are talking about the break-ins, you're
seeing more people actually having discussions of what's happened and what's
not happening. You're seeing a new variety of the types of break-ins, the type of
exposures that people are experiencing. You're also seeing more organization and
sophistication on the part of the people who are actually breaking in.
The other piece of the puzzle has been that legal and regulatory bodies step in
and say, "You are now responsible for it." Therefore, people are paying a lot more attention to it.
So, it's a combination of all these factors that are keeping people up right now.
Gardner: Is it correct, Mary Ann, to say that it's not just a risk for certain applications or certain
aspects of technology, but it's really a business-level risk?
Key component
Mezzapelle: That's one of the key components that we like to emphasize. It's about
empowering the business, and each business is going to be different.
If you're talking about a Department of Defense (DoD) military
implementation, that's going to be different than a manufacturing
concern. So it's important that you balance the risk, the cost, and the
usability to make sure it empowers the business.
Gardner: How about complexity, Jim Hietala? Is that sort of an underlying current here? We
now think about the myriad mobile devices, moving applications to a new tier, native apps for
different platforms, more social interactions that are encouraging collaboration. This is good, but
just creates more things for IT and security people to be aware of. So how about complexity? Is
that really part of our main issue?
Hietala: It's a big part of the challenge, with changes like you have mentioned on the client side,
with mobile devices gaining more power, more ability to access information and store
information, and cloud. On the other side, we’ve got a lot more complexity in the IT
environment, and much bigger challenges for the folks who are tasked for securing things.
Gardner: Just to get a sense of how bad things are, Jim Stikeleather, on a scale of 1 to 10 -- with
1 being you're safe and sound and you can sleep well, and 10 being all the walls of your business
are crumbling and you're losing everything -- where are we?
Stikeleather: Basically, it depends on who you are and where you are in the process. A major
issue in cyber security right now is that we've never been able to construct an intelligent return
on investment (ROI) for cyber security.
3. There are two parts to that. One, we've never been truly able to gauge how big the risk really is.
So, for one person it maybe a 2, and most people it's probably a 5 or a 6. Some people may be
sitting there at a 10. But, you need to be able to gauge the magnitude of the risk. And, we never
have done a good job of saying what exactly the exposure is or if the actual event took place. It's
the calculation of those two that tell you how much you should be able to invest in order to
protect yourself.
So, I'm not really sure it's a sense of exposure the people have, as people don't have a sense of
risk management -- where am I in this continuum and how much should I invest actually to
protect myself from that?
We're starting to see a little bit of a sea change, because starting with HIPAA-HITECH in 2009,
for the first time, regulatory bodies and legislatures have put criminal penalties on companies
who have exposures and break-ins associated with them.
So we're no longer talking about ROI. We're starting to talk about risk of incarceration , and that
changes the game a little bit. You're beginning to see more and more companies do more in the
security space -- for example, having a Sarbanes-Oxley event notification to take place.
The answer to the question is that it really depends, and you almost can't tell, as you look at each
individual situation.
Gardner: Mary Ann, it seems like assessment then becomes super-important. In order to assess
your situation, you can start to then plan for how to ameliorate it and/or create a strategy to
improve, and particularly be ready for the unknown unknowns that are perhaps coming down the
pike. When it comes to assessment, what would you recommend for your clients?
Comprehensive view
Mezzapelle: First of all we need to make sure that they have a comprehensive view. In some
cases, it might be a portfolio approach, which is unique to most people in a
security area. Some of my enterprise customers have more than a 150 different
security products that they're trying to integrate.
Their issue is around complexity, integration, and just knowing their
environment -- what levels they are at, what they are protecting and not, and
how does that tie to the business? Are you protecting the most important asset?
Is it your intellectual property (IP)? Is it your secret sauce recipe? Is it your
financial data? Is it your transactions being available 24/7?
And, to Jim's point, that makes a difference depending on what organization you're in. It takes
some discipline to go back to that InfoSec framework and make sure that you have that
foundation in place, to make sure you're putting your investments in the right way.
4. Stikeleather: One other piece of it is require an increased amount of business knowledge on the
part of the IT group and the security group to be able to make the assessment of where is my IP,
which is my most valuable data, and what do I put the emphasis on.
One of the things that people get confused about is, depending upon which analyst report you
read, most data is lost by insiders, most data is lost from external hacking, or most data is lost
through email. It really depends. Most IP is lost through email and social media activities. Most
data, based upon a recent Verizon study, is being lost by external break-ins.
We've kind of always have the one-size-fits-all mindset about security. When you move from just
"I'm doing security" to "I'm doing risk mitigation and risk management," then you have to start
doing portfolio and investment analysis in making those kinds of trade-offs.
That's one of the reasons we have so much complexity in the environment, because every time
something happens, we go out, we buy any tool to protect against that one thing, as opposed to
trying to say, "Here are my staggered differences and here's how I'm going to protect what is
important to me and accept the fact nothing is perfect and some things I'm going to lose."
Gardner: Perhaps a part of having an assessment of where you are is to look at how things have
changed, Jim Hietala, thinking about where we were three or four years ago, what is
fundamentally different about how people are approaching security and/or the threats that they
are facing from just a few years ago?
Hietala: One of the big things that's changed that I've observed is if you go back a number of
years, the sorts of cyber threats that were out there were curious teenagers and
things like that. Today, you've got profit-motivated individuals who have
perpetrated distributed denial of service attacks to extort money. Now, they’ve
gotten more sophisticated and are dropping Trojan horses on CFO's machines
and they can to try in exfiltrate passwords and log-ins to the bank accounts.
We had a case that popped up in our newspaper in Colorado, where a mortgage
company, a title company lost a million dollars worth of mortgage money that
was loans in the process of funding. All of a sudden, five homeowners are
faced with paying two mortgages, because there was no insurance against that.
When you read through the details of what happened it was, it was clearly a Trojan horse that
had been put on this company's system. Somebody was able to walk off with a million dollars
worth of these people's money.
State-sponsored acts
So you've got profit-motivated individuals on the one side, and you've also got some things
happening from another part of the world that look like they're state-sponsored, grabbing
corporate IP and defense industry and government sites. So, the motivation of the attackers has
fundamentally changed and the threat really seems pretty pervasive at this point.
5. Gardner: Pervasive threat. Is that how you see it, Jim Stikeleather?
Stikeleather: I agree. The threat is pervasive. The only secure computer in the world right now
is the one that's turned off in a closet, and that's the nature. You have to make decisions about
what you're putting on and where you're putting it on. I's a big concern that if we don't get better
with security, we run the risk of people losing trust in the Internet and trust in the web.
When that happens, we're going to see some really significant global economic concerns. If you
think about our economy, it's structured around the way the Internet operates today. If people
lose trust in the transactions that are flying across it, then we're all going to be in pretty bad
world of hurt.
Gardner: All right, well I am duly scared. Let's think about what we can start doing about this.
How should organizations rethink security? And is that perhaps the way to do this, Mary Ann? If
you say, "Things have changed. I have to change, not only in how we do things tactically, but
really at that high level strategic level," how do you rethink security properly now?
Mezzapelle: It comes back to one of the bottom lines about empowering the business. Jim talked
about having that balance. It means that not only do the IT people need to know more about the
business, but the business needs to start taking ownership for the security of their own assets,
because they are the ones that are going to have to belay the loss, whether it's data, financial, or
whatever.
They need to really understand what that means, but we as IT professionals need to be able to
explain what that means, because it's not common sense. We need to connect the dots and we
need to have metrics. We need to look at it from an overall threat point of view, and it will be
different based on what company you're about.
You need to have your own threat model, who you think the major actors would be and how you
prioritize your money, because it's an unending bucket that you can pour money into. You need
to prioritize.
Gardner: How would this align with your other technology and business innovation activities?
If you're perhaps transforming your business, if you're taking more of a focus at the process
level, if you're engaged with enterprise architecture and business architecture, is security a
sideline, is it central, does it come first? How do you organize what's already fairly complex in
security with these other larger initiatives?
Mezzapelle: The way that we've done that is this is we've had a multi-pronged approach. We
communicate and educate the software developers, so that they start taking ownership for
security in their software products, and that we make sure that that gets integrated into every part
of portfolio.
6. The other part is to have that reference architecture, so that there’s common services that are
available to the other services as they are being delivered and that we can not control it but at
least manage from a central place.
You were asking about how to pay for it. It's like Transformation 101. Most organizations spend
about 80 percent of their spend on operations. And so they really need to look at their operational
spend and reduce that cost to be able to fund the innovation part.
Getting benchmarks
It may not be in security. You may not be spending enough in security. There are several
organizations that will give you some kind of benchmark about what other organizations in your
particular industry are spending, whether it's 2 percent on the low end for manufacturing up to
10-12 percent for financial institutions.
That can give you a guideline as to where you should start trying to move to. Sometimes, if you
can use automation within your other IT service environment, for example, that might free up the
cost to fuel that innovation.
Stikeleather: Mary Ann makes a really good point. The starting point is really architecture.
We're actually at a tipping point in the security space, and it comes from what's taking place in
the legal and regulatory environments with more-and-more laws being applied to privacy, IP,
jurisdictional data location, and a whole series of things that the regulators and the lawyers are
putting on us.
One of the things I ask people, when we talk to them, is what is the one application everybody in
the world, every company in the world has outsourced. They think about it for a minute, and they
all go payroll. Nobody does their own payroll any more. Even the largest companies don't do
their own payroll. It's not because it's difficult to run payroll. It's because you can’t afford all of
the lawyers and accountants necessary to keep up with all of the jurisdictional rules and
regulations for every place that you operate in.
Data itself is beginning to fall under those types of constraints. In a lot of cases, it's medical data.
For example, Massachusetts just passed a major privacy law. PCI is being extended to anybody
who takes credit cards.
The security issue is now also a data governance and compliance issue as well. So, because all
these adjacencies are coming together, it's a good opportunity to sit down and architect with a
risk management framework. How am I going to deal with all of this information?
Plus you have additional funding capabilities now, because of compliance violations you can
actually identify what the ROI is for of avoiding that. The real key to me is people stepping back
and saying, "What is my business architecture? What is my risk profile associated with it? What's
the value associated with that information? Now, engineer my systems to follow that."
7. Mezzapelle: You need to be careful that you don't equate compliance with security? There are a
lot of organizations that are good at compliance checking, but that doesn't mean that they are
really protecting against their most vulnerable areas, or what might be the largest threat. That's
just a letter of caution -- you need to make sure that you are protecting the right assets.
Gardner: It's a cliché, but people, process, and technology are also very important here. It seems
to me that governance would be an overriding feature of bringing those into some alignment.
Jim Hietala, how should organizations approach these issues with a governance mindset? That is
to say, following procedures, forcing those procedures, looking and reviewing them, and then
putting into place the means by which security becomes in fact part-and-parcel with doing
business?
Risk management
Hietala: I guess I'd go back to the risk management issue. That's something that I think
organizations frequently miss. There tends to be a lot of tactical security spending based upon the
latest widget, the latest perceived threat -- buy something, implement it, and solve the problem.
Taking a step back from that and really understanding what the risks are to your business, what
the impacts of bad things happening are really, is doing a proper risk analysis. Risk assessment is
what ought to drive decision-making around security. That's a fundamental thing that gets lost a
lot in organizations that are trying to grapple the security problems.
Gardner: Jim Stikeleather, any thoughts about governance as an important aspect to this?
Stikeleather: Governance is a critical aspect. The other piece of it is education. There's an
interesting fiction in both law and finance. The fiction of the reasonable, rational, prudent man. If
you've done everything a reasonable, rational and prudent person has done, then you are not
culpable for whatever the event was.
I don't think we've done a good job of educating our users, the business, and even some of the
technologists on what the threats are, and what are reasonable, rational, and prudent things to do.
One of my favorite things are the companies that make you change your password every month
and you can't repeat a password for 16 or 24 times. The end result is that you get as this little
thing stuck on the notebook telling them exactly what the password is.
So, it's governance, but it's also education on top of governance. We teach our kids not to cross
the street in the middle of the road and don't talk to strangers. Well, we haven't quite created that
same thing for cyberspace. Governance plus education may even be more important than the
technological solutions.
Gardner: One sort of push-back on that is that the rate of change is so rapid and the nature of
the risks can be so dynamic, how does one educate? How you keep up with that?
8. Stikeleather: I don't think that it's necessary. The technical details of the risks are changing
rapidly, but the nature of the risk themselves, the higher level of the taxonomy, is not changing
all that much.
If you just introduce safe practices so to speak, then you're protected up until someone comes up
with a totally new way of doing things, and there really hasn't been a lot of that. Everything has
been about knowing that you don't put certain data on the system, or if you do, this data is always
encrypted. At the deep technical details, yes, things change rapidly. At the level with which a
person would exercise caution, I don't think any of that has changed in the last ten years.
Gardner: We've now entered into the realm of behaviors and it strikes me also that it's quite
important and across the board. There are behaviors at different levels of the organization. Some
of them can be good for ameliorating risk and others would be very bad and prolonged. How do
you incentivize people? How do you get them to change their behavior when it comes to
security, Mary Ann?
Mezzapelle: The key is to make it personalized to them or their job, and part of that is the
education as Jim talked about. You also show them how it becomes a part of their job.
Experts don't know
I have a little bit different view that it is so complex that even security professionals don’t
always know what the reasonable right thing to do it. So, I think it's very unreasonable for us to
expect that of our business users, or consumers, or as I like to say, my mom. I use her as a use
case quite a lot of times about what would she do, how would she react and would she recognize
when she clicked on, "Yes, I want to download that antivirus program," which just happened to
be a virus program.
Part of it is the awareness so that you keep it in front of them, but you also have to make it a part
of their job, so they can see that it's a part of the culture. I also think it's a responsibility of the
leadership to not just talk about security, but make it evident in their planning, in their
discussions, and in their viewpoints, so that it's not just something that they talk about but ignore
operationally.
Gardner: One other area I want to touch on is the notion of cloud computing, doing more
outsourced services, finding a variety of different models that extend beyond your enterprise
facilities and resources.
There's quite a bit of back and forth about, is cloud better for security or worse for security? Can
I impose more of these automation and behavioral benefits if I have a cloud provider or a single
throat to choke, or is this something that opens up? I've got a sneaking suspicion I am going to
hear "It depends" here, Jim Stikeleather, but I am going to go with you anyway. Cloud: I can't
live with it, can't live without it. How does it work?
9. Stikeleather: You're right, it depends. I can argue both sides of the equation. On one side, I've
argued that cloud can be much more secure. If you think about it, and I will pick on Google,
Google can expend a lot more on security than any other company in the world, probably more
than the federal government will spend on security. The amount of investment does not
necessarily tie to a quality of investment, but one would hope that they will have a more secure
environment than a regular company will have.
On the flip side, there are more tantalizing targets. Therefore they're going to draw more
sophisticated attacks. I've also argued that you have statistical probability of break-in. If
somebody is trying to break into Google, and you're own Google running Google Apps or
something like that, the probability of them getting your specific information is much less than if
they attack XYZ enterprise. If they break in there, they are going to get your stuff.
Recently I was meeting with a lot of NASA CIOs and they think that the cloud is actually
probably a little bit more secure than what they can do individually. On the other side of the coin
it depends on the vendor. I've always admired astronauts, because they're sitting on top of this
explosive device built by the lowest-cost provider. I've always thought that took more bravery
than anybody could think of. So the other piece of that puzzle is how much is the cloud provider
actually providing in terms of security.
You have to do your due diligence, like with everything else in the world. I believe, as we move
forward, cloud is going to give us an opportunity to reinvent how we do security.
I've often argued that a lot of what we are doing in security today is fighting the last war, as
opposed to fighting the current war. Cloud is going to introduce some new techniques and new
capabilities. You'll see more systemic approaches, because somebody like Google can't afford to
put in 150 different types of security. They will put one more integrated. They will put in, to
Mary Ann’s point, the control panels and everything that we haven't seen before.
So, you'll see better security there. However, in the interim, a lot of the software-as-a-service
(SaaS) providers, some of the simpler platform-as-a-service (PaaS) providers haven’t made that
kind of investment. You're probably not as secured in those environments.
Gardner: Mary Ann, do you also see cloud as a catalyst to a better security either from
technology process or implementation?
Lowers the barrier
Mezzapelle: For the small and medium size business it offers the opportunity to be more
secure, because they don't necessarily have the maturity of processes and tools to be able to
address those kinds of things. So, it lowers that barrier to entry for being secure.
For enterprise customers, cloud solutions need to develop and mature more. They may want to
do with hybrid solution right now, where they have more control and the ability to audit and to
10. have more influence over things in specialized contracts, which are not usually the business
model for cloud providers.
I would disagree with Jim in some aspects. Just because there is a large provider on the Internet
that’s creating a cloud service, security may not have been the key guiding principle in
developing a low-cost or free product. So, size doesn't always mean secure.
You have to know about it, and that's where the sophistication of the business user comes in,
because cloud is being bought by the business user, not by the IT people. That's another
component that we need to make sure gets incorporated into the thinking.
Stikeleather: I am going to reinforce what Mary Ann said. What's going on in cloud space is
almost a recreation of the late '70s and early '80s when PCs came into organizations. It's the
businesspeople that are acquiring the cloud services and again reinforces the concept of
governance and education. They need to know what is it that they're buying.
I absolutely agree with Mary. I didn't mean to imply size means more security, but I do think that
the expectation, especially for small and medium size businesses, is they will get a more secure
environment than they can produce for themselves.
Gardner: Jim Hietala, we're hearing a lot about frameworks, and governance, and automation.
Perhaps even labeling individuals with responsibility for security and we are dealing with some
changeable dynamics that move to cloud and issues around cyber security in general, threats
from all over. What is The Open Group doing? It sounds like a huge opportunity for you to bring
some clarity and structure to how this is approached from a professional perspective, as well as a
process and framework perspective?
Hietala: It is a big opportunity. There are a number of different groups within The Open Group
doing work in various areas. The Jericho Forum is tackling identity issues as it relates to cloud
computing. There will be some new work coming out of them over the next few months that lay
out some of the tough issues there and present some approaches to those problems.
We also have the Trusted Technology Forum (TTF) and the Trusted Technology Provider
Framework (TTPF) that are being announced here at this conference. They're looking at supply
chain issues related to IT hardware and software products at the vendor level. It's very much an
industry-driven initiative and will benefit government buyers, as well as large enterprises, in
terms of providing some assurance of products they're procuring are secure and good commercial
products.
Also in the Security Forum, we have a lot of work going on in security architecture and
information security management. There are a number projects that are aimed at practitioners,
providing them the guidance they need to do a better job of securing, whether it's a traditional
enterprise, IT environment, cloud and so forth. Our Cloud Computing Work Group is doing work
on a cloud security reference architecture. So, there are number of different security activities
going on in The Open Group related to all this.
11. Gardner: What have you seen in a field in terms of a development of what we could call a
security professional? We've seen Chief Security Officer, but is there a certification aspect to
identifying people as being qualified to step in and take on some of these issues?
Certification programs
Hietala: There are a number of certification programs for security professionals that exist out
there. There was legislation, I think last year, that was proposed that was going to put some
requirements at the federal level around certification of individuals. But, the industry is fairly
well-served by the existing certifications that are out there. You've got CISSP, you've got a
number of certification from SANS and GIAC that get fairly specialized, and there are lots of
opportunities today for people to go out and get certifications in improving their expertise in a
given topic.
Gardner: My last question will go to you on this same issue of certification. If you're on the
business side and you recognize these risks and you want to bring in the right personnel, what
would you look for? Is there a higher level of certification or experience? How do you know
when you've got a strategic thinker on security, Mary Ann?
Mezzapelle: The background that Jim talked about CISSP, CSSLP from (ISC)2, there is also the
CISM or Certified Information Security Manager that’s from an audit point of view, but I don't
think there's a certification that’s going to tell you that they're a strategic thinker. I started out as a
technologist, but it's that translation to the business and it's that strategic planning, but applying it
to a particular area and really bringing it back to the fundamentals.
Gardner: Does this become then part of enterprise architecture (EA)?
Mezzapelle: It is a part of EA, and, as Jim talked, about we've done some work on The Open
Group with Information Security Management model that extend some of other business
frameworks like ITIL into the security space to have a little more specificity there.
Gardner: Last word to you, Jim Stikeleather, on this issue of how do you get the right people in
the job and is this something that should be part and parcel with the enterprise or business
architect?
Stikeleather: I absolutely agree with what Mary Ann said. It's like a CPA. You can get a CPA
and they know certain things, but that doesn't guarantee that you’ve got a businessperson. That’s
where we are with security certifications as well. They give you a comfort level that the
fundamental knowledge of the issues and the techniques and stuff are there, but you still need
someone who has experience.
At the end of the day it's the incorporation of everything into EA, because you can't bolt on
security. It just doesn't work. That’s the situation we're in now. You have to think in terms of the
framework of the information that the company is going to use, how it's going to use it, the value
that’s associated with it, and that's the definition of EA.
12. Gardner: Well, great. We have been discussing the business risk around cyber security threats
and how to perhaps position yourself to do a better job and anticipate some of the changes in the
field. I’d like to thank our panelists. We have been joined by Jim Hietala, Vice President of
Security for The Open Group. Thank you, Jim.
Hietala: Thank you, Dana.
Gardner: Mary Ann Mezzapelle, Chief Technologist in the Office of the CTO for HP. Thank
you.
Mezzapelle: Thanks, Dana.
Gardner: And lastly, Jim Stikeleather,Chief Innovation Officer at Dell Services. Thank you.
Stikeleather: Thank you, Dana.
Gardner: This is Dana Gardner. You’ve been listening to a sponsored BriefingsDirect podcast in
conjunction with The Open Group Conference here in San Diego, the week of February 7th,
2011. I want to thank all for joining and come back next time.
Listen to the podcast. Find it oniTunes/iPod and Podcast.com. Download the transcript. Sponsor:
The Open Group
Transcript of a sponsored podcast panel discussion from The Open Group 2011 U.S. Conference
on how enterprises need to change their thinking to face cyber threats.
You may also be interested in:
• Examining the Current State of the Enterprise Architecture Profession with the Open
Group's Steve Nunn
• Infosys Survey Shows Enterprise Architecture and Business Architecture on Common
Ascent to Strategy Enablers
• The Open Group's Cloud Work Group Advances Understanding of Cloud-Use Benefits
for Enterprises