

ISE® Central

ISE Central executive forum 2011

Friending Social Media in the Workplace: Laissez Faire or Lockdown?

Moderator
Gene Scriven
Chief Information Security Officer and Vice President
Sabre-Holdings Inc.
ISE® Southeast People’s Choice Award Winner 2008

Facebook, Twitter, LinkedIn, YouTube, MySpace. Love it or hate it, Web 2.0 and social networking is now an important part of the business scene and companies that fail to engage run the risk of being left behind. Social media empowers businesses to build a brand, expand their reach, connect with customers and partners and facilitate the “flow of business.”

Chances are several of your employees are among the 500 million active Facebook members using any number of the 550,000 applications and tweeting to any number of the 160 million members on Twitter. Employees toggling between “friending” on Facebook and “businessing” on corporate systems leave a company open to the exposure of personal data in the workplace; the release of corporate data to the public; the risk of identity fraud; and a host of security, governance and compliance challenges. Further, a perfect storm is brewing between the number of people using social media and the increasingly sophisticated malware attacks being launched to prey on the data. Now, with the proliferation of third-party applications for mobile devices, the complexity and diversity of security issues becomes even greater as users download unsecured applications and use mobile devices for personal reasons.

Many security executives express frustration over the dilemma of how to make social media available for business reasons without exposing themselves to unnecessary security risks. In a 2010 survey conducted by Symantec, 50% of respondents said their company had a social media policy, while a study by Robert Half indicated that 54% of US companies block access to social media sites.

Discuss how executives, security teams and vendors are developing technologies and best practices to prevent the inappropriate exposure and exploitation of personal and corporate data through social computing.

  • What are the key drivers for developing a strategy around social networking in today’s blended environment?
  • What real-world examples are you seeing that demonstrate how social media can be used appropriately with security in mind?
  • Compliance as an inhibitor: discuss legal and compliance factors that can prevent a company from embracing the use of social media.
  • From a lost phone to an insecure app, what special considerations and precautions should be given to mobile devices and cell phone security?
  • Inappropriate dialogue, illegal recruitment practices, impersonation: staff behavior can lead to any number of legal ramifications. What needs to be in an Acceptable Use Policy, and how can it be enforced? Who is the responsible party: IT, Security, Legal, HR?
  • What are the best ways to optimize employee productivity with web application and filtering controls?
  • Keeping track of time – discuss ways to monitor and manage.
  • Discuss best practices for methods to prevent information leaks and data loss.

Not Your Father’s Identity and Access Management: Moving from IAM to IAI

Moderator
Mark Chamberlain
Executive Director of Information Security Operations
USAA

The internal corporate network is now a connected web of people and devices as more employees work remotely; and partners, customers and vendors are given access to corporate systems and sensitive data. This connected business model many times means managing access for users the company knows little about, and accommodating SSO and less intrusive authentication. To complicate matters, cloud-based applications are on the rise, bringing more challenges to managing user security. Layered on top of these business considerations is the requirement to meet industry-specific standards and comply with regulations such as HIPAA, SOX and PCI. Businesses must prove accountability around data access and management.

Intelligence, as one of the pillars of IAM, is receiving increasing attention. Focused on auditing, monitoring and analytics, Identity Access Intelligence (IAI) improves the performance of IAM activities, offers controls for activities beyond an organization’s direct control and can satisfy growing compliance, privacy, eDiscovery and regulatory requirements. IAM and compliance solutions form the cornerstone of an organization's governance, risk and compliance strategy and serve as a basis for transforming security into an enabling function. Implementing these programs can be complicated and time-consuming, but enterprises may be able to simplify the process and make tangible contributions to enterprise business goals if they consider vendors that are developing ways to integrate IAM offerings with other compliance solutions.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are the characteristics of a world-class IAM program? Can IAM, IT and the enterprise peacefully co-exist? What does the future hold for IAM as it evolves? What role does content-aware IAM play?
  • What role does identity management play in the cloud? What are the differences between traditional IAM and cloud IAM in terms of drivers and requirements? How are solution providers addressing cloud IAM needs?
  • Getting Strategic: Discuss how the intelligence delivered through IAI can be leveraged as essential business intelligence and drive business process and performance improvements.
  • Discuss the integration of IAM and DLP. What are the ways that IAM enables DLP, and vice versa? How does the integration make both systems more valuable?
  • What are the capabilities and limitations of IAM audit functions? Is security information and event management technology an answer? If so, how can SIEM technology be used to fill IAM audit gaps?
  • The value of service-oriented architectures is business agility. How might integrating IAM into SOA ease IAM deployments?

Advanced Persistent Threat: It Pays to be Paranoid

Moderator
Julie Talbot-Hubbard
Director of IT Risk and Security Management
Cardinal Health
ISE® Central Executive Award Winner 2010

Insider threat. Social engineering. Spear phishing. Pervasive botnet infections. Legitimate websites hosting malware. Polymorphic malware. Blended threats. Multiple infection vectors. Command & control servers. Some of the biggest and best companies in the world are being targeted by criminal and nation-sponsored groups seeking to obtain information on intellectual property, legal activities, trade negotiations, customers, employees, credit card numbers and other financials, production information and schematics – and more.

Theft of information and electronic data at global companies has overtaken physical theft for the first time, with losses rising from $1.4m to $1.7m per billion dollars of sales, according to the 2010/2011 Kroll Annual Global Fraud Report. A study conducted by the Ponemon Institute reveals that 83% of respondents believe their organization was the target of advanced attacks, with 44% believing they were frequently targeted.

Many organizations unwittingly help the attackers by failing to: train security staff, conduct security awareness training, implement layered defenses, completely enable security technologies, perform adequate security monitoring and retain and analyze security logs. Adherence to regulatory compliance also comes into play, as organizations often fall into the trap of thinking that if they’re compliant, they’re also secure.

Advanced persistent threat is not a single battle; it’s a protracted war waged for political, military or economic reasons by attackers who have the resources and talent necessary to repeatedly circumvent most common safeguards. Most organizations aren’t even aware of the extent to which their machines are infected. If an attacker wants your information, they will stop at nothing to get it.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Discuss best practices in implementing a structured approach to detection and protection. What enterprise environments, both in and out of the perimeter, need to be protected? How and with what? What role does log management play?
  • How can the use of cloud-based behavioral analysis technology help in detecting emerging threats? Discuss the benefits of correlating threat information across email and the Web to maximize detection.
  • “Wait and watch” or “Find and Stop.” Law enforcement personnel focused on prosecution often advocate evidence collection over threat removal. What are the pros and cons of each course of action?
  • Remediating too early doesn’t help your organization defend your networks, and remediating too late ensures you have lost all of your trade secrets. How do you know when you are in the strike zone for remediating an attack? What are the best practices for remediation? What can cause a remediation effort to fail?
  • It’s said that the three common mistakes in remediation are beginning remediation immediately, submitting malware to anti-virus providers as it is found and preparing for a single battle. Do you agree? Discuss.
  • Compliant does not equal secure. Discuss methods for balancing security and compliance while avoiding the false sense of security that the “checked box” gives organizations.
  • What role do policies, process and procedures play in protecting against advanced persistent threats?
  • You have an incident – now what? Discuss best practices in terms of internal/external notification, evidence collection, incident response, remediation and future prevention.

Data Like Digital Water: Plugging the Leaks

Moderator
Brian Wrozek
IT Security Director
Texas Instruments Incorporated
ISE® Central Executive of the Year Award 2008 Winner

It seems that everywhere we turn, organizations are leaking data. Headlines expose losses of data in industries across the board and now WikiLeaks, with its publication of leaked cables, has organizations wondering if such an event could happen to them.

Data leakage is virtually impossible to stop, but the problem often isn't technology. It's people. The WikiLeaks incident underscores the risks inherent in failing to compartmentalize and in granting employees inappropriate levels of access to data and IT resources. Disgruntled staff, tech-savvy contractors and dismissed employees may misuse privileged access, or gain unauthorized access, and exploit the data. On the other end of the spectrum, naïve employees and well-intentioned users inadvertently leak data through improper and insecure handling of sensitive data.

WikiLeaks shines a spotlight on the policy, education, technology and enforcement issues that must be addressed if a company is to protect its information. Haphazard privileged password management combined with a lack of internal controls, access restrictions, centralized management, accountability and strong policies all contribute to placing an organization at risk for data loss.

The consequences of deliberate and accidental data leaks can be severe, often creating political, financial and public relations problems for the custodian organization. Stopping data leakage requires behavior changes and often results in redesigning business processes. Without a comprehensive data leakage policy, however, preventing data theft is as easy as catching water in a sieve.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What role does data governance play in preventing data leakage? Discuss what needs to happen in terms of data classification, policy and process definition, audits for data access and inventories of system access and credentials.
  • The most vulnerable element in any organization is its people. What are the best practices in educating the workforce? What components comprise a best-in-class training program? How can an organization ensure compliance?
  • Is the best practice to always compartmentalize? Discuss the pros and cons in terms of business agility, employee productivity and enterprise security.
  • Data Loss Prevention (DLP) technology is promoted as a way to protect against data leaks and detect unauthorized access to sensitive information. What can reasonably be expected from a DLP solution? What features and functions should a company look for in a DLP solution? Is DLP the silver bullet? Why or why not?
  • When data moves beyond the perimeter, DLP tools no longer have effect. How can organizations leverage administrative controls or alternative technologies to achieve airtight cloud computing? What is the role of SharePoint in information protection? Beyond securing SharePoint, how might organizations best use SharePoint to enhance information protection?
  • What are the characteristics of an effective privacy program? Should a privacy officer be appointed to help drive the initiatives?
  • Privileged passwords and privileged accounts are the keys to the kingdom, yet often remain in disorder. Discuss best practices for password and account management.

Cloud Computing: Security and Privacy and Contracts, Oh My!

Moderator
Vickie Miller
Director of Information Security
FICO
ISE® Central Peoples' Choice Award Winner 2010

Platform-as-a-Service. Infrastructure-as-a-Service. Software-as-a-Service. Dedicated private. Open public. Hybrid. While there is no single term that describes a cloud environment, the fact remains that more and more data is moving to the cloud. Forrester predicts that cloud computing PaaS will be $15.2B by 2016 and Gartner claims the cloud computing IaaS market will reach $23.5B by 2013.

Benefits of cloud computing include reduced operating costs, savings on hardware, simplified licensing arrangements, streamlined infrastructure environments, consolidated facilities, increased functionality and flexibility, ability to scale and speed of access. But is it secure? As more information on individuals and companies is placed in the cloud, attention must be turned to how safe an environment it is and how we assess security and perceive risk.

In the cloud, it’s difficult to physically locate where data is stored. While the cloud provider is the custodian, the data owner is still legally responsible for protecting the privacy and integrity of that data. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. The challenge for security executives is to help their organizations leverage the benefits that the cloud may provide while having the trust and confidence that the cloud provider is an able partner in ensuring the confidentiality, integrity and availability of information. Questions and concerns about transparency, acceptable risk, disaster recovery and actual cost savings abound.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Contracting for cloud computing: discuss the practices of cloud providers in terms of contract terms, charges for add-on services, service levels, warranties, data protection, security, liability, service suspension and termination.
  • For some, negative feelings come into play regarding cloud services. What is your opinion? Why?
  • What steps can security executives take to ensure that service providers implement, deploy and manage security at an appropriate level?
  • As organizations increase the number of cloud applications, the risk of undetected zombie accounts and over-privileged users increases dramatically. How can security executives take the pain and complexity out of user provisioning and management for cloud applications and keep control “inside the firewall”?
  • As sensitive data moves to the cloud, what is the expectation of privacy, and what is the impact of jurisdiction? What should never move to the cloud?
  • What tough questions are you asking about data integrity and recovery; do you like the answers?
  • What is the impact of eDiscovery, regulatory compliance and auditing on the capability to move your organization to this environment?
  • Not often covered in contracts or due diligence, but it should be: planning the “divorce” should the “marriage” fail. Discuss exit strategies and off-boarding from cloud providers.
  • Are there advantages to going to the cloud if you are looking to expand internationally?
  • SAS 70 is not seen as a standard for evaluating cloud computing providers, yet it is provided as information in lieu of an audit or site visit. Discuss best practices in achieving transparency.
  • Is cloud just a marketing spin?

The Consumerization of IT: Plague or Progress?

Moderator
Chris Leach
SVP and Chief Information Security Officer
ACS, a Xerox Company
ISE® North America Executive Commercial Category Winner 2008

Smartphones and tablets are washing across the enterprise like a tsunami. Whether driven by an executive push or because employees are simply just using them, consumer technology's momentum has reached a dizzying pace and keeping them off the network can be akin to whack-a-mole.

Boundaries between work and personal technologies are diminishing. Boomers and Gen-Xers are bringing personal devices to work. Millennials and the Gen-Zs grew up using PCs, laptops, mobile phones, iPhones, iPods – and now iPads; and are making the provision of mobile tools a condition of employment. Technologies originally aimed at consumers, such as thumb drives, instant messaging and handheld audio and video players, are now ubiquitous in the business world.

The use of consumer technology can spark innovation and enable business on many levels. The Financial Times, Oprah Winfrey and University of Chicago Medical Center are among those organizations that have already launched initiatives to purchase these devices and make them available to employees. The unsanctioned and unmanaged use of consumer technologies, however, can present serious risk and raise numerous security concerns. As if the security issues weren’t enough, the legal ramifications of intermingled business and personal use can be even more troubling. What happens when employee blogging gets out of control? Who owns the device? Who owns the data? A power shift is underway. Rein in the chaos, or let chaos reign?

Dive deeper into the discussions and share your ideas with your executive peers:

  • How can a company assess the risk and govern its use without stifling innovation? What policies – particularly security policies – should be implemented to govern the use of consumer technologies in a business setting?
  • What technologies should a company “green-light”? What technologies, if any, should be blocked altogether? Is there a middle ground?
  • Discuss IT and security best practices for onboarding and supporting the use of consumer technology and personal devices.
  • Healthcare is one industry where the use of consumer technology is achieving tremendous success, but will this be the case for all industries across the board? What industries are – and are not – appropriate for making use of this type of technology?
  • What are the legal ramifications of mixing business with personal? Who owns the device? Who owns the data? What happens when an employee leaves?
  • The use of personal technology instead of company-supplied technology can present a cost saving to the business. Is it worth the trade-off in security? Should an employee be compensated for using personal technology to enable business?
  • Employees have different views about sensitive information. How do you ensure employee engagement before giving them the keys to corporate data?
  • It’s said the discussion about consumer tech is a microcosm of a much larger one: whether IT is going to have to relinquish control almost entirely to users. Yes? No? Maybe?

Vendor Consolidation: A Tale of Two Meanings

Moderator
Cynthia Whitley
Chief Information Security Officer
Allstate
ISE® Central Finalist 2008

Within the industry, best of breed products offered by niche players and small vendors often fulfill our technology needs perfectly, whereas a larger vendor may not measure up. Smaller companies, whose success depends on your success, typically provide better customer service and are strongly motivated to help you succeed. To many a user’s chagrin, the security technology industry is consolidating due to mergers and acquisitions, resulting in fewer, larger players. What may happen to the acquired vendor and its technology is often an open question. Vendor consolidation impacts vendor relationships, technology direction and customer support; elevates concerns about the safety of existing and new investments; and adds uncertainty and risk that is best to be avoided.

On the flip side, vendor consolidation within an organization can result in measurable improvements in IT/security operations and performance while reducing costs. CISOs and CIOs are expected to understand the business impact and financial implications of their IT decisions and provide sound value propositions. A few well-chosen vendors who recognize their expanded roles and the rewards to be gained from their participation in a vendor consolidation effort can be the CISO’s greatest allies.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are the best practices for protecting your company before bringing a best-of-breed technology in-house? What due diligence should be performed, and what hard questions should be asked?
  • Legal can be your best friend. How can contracts be leveraged to ensure optimum protection of technology, security, services and support?
  • How can organizations map a safe path through vendor consolidation? What are the strategies for handling vendor relationships going forward?
  • What are the potential benefits to be gained as a result of a technology acquisition and becoming a customer of the acquiring vendor?
  • Do you stay or do you go? At what point do you create an exit strategy and make the call to part ways?
  • Open source and outsourced: Is it the ultimate solution? Discuss.
  • Everybody play nice: Discuss the best practices for gaining ongoing cooperation and interaction between vendors remaining in a vendor consolidation effort.
  • Vendor-partner: How can one gain proactive participation by a vendor in planning, negotiations and proposals?

Copyright © 2012 Tech Exec Networks, Inc. All Rights Reserved.   |  Site design by Surface Interactive