

ISE® North America

CPE Credits

Attendance at the ISE North America Executive Forum can earn you up to eight (8) Continuing Professional Education (CPE) credits!

Upon completion of the program, T.E.N. will send the CPE credits to (ISC)2. Please be sure to provide your membership number during registration.

Members who provide proof of attendance will be evaluated on an individual basis by ISACA. Email your completion certificate request here, and it will be sent to you to submit to ISACA.

If you are a member of any other association that provides CPE credits for security-related events and require documentation to qualify for credits, please email us here.

ISE® North America Executive Forum 2011

Day 1 - Wed. November 16, 2011

The Consumerization of IT: Is Resistance Futile?


Moderator
Julie Talbot-Hubbard
Chief Information Security Officer
Ohio State University
ISE Central Executive Award Winner 2010

The Consumerization of IT is no longer a matter of employees bringing smart phones and iPads to work. It’s also about services. Instant messaging, blogs and social networks all began as consumer applications and are now entrenched in the enterprise. Driven largely by “digital natives,” the business use of consumer devices and applications such as Google Docs, Facebook and other social media is fundamentally changing the way IT – and business in general – operates.

Today’s digital natives bring a new style of rapid, digital communication, collaborate across multiple platforms, use multiple devices and expect this to be carried over into the workplace. The growing number of devices, the need for mobility and the increase in network traffic are throwing multiple challenges at IT and Information Security departments, creating a gap that both impacts employee productivity and morale and threatens an enterprise’s ability to compete, as these technologies are becoming important tools for reaching customers, prospects and partners. The use of consumer technology can spark innovation and enable business on many levels. The unsanctioned and unmanaged use of consumer technologies and services, however, can present serious risk and raise numerous security and legal concerns, such as malware spread via social networks, challenges in developing corporate policies for support and lifecycle management, and the blending of personal and corporate data.

Dive deeper into the discussions and share your ideas with your executive peers:

  • How can a company assess the risk and govern use without stifling innovation? What policies – particularly security policies – should be implemented to govern the use of consumer technologies in a business setting?
  • Are the cost savings of using personal devices worth the trade-off in security? Should an employee be compensated for using personal technology? Are we heading to a point where employees will be expected to bring their device to work, and that the organization will simply provide access to the appropriate information and applications?
  • What devices and services should a company “green-light”? What, if any, should be blocked? Is there a middle ground?
  • It is estimated that IT underestimates the number of employees using consumer devices for work and social media for customer communication by as much as 50%. Why would this be so? Discuss IT and security best practices for onboarding and supporting the use of consumer technology.
  • What are the legal ramifications of mixing business with personal data? Who owns the device? Who owns the data? What happens when an employee leaves?
  • Cloud and managed service providers offer a built-in way to support multiple mobile devices. Is client virtualization and moving to the cloud for device management the answer? Why or why not?
  • Employees turn to consumer devices partly because enterprise applications are inadequate or cumbersome to use. Discuss the strategies of organizations: 1) Deploying their own “Enterprise App Store” and developing enterprise applications that look and feel like smart device apps, but have enterprise-level functionality. 2) Working with solution providers to communicate security and manageability requirements needed to add enterprise capabilities to consumer products and services.
  • It’s said the discussion about consumer tech is a microcosm of a much larger one: whether IT is going to have to relinquish control almost entirely to users. Yes? No? Maybe?

Identity and Access Management: Light at the End of the Tunnel


Moderator
Chris Tignor
Vice President and Chief Information Security Officer
Capital One

Identity and Access Management, as the foundation for access controls, is a mission-critical function that serves as the first line of defense in protecting confidentiality, integrity and availability of data. It is also a frustrating and difficult beast to tame. Today’s infrastructure is more complex, with more moving parts across the enterprise, than any other security-related service. The typical enterprise has numerous applications to which it needs to manage access. And there seems to be a different tool for each task – directories, virtual directories, provisioning tools, web access managers, federated identity management tools and more.

To complicate matters, cloud-based applications are on the rise, bringing more challenges to managing user security. Layered on top of these business considerations is the requirement to meet industry-specific standards and comply with regulations such as HIPAA, SOX and PCI. But compliance is only part of the story. An untethered workforce, less office-bound than ever, is demanding remote access from a host of devices. Implementing an IAM program can be complicated, expensive and time-consuming, leaving security practitioners grappling with challenges and looking for solutions to get ahead of the curve.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are the characteristics of a world-class IAM program? Will IAM eventually be rolled up into GRC?
  • The Cloud introduces a new level of complexity and raises issues of federated trust. What business and security considerations should be given to managing identities in the Cloud?
  • Intelligence is one of the pillars of IAM, but has received less attention than administration or access. Focused on auditing, monitoring and analytics, Identity and Access Intelligence (IAI) has a short time to value. How can business intelligence from IAI be leveraged to drive business process and performance improvements?
  • Business-process issues often present bigger hurdles than technology. Discuss best practices in reengineering and piloting a new IAM process. Who should be involved in the project team?
  • Selling Identity strategy in the C-suite – what are the secrets for making the business case to management, winning over colleagues and cutting through organizational politics and risk aversion? What metrics should be developed and reported to communicate the value of IAM projects?
  • How must Enterprise Role Management and Entitlement Catalogues evolve to accommodate the new demands? What are best practices in roles-based access management?
  • Discuss the role of Master Data Management in an IAM program. What considerations should be given to MDM when migrating information from one system to a new platform?
  • IAM can seem like a Sisyphean task that never ends. A successful deployment for a large company can take anywhere from six months to two years. How can security practitioners stop the madness and tame the beast?
  • What are the capabilities and limitations of IAM audit functions? Discuss the integration of IAM, SIEM and DLP. How does the integration make both systems more valuable?
  • The value of service-oriented architectures is business agility. How might integrating IAM into SOA ease IAM deployments?

When Big Data Met Security: The Rise of Data-Driven Security Intelligence


Moderator
Jerry L. Davis
Deputy Assistant Secretary for the Office of Information Protection and Risk Management
Department of Veterans Affairs
ISE North America Government Executive Award Winner 2009

Advanced Persistent Threats are targeting the defense industry and enterprises alike in pursuit of details on mission-critical operations, intellectual property and other proprietary data. Such attacks have routinely defeated traditional approaches to information security, and show no sign of ending. Now, as organizations work to thwart security threats, secure the business and manage risk, they find themselves in an escalating arms race with unseen attackers. Many conventional methods for performing security risk analysis, however, are becoming increasingly untenable in terms of usability and flexibility, and the process of determining which security controls are appropriate and cost-effective is often a complex and sometimes subjective matter.

It is suggested that better monitoring of databases, applications and information access and use is a way to combat the growing threat. The amount of data collected in the course of protecting information is already exploding, resulting in multi-terabyte and petabyte data environments for many enterprise organizations and government agencies. While monitoring on such a scale would generate enormous volumes of “Big Data” that could bury security teams, it could also present new opportunities to leverage “security intelligence” and move beyond the realm of the reactive to the proactive in managing security risk.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Can Big Data Analytics help prevent the next Operation Shady RAT? Are the technologies, processing capabilities and storage capabilities ready for prime time?
  • Effective responses to threats hinge on a new breed of security analytics that make use of as much fresh and relevant data from as many sources as possible. What kinds of data and data sources – internal and external – would help security analytics experts detect anomalous patterns, and how are they being made available – today and in the future?
  • What is the future of SIEM and what role will it play in achieving “real-time security intelligence”? Can SIEM technology evolve to support a Big Data approach to security analysis? How might integrating DLP assist in achieving security intelligence?
  • It’s said that analytics will be a core element of all next-generation security platforms. What will be the nature of security analytics that enable security executives to take advantage of Big Data trends – whether by human analysis, or by analytics integrated within the platform?
  • One of the emerging use cases of Big Data analytics and cloud-based computing models is the ability to ask real-time questions that cut across multiple platforms, logical entities and domains simultaneously to gain a bigger, richer picture of the security and risk environment. How else can Big Data be turned to an advantage?
  • How will IT security and risk management be transformed by the opportunity presented by Big Data Security Intelligence – or will it change at all?
  • Discuss best practices for turning security intelligence into tactical intelligence and driving responsive use of the insight gained from analysis. What role might Collaborative Security Intelligence and Co-Opetition play in combating APT?
  • Closing the loop on risk assessment, controls and security investment – how might security business intelligence be used to move from investment decisions based on intuition and estimates to cost-justified decisions based on risk models?

Parting the Clouds on Cloud Services: Security Watch in Effect


Moderator
Stacey Halota
Vice President, Information Security and Privacy
The Washington Post Company
ISE Mid-Atlantic Commercial Executive Award Winner 2009

Whether lauded as the most significant paradigm shift since the internet or regarded as marketing spin, one thing is clear: cloud computing is rapidly transforming the IT landscape and both government and commercial organizations are increasingly adopting cloud services for a wide variety of applications. Cloud services offer tremendous economic and operational benefits, including lower IT capital expenditures and operating costs, on-demand capacity, self-service provisioning, pay-per-use pricing models, increased functionality and flexibility, ability to scale and speed of access.

Despite Cloud Computing’s sunny forecast for operational efficiencies and economic gains, security executives still see dark clouds ahead. Traditional approaches to security do not translate easily to the cloud environment and cloud computing raises concerns related to security, governance, compliance and risk management. Questions about transparency, acceptable risk, disaster recovery, business continuity and actual costs savings abound. Top-of-mind cloud security issues now include: data breaches related to mobile device data, the need for better access control and identity management, ongoing compliance concerns, the risk of multiple tenants and the emergence of cloud standards and certifications.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Contracting for cloud computing: discuss the practices of cloud providers in terms of contract terms, charges for add-on services, service levels, warranties, data protection, security, liability, service suspension and termination.
  • What steps can security executives take to ensure that service providers implement, deploy, manage – and report on – security at an appropriate level? What type of reporting should be available? Are breaches reported?
  • When lightning strikes: There are plenty of examples of services that were shut down, changed hands or simply lost the data. What best practices should be used in evaluating a cloud services provider? What warning signs can signal stormy weather ahead? What recourse is there for lost data? What kind of insurance is available?
  • As sensitive data moves to the cloud, what are the expectations around privacy and the impact of jurisdiction? What should never move to the cloud?
  • What tough questions are you asking about the ability to define a security incident and receive reporting based on that definition, choice of where data is stored, visibility of the data, ability to copy data for back-up, and data integrity and recovery? Do you like the answers?
  • What is the impact of eDiscovery, regulatory compliance and auditing on the capability to move your organization to this environment? Discuss the ability to obtain forensic information.
  • Not often in contracts or due diligence, but it should be – planning the “divorce” should the “marriage” fail. Discuss exit strategies and off-boarding from cloud providers.
  • The Open Cloud Standards Incubator and the Cloud Security Alliance have worked to develop standards and promote best practices in cloud management and service provision. To what degree has the industry embraced open standards, easy migration and collaboration – are we still a long way off?
  • What kinds of compliance-related activities does a provider need to adhere to, especially for the healthcare and financial services industries? What kind of certifications should they have? Discuss trustworthiness as a web currency.
  • SAS 70 is not seen as a standard for evaluating cloud computing providers, yet it is provided as information in lieu of an audit or site visit. Discuss best practices in achieving transparency.

Day 2 - Thu. November 17, 2011

Information Security: It’s All About the Data


Moderator
Thomas Dunbar
Global IT Chief Security Officer
XL Group
ISE Northeast Executive Award Finalist 2010

Big. Structured. Unstructured. Critical. Confidential. Proprietary. Classified. Public. In the Cloud. Of all the ways that enterprise data can be described, the one that keeps executives up at night is “lost.” Data loss is virtually impossible to stop and can damage an organization in countless ways, such as lost competitive advantage, lost revenue, litigation and damaged company reputation – not to mention direct clean-up expense.

Most organizations believe they aren’t in danger of losing data, but in today’s digital age organizations are operating in environments that are replete with risks. Workers are able to connect any number of consumer devices to a company network, post information on social networking sites, write to CDs and USBs at will, send emails and FTP in from outside domains. Disgruntled staff, tech-savvy contractors and dismissed employees may misuse privileged access, or gain unauthorized access, and exploit the data. On the other end of the spectrum, naïve employees and well-intentioned users inadvertently leak data through improper handling of sensitive data.

Further, the game is changing. Data itself is more complex, and smart phone growth is leading to an explosion of data available anytime, anywhere. As the platform to access the data becomes more important than the application or location of the data, security executives must extend their focus from the security of the infrastructure to the security of the data itself.

Haphazard privileged password management combined with a lack of internal controls, access restrictions, centralized management, accountability and strong policies all contribute to placing an organization at risk. Stopping data leakage requires behavior changes and often results in redesigning business processes.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What role does data governance play in preventing data leakage? Discuss what needs to happen in terms of data classification, policy and process definition, audits for data access and inventories of system access and credentials.
  • Securing from the inside out: The first and last line of defense in protecting corporate information are the people in the organization. What are the best practices in educating – and incenting – the workforce? What defines a best-in-class awareness program? How can an organization ensure compliance?
  • Some companies are taking drastic steps to lock down data at the source. Discuss the pros and cons in terms of business agility, employee productivity and enterprise security.
  • Data Loss Prevention technology is promoted as a way to protect against data leaks and detect unauthorized access to sensitive information. What can reasonably be expected from a DLP solution? Is DLP the silver bullet? Why or why not?
  • The DLP/DRM Conundrum: Competing? Mutually exclusive? Complementary? Discuss the pros and cons of each in security against data loss.
  • Defining a data lifecycle is often overlooked. What factors should be considered in creating a comprehensive and enforceable data retention policy? Is one even needed?
  • When data moves beyond the perimeter, DLP tools no longer have effect. How can organizations leverage administrative controls or alternative technologies to achieve airtight cloud computing? What is the role of SharePoint in information protection? Beyond securing SharePoint, how might organizations best use SharePoint to enhance information protection?

Vulnerability Management: Moving from Reactive to Proactive


Moderator
Phil Agcaoili
Chief Information Security Officer
Cox Communications
ISE Central Executive Award Winner 2009

Cybercrime has evolved from one-upmanship among script-kiddies to highly organized and sophisticated global criminal operations whose collective common objectives are to steal intellectual property, corporate data and money. Since January 2005, over 500 million records containing sensitive, personal information were involved in U.S. security breaches. While you are reading this, thousands of companies world-wide are being robbed by cybercriminals.

Cyber attacks on government agencies and commercial organizations are rising at meteoric rates and security executives are being drafted into combat on the front lines to battle hackers that are skilled and well-funded, think neither in terms of silos nor “start-and-finish” and will exploit multiple security weaknesses over an extended period of time to achieve the ultimate goal. In rising to the challenge, security executives must be as agile as the attackers, ask and get answers to the hard questions, move beyond the traditional “silo” mindset and see business information systems and networks through the eyes of the attackers. A mature vulnerability management program is critical for any security program to be successful. Implemented correctly, it can support a proactive versus reactive posture when it comes to security decisions.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Threat Vulnerability Management is just beginning to take hold as a concept. Is it the silver bullet for covering the entire landscape (operating systems, network devices, applications)?
  • What are the potential consequences of having material knowledge of a vulnerability and failing to remediate? What are the best practices for driving accountability back to the business unit or systems owner?
  • Managed services for vulnerability management can save money on capital expenditures and headcount while protecting against in-house biases or omissions from reports. What are the best practices in engaging consultants and service providers? At what point is it better to fund an internal “Red Team”?
  • What are the best defenses against “Vulnerability Chaining”?
  • Governance, risk and compliance. To what degree can vulnerability management facilitate compliance with industry regulations?
  • What role does Security Information and Event Management (SIEM) play in vulnerability management?
  • Security executives must be prepared to answer the ROI question about the business value of vulnerability management technology. What metrics and KPIs should be put in place to measure effectiveness and help to restructure security spending and direct future investment?
  • Agent versus agentless vulnerability scanning – what are the pros and cons? Is there a middle ground? Is there a place for temporary agents; if so, when and where?
  • Are the National Vulnerability Database, the Common Vulnerabilities and Exposures (CVE) list and the Common Vulnerability Scoring System (CVSS) adequate?
  • A common mistake is assessing a vulnerability without looking at the whole picture. What factors should be evaluated in assessing risk and evaluating vulnerabilities?
  • What are the best practices for protecting against zero-day exploits? How can network hardening, security monitoring and defense-in-depth be leveraged to reduce the “attack surface”?

Social Media and Web 2.0 in the Workplace: RT@OMG Not UR BFF


Moderator
Tammy Moskites
VP and Chief Information Security Officer
Time Warner Cable
ISE North America People's Choice Award Winner 2010

Like it, Friend it, Share it, Tweet it, Retweet it, Surf it, Text it, View it, Post it, Upload it, or Hate it – Just don’t ignore it. The strong push of Gen-X and Gen-Y means that companies are not going to get by with saying “no.” An unstoppable force, social media has become firmly entrenched in the workplace, forcing employers to face a growing list of concerns stemming from employees’ use of outlets such as Facebook, Twitter, LinkedIn, YouTube or any of the many other Web 2.0 applications available for social networking.

While many companies have come to accept social media for recruiting, brand development, connecting with customers and partners and internal collaboration, the use of social media – both inside and outside the workplace – is not without its risks. While the most obvious problem may be lost time and decreased productivity, improper use and conduct can leave a company open to the exposure of personal data in the workplace; the release of corporate data to the public; the risk of identity fraud; and a host of security, governance and compliance challenges. Further, unsecured VPN gateways resulting from the use of Web 2.0 applications can introduce rogue traffic and malware. Now, with the proliferation of third-party applications for mobile devices, the complexity and diversity of security issues becomes even greater as users download unsecured applications.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Regulation of off-hours conduct gives rise to privacy issues. The balance between the rights of the employer versus one’s right to freedom of speech is unclear. Courts are increasingly finding that content on social media sites is discoverable in litigation. What are best practices for getting ahead of the situation?
  • What real-world examples are you seeing that demonstrate how social media can be used appropriately with security in mind?
  • Compliance as an inhibitor: discuss legal and compliance factors that may prevent a company from embracing the use of social media.
  • The availability of social media applications on mobile devices makes site blocking futile. People lose phones and download insecure apps. What special considerations and precautions should be given to mobile devices and cell phone security?
  • Inappropriate dialogue, illegal recruitment practices, impersonation: staff behavior can lead to any number of legal ramifications. What needs to be in an Acceptable Use Policy, and how can it be enforced? Who is the responsible party: IT, Security, Legal, HR?
  • What are the best ways to optimize employee productivity with web application and filtering controls?
  • Keeping track of time – discuss ways to monitor and manage.
  • Discuss best practices for methods to prevent information leaks and data loss.
Copyright © 2012 Tech Exec Networks, Inc. All Rights Reserved.   |  Site design by Surface Interactive