ISE® Northeast executive forum 2010

The Dark Side of Industry Consolidation: Mapping a Safe Path Through Vendor Consolidation


Guest Moderator
Jim Routh

Global Head of Application Security
JP Morgan Chase

The security technology industry is consolidating due to mergers and acquisitions, resulting in fewer but larger players. While there are many drivers that attract one company to buy another, a common force currently driving consolidation is that larger vendors are looking for ways to provide broader, end-to-end solutions that go beyond what they can assemble in-house. Acquisition offers a way to leverage the trend toward a greater user preference for best-of-breed components while defending their positions as end-to-end solution providers.

While these are clear benefits, vendor consolidation is not without its dark side. What may happen to the acquired vendor and its technology is often an open question. Vendor consolidation impacts vendor relationships, technology direction and customer support; elevates concerns about the safety of existing and new investments; and adds uncertainty and risk that are best avoided.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are the best practices for protecting your company before bringing a best-of-breed technology in-house? What due diligence should be performed, and what hard questions should be asked?
  • Legal can be your best friend. How can contracts be leveraged to ensure optimum protection of technology, security, services and support?
  • How can organizations map a safe path through vendor consolidation? What are strategies for handling vendor relationships going forward?
  • What are the potential benefits to be gained as a result of a technology acquisition and becoming a customer of the acquiring vendor?
  • Do you stay or do you go? At what point do you create an exit strategy and make the call to part ways?

Trends In Identity and Access Management: Transforming Security into an Enabling Function


Guest Moderator
Mark Coderre
Head of Security Architecture
Aetna
Hartford, CT

The digital world is dramatically altering the way business gets done, resulting in numerous security challenges for organizations. The internal corporate network is now a connected web of people and devices as more employees work remotely, and partners, customers and vendors are given access to corporate systems and sensitive data. This connected business model often means managing access for users the company knows little about. To complicate matters, cloud-based applications are on the rise, bringing more challenges to managing user security. Layered on top of these business considerations is the requirement to meet industry-specific standards and comply with regulations such as HIPAA, SOX and PCI. Businesses must prove accountability around data access and management.

As businesses mature, they must be able to manage rapid change, establish effective formal governance, and provide accountability through transparency. Identity and access management and compliance solutions form the cornerstone of an organization's governance, risk and compliance strategy and serve as a basis for transforming security into an enabling function. Implementing these programs can be complicated and time-consuming, but enterprises may be able to simplify the process and make tangible contributions to enterprise business goals if they consider vendors that are developing ways to integrate IAM offerings with other compliance solutions.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What are the characteristics of a world-class IAM program? Can IAM, IT and the enterprise peacefully co-exist? What does the future hold for IAM as it evolves?
  • What role does identity management play in the cloud? What are the differences between traditional IAM and cloud computing IAM in terms of drivers and requirements? How are solution providers addressing cloud IAM needs?
  • What are the best ways to articulate the business value of IAM programs? How can you develop a framework to link security and IAM strategy to business strategies?
  • Discuss the emerging integration of IAM and DLP. What are the ways that IAM enables DLP, and vice versa? How does the integration make both systems more valuable?
  • What are the capabilities and limitations of IAM audit functions? Is security information and event management technology an answer? If so, how can SIEM technology be used to fill IAM audit gaps?
  • The value of service-oriented architectures is business agility. How might integrating IAM into SOA ease IAM deployments?

The Consumerization of IT: Better Known as BYOT (Bring Your Own Technology)


Larry Brock Guest Moderator
Bradley Maiorino

CISO, GE Corporate Division
General Electric (GE)

Consumer technology's momentum has reached a dizzying pace. The estimated number of application downloads in the Android market, for example, passed the 1 billion mark in mid-2010. With the emergence of a multi-generational workforce, boundaries between work and personal technologies are diminishing. The newest generation of workers, for example, grew up using personal computers, laptops, mobile phones, iPhones, iPods – and now iPads. Technologies originally aimed at consumers, such as thumb drives, instant messaging, smartphones and handheld audio and video players, are now at home in the business world.

While the use of consumer technology can spark innovation and enable business on many levels, the unsanctioned and unmanaged use of consumer technologies can present serious risk and raise numerous security concerns. As if the security issues weren’t enough, the legal ramifications of intermingled business and personal use can be even more troubling. What happens when employee blogging gets out of control? Who owns the device? Who owns the data? The concerns are legitimate, but a power shift is underway and security executives can no longer afford to ignore consumer electronics and dismiss the trend.

Dive deeper into the discussions and share your ideas with your executive peers:

  • The rank and file are often the first to understand how new technology can transform a business. How can a company assess the risk and govern its use without stifling innovation? What policies – particularly security policies – should be implemented to govern the use of consumer technologies in a business setting?
  • Consumer technology is recognized as being beneficial to businesses. What technologies should a company “green-light”? What technologies, if any, should be blocked altogether? Is there a middle ground?
  • What are the legal ramifications of mixing business with personal? Who owns the device? Who owns the data? What happens when an employee leaves?
  • The use of personal technology instead of company-supplied technology can present a cost saving to the business. Is it worth the trade-off in security? Should an employee be compensated for using personal technology to enable business?
  • It’s said the discussion about consumer tech is a microcosm of a much larger one: whether IT is going to have to relinquish control almost entirely to users. Yes? No? Maybe?

Outsourced or Outsmarted: How to Avoid the "Gotchas" in Outsourcing


Guest Moderator
Roseann Larson
Vice President of Global Information Systems – Risk Management and Compliance
Estee Lauder

It seems like a win-win: Outsource that non-critical function, save money, increase efficiency, tap into deep expertise and reap the rewards of having your IT teams focus on mission-critical work. But along with the benefits comes the need to provide outsourcers with access to sensitive corporate assets.

From offshore to near shore, front office to back office, network monitoring to HR, security challenges surface whenever business processes are moved outside of the confines of the firewall. Whether it be legal liability, compliance issues, brand risk or customer concern, the more eyes and hands you have on your data, the greater the risk of something going wrong. This problem is magnified by the fact that your data may be stored on many different computers and the people accessing your data may well be on the other side of the world.

Data risks and security challenges are an inherent problem for companies that outsource. While most outsourcing firms are trustworthy and responsible, some aren't. As the saying goes, “you can outsource anything except your liability.” So how do you align your outsourcing effort with business goals while protecting the data?

Discuss in this roundtable:

  • What are some of the functions that organizations continually outsource that they shouldn't?
  • Recognizing the red flags – what due diligence should you do and what are the warning signs you should heed in making outsourcing decisions?
  • What best practices can organizations adopt to ensure control is maintained over the security of the company, its data and its operations?
  • Negotiating contracts and service-level agreements – what are some of the “gotchas”? To what extent can you expect a vendor to tailor its service offerings to your requirements?
  • What are the earmarks of a good audit process and how deep should it reach into a vendor’s operations? Can you, should you, audit your vendor’s vendors? If so, how?
  • What steps need to be taken to ensure adherence to privacy laws, state and federal regulations and industry standards?
  • What are the prominent causes of failure, and how can you avoid the traps and pitfalls?

Secure Social Networking: Is there an App for That?


Guest Moderator
Deborah A. Snyder

Chief Information Security Officer
NY State Office of Temporary and Disability Assistance, Division of Legal Affairs


Facebook, Twitter, LinkedIn, YouTube, MySpace. Love it or hate it, social media is part of the business world and it’s here to stay. Social media empowers businesses to build a brand, expand their reach, connect with customers and partners and facilitate the “flow of business.” While leveraging online communities presents great opportunities, many security executives express frustration over the dilemma of how to make social media available for business reasons without exposing themselves to unnecessary security risks.

Employees who toggle between “friending” on Facebook and “businessing” on corporate systems leave a company open to the exposure of personal data in the workplace; the release of corporate data to the public; the risk of identity fraud; and a host of security, governance and compliance challenges. A perfect storm is brewing between the number of people using social media and the increasingly sophisticated malware attacks being launched to prey on the data. Now, with the proliferation of third-party applications for mobile devices, the complexity and diversity of security issues become even greater as users download unsecured applications and use mobile devices for personal reasons. Financial firm USAA, for example, allows customers to deposit a check from their mobile phones by using a "remote capture" of an image of the check.

Discuss how executives, security teams and vendors are developing technologies and best practices to prevent the inappropriate exposure and exploitation of personal and corporate data through social computing.

  • What are the key drivers for developing a strategy for an organization around social networking in today’s blended environment?
  • Gaining an understanding of social-application governance: what are the best practices and “gotchas” in building a social governance program that fits your organization’s culture and industry?
  • From a lost phone to an insecure app, what special considerations and precautions should be given to mobile devices and cell phone security?
  • What types of policies should be built into your secure web gateway program, such as application whitelisting and content filtering?
  • What are the best ways to optimize employee productivity with web application and filtering controls?
  • Discuss best practices for methods to prevent information leaks and data loss.

Securing The Cloud: Is it Possible?


Deb Snyder Guest Moderator
Linda Cooper Angles

Corporate Information Security & Governance Officer
The Guardian Life Insurance Company of America

The benefits of cloud computing—accessing your data and applications stored on remote hardware by way of the Internet instead of keeping it all in your local workstation—still require a leap of faith for many. But now that a workstation can go anywhere as a smart phone, a stripped-down netbook or even an e-book reader, it's practically a virtual desktop operating in conjunction with a virtual server. If the user can be anywhere, so can the source for data and applications. Cloud computing represents a significant opportunity for enterprises to increase flexibility, gain access to best-of-breed applications, add capacity on demand and boost infrastructure resources – all at negligible cost.

As more information on individuals and companies is placed in the cloud, attention must be turned to how safe an environment it is and how we assess security and perceive risk. In the cloud, it’s difficult to physically locate where data is stored. While the cloud provider is the custodian, the data owner is still legally responsible for protecting the privacy and integrity of that data. Further, the “richer the pot of data,” the more attractive it is to cyber crooks. Security processes, once visible, are now hidden behind layers of abstraction. Even the most basic tasks, such as applying patches and configuring firewalls, may become the responsibility of the cloud operator, not the end user. While the intent of security remains the same - to ensure the confidentiality, integrity and availability of information - cloud computing shifts control over data and operations.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What best practices are emerging as organizations work their way through the “loss of control” issues as information is moved to a third-party provider?
  • What steps can security executives take to ensure that service providers implement, deploy, and manage security at an appropriate level?
  • As organizations increase the number of cloud applications, the risk of undetected zombie accounts and over-privileged users increases dramatically. How can security executives take the pain and complexity out of user provisioning and management for cloud applications and keep control “inside the firewall”?
  • As sensitive data is moved to the cloud, what is the expectation of privacy issues and the impact of jurisdiction?
  • What tough questions are you asking about data integrity and recovery; do you like the answers?
  • What is the impact of e-discovery, regulatory compliance, and auditing on the capability to move your organization to this environment?
  • What benefits and successes are organizations seeing; are the risks worth the rewards?

 
