"The online business magazine at the heart of international business management news..."
Issue 9

E-magazine
  • Previous Issues

Blog

Spencer Green
Chairman, GDS International

Sales and the 'Talent Magnet'

A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
25 May 2011

Playing it safe – Preparing for Worst-case Scenarios


Companies need to ensure defenses are up and constantly ready to battle against every worst-case scenario. But, asks Frances Davies, is enough being done?

Ask many organizations today what their top priorities are and they are almost certain to mention security. This should come as no surprise: a recent RSA security conference in San Francisco attracted record attendance and included such high-profile speakers as Bill Gates, Larry Ellison and Colin Powell, a fitting testament to how large the issue of security now looms on the corporate radar. Organizations increasingly find themselves in a position where they must relentlessly identify and prevent attacks and, in the worst cases, recover from them. According to a recent Senforce Technologies survey, 23 percent of respondents said their organization had reported a network security breach in the last 18 months, while another 25 percent admitted they didn't even know whether such a breach had occurred.

A breach can have a devastating effect on a company, and not just financially. It can also irreversibly damage a reputation and brand image that have often taken years to build. The recent revelation that TJX Companies, the parent company of retailers including TJ Maxx, Marshalls and Homesense, had lost the personal information of millions of its customers in what is thought to be the largest theft of consumer data in the US is one such unfortunate example. Astonishingly, this wasn’t the first time customer data had been compromised at the company; another security breach had occurred nine months earlier. Having not heeded that warning, the company failed to safeguard its data and now has to overhaul its security procedures, apologize to millions of customers who bought goods between 2003 and 2006 and face significant legal action; 19 independent class action lawsuits have already been filed. Furthermore, the incident could spur federal disclosure legislation and increased scrutiny of corporate data management.

The case is a sharp reminder that companies neglect security at their peril; gone are the days when spending on security was seen as a minor expenditure. “The traditional view that security is an unnecessary cost, with little or no benefit to the organization, has gradually changed over the past few years,” stresses Doug Philbin, CIO at engineering and construction company Parsons Corp. “Virus attacks of a few years ago were the first impetus to changing this view. The more recent requirements to meet stringent government project execution standards and regulatory calls for increased confidentiality are the latest factors in driving home the importance of a sound security posture.”

Threatening behavior

Security breaches can cast a long shadow over the reputation of a company, even one with a spotless track record. Trust is a precious thing for customers to place in a company, and once lost it is difficult to recapture. “Our clients’ trust is our most precious asset,” acknowledges Paul Heller, CIO at Vanguard, one of the world’s largest investment management firms. “To that end, we have invested millions of dollars and countless human resources to mitigate these risks.”

Despite this investment, however, each year brings a new set of challenges for which organizations have to prepare. Spyware continues to be an enormous problem, as gaining access to personal data and exploiting it becomes more profitable for criminals. A recent survey by Webroot Software Inc. indicates the scale of the problem: more than 40 percent of the companies surveyed said spyware was causing business losses, while 26 percent of enterprises reported that confidential information had been compromised as a result of spyware.

Trojan attacks, system monitors, pharming and keylogging are all tiresome threats that companies are forced to deal with on a regular basis. Even something as seemingly harmless as a social networking site can turn into a security nightmare, since malware can be hosted on these services. Visiting blogs, chat rooms and other social networking tools is a popular activity during breaks and lunchtimes; a report by consulting firm Clearswift found that, of more than 800 employees across a range of industries, more than half spent at least an hour a week on such services.

Unsurprisingly, there are similarities between the security concerns of different companies. One of the biggest is the laborious job of identifying and then preventing attacks. In many cases it is a thankless task that keeps a company from getting on with real, value-adding work. The harsh reality is that as soon as one threat is quashed another pops up: attackers simply move on to other vulnerabilities in a system as soon as one is patched. “There is so much threat out there in the network today that administrators are spending a huge amount of time just struggling to keep up with every new threat,” says Tony Redmond, Vice President of Security at Hewlett Packard. “One CIO told me recently that a number of his company’s administrators do no useful work as they spend all day, every day struggling to deal with threats.”

In support of this account, a study by Nucleus Research and KnowledgeStorm found that two out of every three e-mails received by businesses today are spam. The result is the loss of valuable business time as workers struggle to contain the problem by identifying and deleting each pointless message.

Guessing games

As networks become increasingly complex, it becomes harder to predict the likelihood of a new attack. With many organizations operating all over the world, with staff who are increasingly mobile and with networks accessed by a multitude of users, it is all the more important to ensure that unauthorized users are kept out. “Parsons operates a diverse, global network infrastructure, with offices in the Middle East, Europe, Asia and the Americas,” says Philbin. “Many of these offices are shared with clients and partners, some of whom may be direct competitors to Parsons. In addition, we support an extremely mobile workforce that needs access with appropriate levels of authentication to ensure that only approved people and devices are able to connect to our network infrastructure.”

Laptops, smart phones, PDAs and the like have certainly made life easier for many employees who travel as part of their job, but this increased mobility has also brought added security worries, since a company’s applications can now be accessed from anywhere. Strict policies and procedures are therefore needed. “CIOs understand that mobility is high and therefore need to consider how to have control over these devices so that if they are lost the sensitive data on the device can be wiped remotely,” advises Redmond. “They also want to be able to automatically and consistently assign policies to the devices so that, for example, users are forced to enter passwords before they can get at data. They need to be able to ensure that passwords are of a particular quality and that there are automatic timeouts so that if you don’t use the device for 15 minutes then a password blocker comes up. We will see more of these requirements coming through from CIOs as corporate security departments become more aware of the vast amount of sensitive data that is being carried around on these mobile devices.”

If the worst happens, business continuity is vital. However, a recent survey by the Xiotech Corporation revealed that although many companies are investing in IT to support business continuity, many of the respondents did not seem to have a good handle on the various risks that could affect their company. Only 49 percent of respondents indicated they had quantified the type and likelihood of risks that could impact their organization's ability to continue operating. Companies need to have a solid understanding of the spectrum of risk – something that isn’t always that easy to foresee. “Business continuity is definitely something we hear time after time as a challenge from CIOs,” says Redmond. “This involves knowing how to keep things going when you operate in a world threat. Disasters that could happen might include the radical infection of a network by a very virulent worm or virus that infects a large proportion of an infrastructure, takes servers offline and stops applications running. The overall impact of such an infection depends on the servers and the applications affected, but for most companies, an attack on their systems would be pretty dramatic. There is a need to come up with new and improved ways to resist an attack.”

Adding to an already complex task is the necessity to meet various regulatory and standards requirements, covering both information security standards and rules introduced in the wake of corporate and financial data scandals. For instance, Sarbanes-Oxley was introduced to guarantee integrity in accounting and reporting practices. Compliance is a vast issue for enterprises to deal with, but it is vitally necessary in order to help protect information. “Internationally, there is a growing requirement for information security programs that conform to ISO standards, such as ISO 17799,” explains Philbin. “While there may be some technical measures that result from implementing these regulations and standards, they do not call for a purely technical solution. The ever-changing regulatory environment requires an appropriate policy structure, awareness that these policies may have to be tailored for specific environments due to conflicts between regulations and standards and, finally, alertness to changes in the pertinent regulations and standards.”

Technology

Updating procedures and technology along with constant training are all necessary steps to thwart a security threat. Companies have adopted diverse measures to ensure they do not become a target. “We have a broad plan in place that touches every aspect of security and we will continue to invest heavily in solutions that make sense for the enterprise and our clients,” explains Heller. “We’ve centralized our efforts within a security operations center that monitors our environment, and we’ve increased the number of people dedicated to security issues within the organization. We have invested in the best tools in the industry to monitor, protect and prevent security risks. And perhaps most importantly, we have improved awareness at all levels of the company about security issues, and risk management discussions take place at the most senior levels of management.”

These days it is pretty much standard practice for companies to have some form of anti-virus protection, filters to log or block outbound e-mail that might contain sensitive data, as well as strict authentication and verification tools. But listening to feedback could also prove to be a useful weapon in the CIO’s arsenal. “One of the best ways we respond to security issues, and more general technology needs, is by listening to our clients,” continues Heller. “We vigorously collect and act on client feedback.”

Deploying an encryption system that acts as a barrier to prevent information being read following the loss or theft of equipment containing sensitive data is another wise security measure. Parsons is planning to roll out such a system this year onto PCs holding the most sensitive corporate data, such as business development, legal or financial data. “Our PC encryption project reduces the chance that PII data will be disclosed due to the loss or theft of an employee’s PC,” says Philbin.

Finally, network access control (NAC) solutions are able to limit the damage from security threats. At Parsons, control over which devices may connect is enforced by such tools. “Computing assets are interrogated by NAC to determine their validity and security posture before granting access,” says Philbin. “NAC policies can automatically deliver upgrades such as patches and anti-virus updates to bring computers into compliance.”
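As an added example, not code from Parsons, HP or any product mentioned in this article, the Go program below shows the kind of admission decision a NAC system makes from the posture Redmond and Philbin describe: a connecting device is interrogated for passcode, auto-lock, remote wipe, disk encryption, anti-virus signature age and missing patches, and is then allowed on, parked on a remediation network together with the fixes NAC should push, or denied. The field names, the thresholds other than the 15-minute lock, the placeholder patch name and the sample devices are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Endpoint is the posture a NAC/MDM agent reports; this field set is the example's assumption, not a product schema.
type Endpoint struct {
	Name            string
	Managed         bool      // enrolled with the corporate management agent
	DiskEncrypted   bool      // full-disk encryption active
	RemoteWipe      bool      // can be wiped if lost or stolen
	PasscodeLength  int       // 0 means no passcode is set
	AutoLockMinutes int       // 0 means the device never locks itself
	AVSignatureDate time.Time // last anti-virus signature update
	MissingPatches  []string  // critical patches not yet applied
}

// Policy is the bar every device must clear before it reaches the network.
type Policy struct {
	MinPasscodeLength  int
	MaxAutoLockMinutes int
	MaxAVSignatureAge  time.Duration
	RequireEncryption  bool
	RequireRemoteWipe  bool
}

type Verdict string

const (
	Allow      Verdict = "ALLOW"      // full network access
	Quarantine Verdict = "QUARANTINE" // remediation VLAN: patch and AV servers only
	Deny       Verdict = "DENY"       // cannot be brought into compliance remotely
)

// Decision is what the enforcement point (switch, VPN gateway, MDM) acts on.
type Decision struct {
	Verdict      Verdict
	Findings     []string // every failed check, not just the first
	Remediations []string // actions NAC can push over the remediation VLAN
}

// Evaluate checks one endpoint against the policy. Failures management can fix
// remotely give QUARANTINE plus a remediation; failures it cannot fix give DENY.
func Evaluate(p Policy, e Endpoint, now time.Time) Decision {
	d := Decision{Verdict: Allow}
	hard := false
	fail := func(msg string, fixes ...string) {
		d.Findings = append(d.Findings, msg)
		d.Remediations = append(d.Remediations, fixes...)
	}
	if !e.Managed {
		fail("not enrolled in device management")
		hard = true
	}
	if p.RequireEncryption && !e.DiskEncrypted {
		fail("disk not encrypted")
		hard = true
	}
	if p.RequireRemoteWipe && !e.RemoteWipe {
		fail("remote wipe not enabled", "enable remote wipe")
	}
	if e.PasscodeLength < p.MinPasscodeLength {
		fail(fmt.Sprintf("passcode length %d below minimum %d", e.PasscodeLength, p.MinPasscodeLength), "push passcode policy")
	}
	if e.AutoLockMinutes == 0 || e.AutoLockMinutes > p.MaxAutoLockMinutes {
		fail("auto-lock missing or too long", fmt.Sprintf("push %d-minute auto-lock", p.MaxAutoLockMinutes))
	}
	if now.Sub(e.AVSignatureDate) > p.MaxAVSignatureAge {
		fail("anti-virus signatures out of date", "push AV signature update")
	}
	if len(e.MissingPatches) > 0 {
		patches := strings.Join(e.MissingPatches, ", ")
		fail("missing critical patches: "+patches, "install patches: "+patches)
	}
	switch {
	case hard:
		d.Verdict = Deny
	case len(d.Findings) > 0:
		d.Verdict = Quarantine
	}
	return d
}

func main() {
	now := time.Date(2007, 6, 1, 9, 0, 0, 0, time.UTC)
	policy := Policy{MinPasscodeLength: 6, MaxAutoLockMinutes: 15,
		MaxAVSignatureAge: 72 * time.Hour, RequireEncryption: true, RequireRemoteWipe: true}
	// Constructed sample endpoints; the patch name is a placeholder, not a real advisory.
	devices := []Endpoint{
		{Name: "laptop-ok", Managed: true, DiskEncrypted: true, RemoteWipe: true,
			PasscodeLength: 8, AutoLockMinutes: 10, AVSignatureDate: now.Add(-24 * time.Hour)},
		{Name: "laptop-stale", Managed: true, DiskEncrypted: true, RemoteWipe: true,
			PasscodeLength: 8, AutoLockMinutes: 60, AVSignatureDate: now.Add(-240 * time.Hour),
			MissingPatches: []string{"critical-patch-A"}},
		{Name: "contractor-pc", Managed: false},
	}
	for _, dev := range devices {
		d := Evaluate(policy, dev, now)
		fmt.Printf("%-14s %-10s %v -> %v\n", dev.Name, d.Verdict, d.Findings, d.Remediations)
	}
}
```

Running it prints one line per sample device. Two design points matter in practice: every check runs and every finding is recorded, so a user parked on the remediation VLAN sees the whole list at once instead of being bounced back after each fix; and a failure that management cannot repair over that VLAN, such as an unmanaged or unencrypted machine, is a denial rather than a quarantine, because quarantine only helps when remediation can succeed.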

Reactive to proactive

Despite all these precautions, Redmond believes that there needs to be an overhaul in attitudes toward protection. “The reactive kind of management that we have seen so much of in today’s defense environment is struggling to keep up with the volume of threats,” he says. “Whereas people can continue to erect very strong perimeters with things like anti-intrusion devices, anti-spam, anti-virus, firewalls and so forth, the fact remains that the security infrastructures that we are building are so complex that it is easy to make a mistake. We have to move from reactive to proactive. This means that the devices we put on the network (network switches, routers, servers, workstations, PCs) have to be capable of protecting themselves at least against simple attacks and then gradually, over time, complex attacks.”

According to Redmond, the perfect scenario would be for technology to be able to detect and then warn administrators of a problem so that they are able to take action to fix the problem. Currently this concept is still in its infancy. “We are still not at the level of sophistication that we should be because administrators are still taking manual steps to fix the problem,” he explains. “It would be good to reach a stage where we have the ability to self-heal after an attack and to be more self-repellent so that we don’t even allow the attacker onto the network component. Today we have to allow it in before we can even identify its presence. The switch from active security management to proactive security management seems to be a very good approach to solve the problem. We can’t let the situation go on, we must be more resilient in the future.”

Most companies now understand the harshness of the security threat epidemic. It is a plague that is here to stay and one that is virtually impossible to eradicate completely. Good security planning can certainly go a long way toward reducing the risk, although it takes a great deal of organizing, a highly structured approach and commitment throughout the company to achieve tight security. Even so, and even with the best intentions, the constantly evolving nature of threats means that nothing is guaranteed.



Four before bedtime

Allison M. Everett, CIO of Kelly Services and Rick Gonzalez, CIO of Land America, identify four security issues that keep them awake at night.

Data leaks and data access

Loss of data, even when accidental, can be a disruptive and costly ordeal for any company. “A number of years ago I was doing some consulting work for a company and many of their customer records accidentally found their way into the public domain,” recalls Gonzalez. “This incident consumed the company for about two months. We have a pretty comprehensive program of safeguarding things here, but it is a major concern.”

Striking a balance between protecting data and keeping it accessible to authorized personnel is a tricky task, and a solution is often hard to find. “Controlling access to proprietary and sensitive data as it spreads outside the boundaries of traditional company controls is one of our biggest concerns,” says Everett. “We need to balance the accessibility of data with our responsibility to protect it appropriately. Data spreads outside traditional controls in a number of ways, such as personal devices and electronics, use of personal web-mail, use of ASPs and other internet hosting services and an increasing drive toward a mobile workforce.”

Beyond the company’s own staff, there is the further security dilemma of people who work with the company but are not part of it, such as attorneys and insurance agents who need some level of access to its systems. Unsurprisingly this is an added concern for Gonzalez and his team: “This poses a challenge as we can’t completely control their environment. There are strict sign-up procedures and strict vetting of these people, but this is something that requires careful management.”

Governance

Complying with regulations adds a further complication to safeguarding data, and the situation isn’t helped by the myriad of laws and requirements that need to be met. According to a recent IBM survey, 64 percent of CIOs surveyed see security compliance and data protection as one of the most significant challenges facing IT organizations. Currently, according to Everett, there is a need for standardization across the board. “There are many state laws, plus numerous international laws pertaining to specific controls of certain data types. These controls affect where data must be stored, who has access, and so on. The landscape of privacy laws is cluttered, and keeping track of them is challenging.”

Sarbanes-Oxley, the legislation introduced in response to several financial and accounting scandals, notably those at Enron and WorldCom, has had a far-reaching effect on companies throughout the US, pushing them toward more honest and transparent financial reporting. “The Sarbanes Oxley regulations have demanded that we pay a lot more attention to safeguarding particularly when it comes to locking down our financial information and the access to our financial systems,” highlights Gonzalez. “This is something that didn’t exist five years ago. Now we are virtually forced by legislation to address these issues.”

Hacking and zero-day threats

The continual growth of the hacker community is another key problem. Luckily, Gonzalez has long experience of dealing with this kind of incessant menace. “I used to work for the NASDAQ stock market for a number of years and this used to be a prime target for every hacker in the world. We are not as much of a target but we still get run-of-the-mill viruses coming through. There is a need to be really diligent about your patch management and your virus protection programs. We are extremely diligent with them. Those are the main things that we think about in terms of security.”

Zero-day threats are another aspect of security that Everett and her team need to watch closely. Zero-day attacks are increasingly damaging networks by exploiting vulnerabilities for which no fix yet exists. “The length of time between the discovery of a vulnerability and the ability to exploit it has decreased from almost one year in 2001 to just a few days today – if we’re lucky,” says Everett. “The number of zero-day exploits is growing, and even today there are many known vulnerabilities that have no patch available.”

Mobility

Mobile devices such as laptops and PDAs are a godsend for employees who have to travel but still need access to email and other systems. The flip side of that mobility is that a lost device can cause havoc if the sensitive data it holds falls into the wrong hands, and even the most reliable people get distracted and misplace equipment. “Lost or stolen laptops – or other mobile devices – especially those containing potentially sensitive data, is another challenge,” warns Everett, who suggests that encryption may help. “Disk encryption can mitigate this, but encryption can also create its own set of challenges.”
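Parsons’ PC encryption project earlier in the article and Everett’s caveat that encryption “can also create its own set of challenges” both turn on key management: if the only way to unlock a disk is the user’s passphrase, a forgotten passphrase or a departed employee turns protection against thieves into a loss for the company. The Go code below is an added example, not Parsons’, Kelly Services’ or any vendor’s implementation, and reading the “challenges” as key recovery is an assumption made here. It wraps a random data-encryption key twice, under a passphrase-derived key and under an IT-held recovery key, which is the key-slot pattern full-disk encryption products use. PBKDF2 is written out in full so the example needs only the standard library; the type and function names, key sizes and iteration count are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Volume stands in for the key-slot header of an encrypted disk. The random
// data-encryption key (DEK) that actually encrypts the disk is stored only in
// wrapped form: under a key derived from the user's passphrase, and under a
// recovery key that IT keeps in escrow, so a forgotten passphrase or a departed
// employee does not mean lost data.
type Volume struct {
	Salt         []byte // salt for the passphrase KDF
	UserSlot     []byte // DEK sealed under the passphrase-derived key
	RecoverySlot []byte // DEK sealed under the escrowed recovery key
}

const kdfIterations = 20000 // low for the example; use far more in practice

// must panics on errors that cannot happen with the fixed key sizes used here
// or that are unrecoverable (CSPRNG failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pbkdf2SHA256 is single-block PBKDF2-HMAC-SHA256 (RFC 8018), written out so
// the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// seal encrypts and authenticates data with AES-256-GCM under a 32-byte key,
// prefixing the random nonce to the output.
func seal(key, data []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, data, nil)
}

// open reverses seal; a wrong key or a tampered blob fails authentication
// rather than returning garbage.
func open(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Provision generates a fresh DEK and salt and wraps the DEK under both keys.
// It returns the DEK so the caller can encrypt the volume contents with it.
func Provision(passphrase string, recoveryKey []byte) (*Volume, []byte, error) {
	if len(recoveryKey) != 32 {
		return nil, nil, errors.New("recovery key must be 32 bytes")
	}
	dek, salt := make([]byte, 32), make([]byte, 16)
	must(rand.Read(dek))
	must(rand.Read(salt))
	kek := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations)
	v := &Volume{Salt: salt, UserSlot: seal(kek, dek), RecoverySlot: seal(recoveryKey, dek)}
	return v, dek, nil
}

// OpenWithPassphrase is the normal unlock path: derive the KEK, unwrap the DEK.
func OpenWithPassphrase(v *Volume, passphrase string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(passphrase), v.Salt, kdfIterations)
	return open(kek, v.UserSlot)
}

// OpenWithRecoveryKey is the help-desk path when the passphrase is lost.
func OpenWithRecoveryKey(v *Volume, recoveryKey []byte) ([]byte, error) {
	return open(recoveryKey, v.RecoverySlot)
}
```

OpenWithPassphrase and OpenWithRecoveryKey both return the same DEK, which the caller then uses with seal and open for the volume contents, so the user never types the recovery key and IT never learns the user’s passphrase. The escrowed recovery key is now the asset to protect: it has to be stored, access-controlled and audited as carefully as the data it unlocks, which is exactly the kind of challenge that encryption brings with it.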

Ensuring that employees are aware of security procedures is a must, so every year employees at Land America must confirm that they are up to date with, and understand, the company’s security expectations. “General security awareness on the behalf of our employees is an issue we are concerned about,” says Gonzalez. “Many of our employees have laptop computers and go off site. We also have mobile workers using PDAs. We have a program that requires employees to read a fairly extensive security-related policy that outlines the do’s and don’ts of what you are allowed to do and what you are not, just so they are aware of our security program. They then need to sign it every year.”

Inside security

Sprint Nextel’s CIO Richard Lefave gives his insight into the security practices that are making a difference at his organization.

BM. What are your priority security issues?

RL. Customer privacy is probably number one on the list along with the basics of Sarbanes Oxley compliance and the associated regulations. We pay a lot of attention to payment cards and securing information as well as ensuring anti-virus protection. We also make sure we have the appropriate access for customers when it comes to using the systems.

BM. What technologies are helping to tighten security and make your job easier?

RL. There are two parts. First, there is the old-fashioned way, which involves basic access whether on the physical or the procedural side. Certainly anti-viral software has made the job easier. We keep anti-virus software active and monitored to ensure that it meets compliance requirements so that our systems (mid-range, enterprise or desktops) are synchronized and protected. Providing database encryption along with protecting the hardware is very important.

Access control is also something we take seriously. This makes sure that people who are supposed to get into the system actually do. Having an identity management process for protection is very important. At the back end of this is audit logging – this makes sure we have a mechanism to evaluate the people who are accessing the system. We also have to ensure that this meets regulatory compliance.

BM. Would you say that in general security is the top priority today for organizations?

RL. I would say so. At the end of the day it is almost imperative that a company provides a trusted environment for its customers. We have a compliance group that focuses on this and ensures that the policies and regulatory laws are followed explicitly. We focus on requirements and also make sure that our internal policies are being adhered to. We look at a variety of basic security activities around the country to see if we are in compliance, whether it be in our industry or outside, so that we can enhance ours and make it even better. Benchmarking activities are very important and we work within our own industry with various different agencies to help make sure we have great compliance.

