<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>NOUVEL Blogs  &gt;  Management Awareness</title>
    <link>http://NouvelStrategies.com/E/Management-Awareness/Management-Awareness.html</link>
    <description>Having successful risk management, information security, and compliance programs involves keeping management aware of information risk. Most organizations already develop awareness programs to ensure staff members are aware of risk—and their responsibilities to help reduce risk. Smart organizations will develop awareness programs for senior management, to ensure they too are informed about information risk and are aware how critical their support is to control it.</description>
    <generator>iWeb 3.0.4</generator>
    <image>
      <url>http://NouvelStrategies.com/E/Management-Awareness/Management-Awareness_files/NOUVEL.Blog.jpg</url>
      <title>NOUVEL Blogs  &gt;  Management Awareness</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Management-Awareness.html</link>
    </image>
    <item>
      <title>Deloitte 2010 Financial Services Global Security Study</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/7/1_Deloitte_2010_Financial_Services_Global_Security_Study.html</link>
      <guid isPermaLink="false">28f25df2-aa80-4473-b3cd-bfb44bb05ef4</guid>
      <pubDate>Thu, 1 Jul 2010 07:00:32 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/7/1_Deloitte_2010_Financial_Services_Global_Security_Study_files/7th.2010.Deloitte-FSI-Global-Sec-0.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Management-Awareness/Media/object012_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:130px;&quot;/&gt;&lt;/a&gt;On Jun 17, Deloitte Touche Tohmatsu released their &lt;a href=&quot;http://www.deloitte.com/gfsi/securitysurvey&quot;&gt;2010 Financial Services Global Security Study&lt;/a&gt;. This is the 7th annual report issued by Deloitte’s Global Financial Services Industry Practice. There are a few cosmetic differences from the 2009 report that were initially confusing: &lt;br/&gt;	•	title changes: the 2009 report was titled the &lt;a href=&quot;http://www.deloitte.com/view/en_GX/global/article/decaf4021a001210VgnVCM100000ba42f00aRCRD.htm&quot;&gt;6th Annual Global Security Survey&lt;/a&gt;. The 2010 report is a “study”, not a “survey”, and “2010 Financial Services” has replaced “6th Annual”. &lt;br/&gt;	•	size change: the 2010 report is 40 pages long—seemingly 33% shorter than the 60-page 2009 report. Rest assured, the smaller size is the result of a more compact graphic design and smaller informational graphics.&lt;br/&gt;This year’s study is subtitled “The Faceless Threat” and it includes a discussion of cyber warfare and cyber crime, both topics on many national agendas. The study also includes a fascinating geographic analysis of security practices: the Asia/Pacific region (excluding Japan) has the best practices overall; the Middle East has the worst. 
The analysis includes social and cultural factors that may be driving the geographic variation—important reading for anyone working in a multi-national environment.&lt;br/&gt;I found three results from the study particularly interesting: barriers, metrics, and challenges:&lt;br/&gt;Major barriers faced in ensuring information security&lt;br/&gt;	•	36%: Lack of sufficient budget.&lt;br/&gt;	•	31%: Increasing sophistication of threats.&lt;br/&gt;	•	24%: Emerging technologies. &lt;br/&gt;Although the top three barriers listed are the same as in 2009, the percentages have dropped. The next three barriers are new for 2010:&lt;br/&gt;	•	21%: Lack of visibility and influence within the organization.&lt;br/&gt;	•	19%: Lack of support from lines of business.&lt;br/&gt;	•	19%: Lack of clarity on mandate, roles, and responsibilities. &lt;br/&gt;Clearly, the study demonstrates that the largest barriers in ensuring information security are organizational—not technical or external. This may be changing: in the study’s foreword, Adel Melek notes that the percentage of organizations reporting a lack of sufficient budget (36%) is the lowest in the history of the study.&lt;br/&gt;Measuring and demonstrating the value and effectiveness of the information security function’s activities&lt;br/&gt;	•	7%: Do not measure (down from over 40% in 2009).&lt;br/&gt;	•	25%: Have established metrics that have been aligned to business value (up from 0% in 2009).&lt;br/&gt;This is a huge shift, indicating that most security professionals are figuring out that the way to counter a lack of visibility and support within the organization is with data about the effectiveness of their security efforts.&lt;br/&gt;Top internal/external audit findings&lt;br/&gt;	•	38%: Excessive access rights.&lt;br/&gt;	•	31%: Excessive developers’ access to production systems and data.&lt;br/&gt;	•	31%: Insufficient segregation of duties.&lt;br/&gt;Top audit findings give a good indication about the most difficult 
challenges facing large organizations. They also give an indication about what auditors think is important—and by extension, what your security program should address as well.&lt;br/&gt;&lt;br/&gt;Information security surveys by the big four auditing firms (Deloitte Touche Tohmatsu, Ernst &amp;amp; Young, KPMG, and PricewaterhouseCoopers) provide an invaluable resource for organizations trying to improve their information security strategy. They highlight the direction in which organizations are moving, where organizations are having successes, and where they still face challenges. I encourage information security professionals to read Deloitte’s 2010 Financial Services Global Security Study and share it with their management.&lt;br/&gt;—Jim Herbeck </description>
      <enclosure url="http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/7/1_Deloitte_2010_Financial_Services_Global_Security_Study_files/7th.2010.Deloitte-FSI-Global-Sec-0.jpg" length="53136" type="image/jpeg"/>
    </item>
    <item>
      <title>PWC Information Security Breaches Survey 2010</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/6/1_PWC_Information_Security_Breaches_Survey_2010.html</link>
      <guid isPermaLink="false">0706ecc8-2aa2-40e4-8347-be2cb6c335d6</guid>
      <pubDate>Tue, 1 Jun 2010 07:00:48 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/6/1_PWC_Information_Security_Breaches_Survey_2010_files/2010.PWC-ISUK.ISBS.Exec-summary-0.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Management-Awareness/Media/object013_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:130px;&quot;/&gt;&lt;/a&gt;On Apr 28, PricewaterhouseCoopers released the &lt;a href=&quot;http://www.pwc.co.uk/eng/publications/isbs_survey_2010.html&quot;&gt;Information Security Breaches Survey 2010&lt;/a&gt;, during the Infosecurity Europe conference in London. PWC has been performing the survey on information security practices and incidents in the UK every few years since the early 1990s, typically on commission from the UK government. This year the survey was commissioned by the Infosecurity Europe event. Although the survey is based on data from UK companies, I think the trends observed can be generalized for multi-national businesses operating in other parts of the world as well. (In my own experience, British businesses tend to have more information security awareness than businesses in many other parts of the world.)&lt;br/&gt;The 2010 survey’s executive summary offers dramatic comparisons to results from the 2008 survey: &lt;br/&gt;	•	for small businesses, the number of security incidents doubled from 2008 to 2010. For large businesses, the number tripled.&lt;br/&gt;	•	for small businesses, the average cost of a respondent’s worst incident of the year doubled from 2008 to 2010. 
For large businesses, the cost tripled.&lt;br/&gt;Equally interesting were some new questions on the 2010 survey:&lt;br/&gt;	•	46% of large respondents had staff lose or leak confidential data.&lt;br/&gt;	•	68% of large respondents have been asked by their customers to demonstrate their compliance with security standards.&lt;br/&gt;For internal risk assessments, it’s often difficult to quantify the cost of being compromised—essentially, the cost of not effectively protecting information assets. Studies such as the Information Security Breaches Survey provide hard data for management about the value of a well-implemented risk management and information security program. I encourage information security professionals to read the report and share it with their management.&lt;br/&gt;—Jim Herbeck </description>
      <enclosure url="http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/6/1_PWC_Information_Security_Breaches_Survey_2010_files/2010.PWC-ISUK.ISBS.Exec-summary-0.jpg" length="156904" type="image/jpeg"/>
    </item>
    <item>
      <title>IPv6 Wakeup Call</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/5/1_IPv6_Wakeup_Call.html</link>
      <guid isPermaLink="false">ff437b2c-1acd-4192-bc2e-d7c29ba4a807</guid>
      <pubDate>Sat, 1 May 2010 07:00:44 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/5/1_IPv6_Wakeup_Call_files/IPv6.png&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Management-Awareness/Media/object007_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:127px;&quot;/&gt;&lt;/a&gt;Part of information risk management includes capacity planning: controlling the risk of outages, instability, or degraded service due to inadequate planning for future needs.&lt;br/&gt;Articles published last month were a wake-up call for organizations that don’t have a strategic plan in place for how they intend to migrate to Internet Protocol version 6, or as it’s more commonly known, IPv6. Without a plan, there’s a risk of network instability as the change from IPv4 to IPv6 occurs. And that date is now getting closer.&lt;br/&gt;In Apr, the Organization for Economic Co-operation and Development (OECD) issued the report “&lt;a href=&quot;http://www.oecd.org/dataoecd/48/51/44953210.pdf&quot;&gt;Internet Addressing: Measuring Deployment of IPv6&lt;/a&gt;,” noting that as of Mar, 2010, only 8% of the available 4 billion IPv4 addresses are still unallocated. &lt;br/&gt;To help put that into context, INTEC Systems Institute created the “&lt;a href=&quot;http://inetcore.com/project/ipv4ec/index_en.html&quot;&gt;IPv4 Exhaustion Counter&lt;/a&gt;” (shown to the left). Based on the rate of address allocation requests, the counter dynamically displays the date when the Internet Assigned Numbers Authority (IANA) will run out of IPv4 addresses, estimated to be sometime in Sep, 2011. At that point, the Regional Internet Registries will continue to allocate addresses from their “inventory”, which is estimated to be exhausted by Apr, 2012. &lt;br/&gt;Although the OECD report is fascinating reading, it’s too detailed for most non-technical managers. 
Fortunately, there have been recent articles that put the report into a perspective that businesses can understand.&lt;br/&gt;Carolyn Duffy Marsan’s article “&lt;a href=&quot;http://www.networkworld.com/news/2010/041310-reasons-to-support-ipv6.html&quot;&gt;Reasons for supporting IPv6 continue to pile up&lt;/a&gt;” in Network World discusses the practical implications: “only 5.5% of the world’s addressable IP networks can handle traffic over IPv6.” And although some major website operators, such as Google and Netflix, are adopting IPv6, only 1.45% of the world’s 1,000 most visited websites presently support IPv6. &lt;br/&gt;In ComputerWorld, &lt;a href=&quot;http://www.computerworld.com/s/article/347937/The_Grill_John_Curran&quot;&gt;Robert L. Mitchell interviewed John Curran&lt;/a&gt;, the president of the American Registry for Internet Numbers (ARIN). One question addressed a crucial issue: “Sounds like an ISP problem. Why should businesses care?” The answer is nuanced. Through transition mechanisms called “translation” or “tunneling,” it should be possible for your IPv4 customers to connect to your IPv4 website after the switch to IPv6—assuming the translation and tunneling are properly configured. The deciding factor may come down to performance: all the new growth and developments will be happening on the IPv6 part of the Internet. Who wants to be left sitting in a slower moving “Internet backwater?”&lt;br/&gt;Curran also reminds us that all the major operating systems, routers, and firewalls already support IPv6. The challenge will be configuring and enabling what already exists. 
Another interesting question is what other infrastructure may need to be changed: for example, most help desk software understands an IPv4 address (192.168.23.142), but may need to be changed to understand an IPv6 address (3ffe:0501:0008:0000:0260:97ff:fe40:efab).&lt;br/&gt;For organizations that need help creating a migration plan, &lt;a href=&quot;http://www.ipv6actnow.org/&quot;&gt;IPv6 Act Now&lt;/a&gt; can provide valuable assistance. For enterprises, they suggest six points to consider:&lt;br/&gt;	-	Check that your Internet Service Provider (ISP) can fill your IPv6 requirements&lt;br/&gt;	-	Organize IPv6 connectivity and address space&lt;br/&gt;	-	Carry out a hardware and software audit to determine the compatibility of existing technologies with IPv6&lt;br/&gt;	-	Configure your routers, other hardware, operating systems and applications before IPv4 addresses run out&lt;br/&gt;	-	Train staff to deploy and manage IPv6&lt;br/&gt;	-	Rewrite any of your own applications that store IP addresses to be IPv6 compatible&lt;br/&gt;A final point from IPv6 Act Now: “the longer a business waits to adopt IPv6, the more expensive it will be.”&lt;br/&gt;—Jim Herbeck </description>
      <enclosure url="http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/5/1_IPv6_Wakeup_Call_files/IPv6.png" length="5604" type="image/png"/>
    </item>
    <item>
      <title>PWC Global State of Information Security 2010</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/4/1_PWC_Global_State_of_Information_Security_2010.html</link>
      <guid isPermaLink="false">c0ec52b8-66e4-471b-a118-b48459840e26</guid>
      <pubDate>Thu, 1 Apr 2010 07:00:22 +0200</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/4/1_PWC_Global_State_of_Information_Security_2010_files/PWC.GSIS.Cover_1.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Management-Awareness/Media/object015_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:233px;&quot;/&gt;&lt;/a&gt;In mid-2009, CIO magazine, CSO magazine, and PricewaterhouseCoopers conducted the seventh annual “Global state of information security” survey. With over 7,200 respondents from 130 countries, it makes for interesting reading. &lt;br/&gt;The results were published in Bill Brenner’s article “&lt;a href=&quot;http://www.cio.com/article/504837/Why_Security_Matters_Now&quot;&gt;Why Security Matters Now&lt;/a&gt;” at cio.com on Oct 15, 2009. A reprint from CIO magazine entitled “&lt;a href=&quot;http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_cio_reprint.pdf&quot;&gt;Why Security Matters Again&lt;/a&gt;” is available as a PDF online. The survey was published more recently as “&lt;a href=&quot;http://www.pwc.com/gx/en/information-security-survey/index.jhtml&quot;&gt;The Global State of Information Security Survey 2010&lt;/a&gt;” at the PricewaterhouseCoopers website.&lt;br/&gt;The survey notes four trends:&lt;br/&gt;	•	Trend #1: The promise and peril of social networking&lt;br/&gt;	•	Trend #2: Jumping into the cloud sans parachute&lt;br/&gt;	•	Trend #3: Insourcing security management&lt;br/&gt;	•	Trend #4: A new corporate commitment&lt;br/&gt;I particularly liked the discussion of how businesses should balance the risks of new technologies (such as social networking or cloud computing) with business requirements. While aspects of the technologies may be compelling, it’s still the business’s responsibility to ensure the security of information assets. 
The list of computer security risks associated with cloud computing (below) would be a good starting point for any discussions you have with management about “cloud security.”&lt;br/&gt;[Figure: “Cloud Computing Security Risks,” from “Why Security Matters Again,” CIO Magazine reprint, p. 5]&lt;br/&gt;This report is an excellent, authoritative source for a 4-6 slide “Management Awareness” presentation for your senior management. In the report’s final paragraphs, it notes that the executives surveyed “have agreed, finally, that security can’t be ignored.” Hopefully, your senior management will be in agreement. &lt;br/&gt;—Jim Herbeck</description>
      <enclosure url="http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/4/1_PWC_Global_State_of_Information_Security_2010_files/PWC.GSIS.Cover_1.jpg" length="151537" type="image/jpeg"/>
    </item>
    <item>
      <title>E&amp;Y 2009 Global Information Security Survey</title>
      <link>http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/3/1_E%26Y_2009_Global_Information_Security_Survey.html</link>
      <guid isPermaLink="false">e2a9bddd-387f-4fd0-92b9-861049212fbf</guid>
      <pubDate>Mon, 1 Mar 2010 07:00:07 +0100</pubDate>
      <description>&lt;a href=&quot;http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/3/1_E%26Y_2009_Global_Information_Security_Survey_files/EY-2009.GISS.Cover.jpg&quot;&gt;&lt;img src=&quot;http://NouvelStrategies.com/E/Management-Awareness/Media/object002_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:175px; height:248px;&quot;/&gt;&lt;/a&gt;In case you missed it at the end of 2009, be sure to read &lt;a href=&quot;http://www.ey.com/Publication/vwLUAssets/12th.../12th_annual_GISS.pdf&quot;&gt;Ernst &amp;amp; Young’s 12th annual Global Information Security Survey&lt;/a&gt;, released Nov, 2009. The title of the report, “Outpacing change,” will resonate with many information security professionals. The 28-page report and a &lt;a href=&quot;http://www.ey.com/US/en/Newsroom/News-releases/Former-employees-a-growing-IT-security-threat&quot;&gt;press release&lt;/a&gt; announcing and summarizing the report are available online from Ernst &amp;amp; Young.&lt;br/&gt;When talking to senior management about information security, I like being able to reference reports produced by the big four accounting firms. 
Even if senior managers don’t care what their information security staff thinks, they do pay attention to what their external auditor may be thinking about information security, as it may affect this year’s audit.&lt;br/&gt;One early observation from the Ernst &amp;amp; Young report is that “information security is not immune to external economic forces and must find ways to improve efficiency and effectiveness while keeping spending to a minimum.” Being able to demonstrate how your security program has improved its efficiency in 2009—in line with Ernst &amp;amp; Young’s observation—could be an important reassurance to offer management.&lt;br/&gt;From another section of the report, it may be important to inform your senior managers that 50% of 1,900 survey respondents indicated that “improving information security risk management is the top security priority over the next year.” If that’s not the current thinking in your organization, management may want to consider how they will justify this lack of interest, if asked by their auditors.&lt;br/&gt;Finally, depending upon the objectives for your security program in 2010, there are many “gems” in the report. For example, if your organization faces challenges getting the HR and IT Department working together to create a functional termination policy and process, consider that the survey found that “75% of respondents revealed that they are concerned with the possible reprisal from employees recently separated from their organization.” &lt;br/&gt;Information security surveys published by non-IT or non-information security sources are influential with senior management. They’re also usually written in non-technical language that’s easier to understand. Make sure you don’t miss the opportunity to share reports like this Global Information Security Survey with your senior management. 
Consider preparing a 4-6 slide presentation that summarizes the most relevant points of the report and offering to present it at your next “Management Awareness” session. &lt;br/&gt;—Jim Herbeck </description>
      <enclosure url="http://NouvelStrategies.com/E/Management-Awareness/Entries/2010/3/1_E%26Y_2009_Global_Information_Security_Survey_files/EY-2009.GISS.Cover.jpg" length="105570" type="image/jpeg"/>
    </item>
  </channel>
</rss>