CIOs have added a new word to their professional dictionaries. "The verb 'Targeted' has now entered the CIO lexicon," Peter Burris, analyst at Forrester Research, said at the recent MIT Sloan CIO Symposium in Cambridge, Massachusetts. The reference to the 2013 Target Corp. breach represents a subtle change in how IT is talking about security and risk management these days. But there's another CIO locution he has picked up on that suggests a bigger change in how CIOs view the state of enterprise security, namely: We've already been breached; we just don't know it yet.
The language reflects a new pragmatism on the part of the executives in charge of information strategy, according to Burris: "Protect everything" has given way to figuring out how to protect a company's most valuable assets once the inevitable happens.
What CIOs may not know is that their C-suite peers need to be let in on their new world view. This was evident at another recent gathering of top corporate executives here in the Boston area -- the 2014 CFO Technology Conference, sponsored by the Boston chapter of the CFO RoundTable. Attendees peppered IT security experts on the topic -- from basic questions on breaches to specific inquiries on how to establish security in a software as a service (SaaS) world. Here are five questions attendees had.
1. When is enough security enough?
"That's a risk culture discussion," Harold Moss, director of security, strategy and emerging technology at EMC Corp. in Hopkinton, Massachusetts, said. "Every organization has a different risk appetite." While that's true, he suggested businesses consider regulatory constraints as well as non-regulatory factors, such as how much damage a breach can cause the brand. Just look at Sony. The company's 2011 breach of its online gaming network cost a pretty penny, but Sony also sustained damage to its reputation, which resulted in the loss of both customers and employees, he said. "You need to stop, step back and say, 'What is this really going to cost the organization?'"
Smaller organizations may have an easier time than their larger counterparts in drawing the "enough is enough" line. Larger organizations must sort out with data owners and those responsible for business operations what data they have, what the realistic risk to that data might be, and how much it costs to protect that data, according to John Worrall, chief marketing officer for CyberArk Software Inc. in Newton, Massachusetts. "It's really difficult to get all of that information," he said, but especially for large organizations with many decision makers.
2. Can IT do an inventory of all the apps (e.g. Dropbox and Basecamp) employees are using at work?
Moss pointed to companies, such as the Los Altos, California-based Netskope, which give businesses insight into their employee app inventory. The software sits outside of a company's firewall and "tracks where people are going," what apps they're using and who is using them most frequently, he said.
CIOs at the MIT Symposium got similar advice on how to track app usage. Brian Lillie, CIO at data center provider Equinix Inc. in Redwood City, California, pointed to a whole host of startups popping up in this space, such as Cupertino, California-based Skyhigh Networks. "They do a risk score across almost 40 attributes by cloud services," he said. One better? CIOs can approve and even block usage of an application using the technology.
3. How can organizations shut down access to SaaS applications once an employee leaves?
"A lot of these applications have audit trails," said Gil Zimmerman, CEO and co-founder of CloudLock Inc. in Waltham, Massachusetts. IT can either "weed through" the audits manually or invest in a tool to keep tabs on who's using what and where. But SaaS audits aren't just for employees making an exit.
"It's about people moving inside of your organization," Zimmerman said. When he worked at EMC and transitioned from managing investor advocacy programs to another department in 2003, he retained his original permissions, which gave him access to information he no longer should have had access to.
"Permissions are easily granted, and it's rare they are revoked," Zimmerman said. "You have to actively be looking at who needs access to what all of the time." In other words, think compartmentalization. (For the record, that issue at EMC has been corrected, Moss said.)
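The failure mode Zimmerman describes -- entitlements approved for one role that quietly survive a move to another -- is exactly what a periodic access review should catch. The script below is an added illustration, not code from the article or from any vendor named in it. It assumes a hypothetical directory export (user to current role) and a hypothetical list of grants that records which role each grant was approved for; with those two inputs it flags grants held by departed users, grants approved for a role the user no longer holds, and grants older than a re-certification window.

```python
"""Stale-entitlement review: flag grants that no longer match the holder's current role.

Added example (not from the article). Data structures and sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_for_role: str   # role/department the grant was approved for
    granted_on: date


# Constructed sample data (hypothetical): current role per user, as an HR/directory
# export would provide it, plus the outstanding grants recorded in the SaaS audit trail.
CURRENT_ROLE = {
    "user-a": "marketing",            # moved from investor-advocacy to marketing
    "user-b": "investor-advocacy",    # still in the original department
}

GRANTS = [
    Grant("user-a", "investor-advocacy-share", "investor-advocacy", date(2001, 3, 1)),
    Grant("user-a", "marketing-crm", "marketing", date(2003, 6, 1)),
    Grant("user-b", "investor-advocacy-share", "investor-advocacy", date(2002, 1, 15)),
    Grant("user-gone", "finance-db", "finance", date(2000, 1, 1)),  # no longer in directory
]


def find_stale_grants(grants, current_role, today=None, max_age_days=365):
    """Return (grant, reason) pairs for grants that need review.

    Reasons, in priority order:
      - the user is no longer in the directory (should have been revoked on exit)
      - the grant was approved for a role the user no longer holds (the 'moved
        departments but kept permissions' case)
      - the grant is older than max_age_days and is due for re-certification
    """
    today = today or date.today()
    findings = []
    for g in grants:
        role = current_role.get(g.user)
        if role is None:
            findings.append((g, "user not in directory"))
        elif role != g.granted_for_role:
            findings.append((g, f"granted for role {g.granted_for_role!r}, user now holds {role!r}"))
        elif (today - g.granted_on).days > max_age_days:
            findings.append((g, "grant older than re-certification window"))
    return findings


def access_map(grants, current_role):
    """Who currently has access to what: resource -> sorted list of active users.

    Departed users are excluded so the map reflects the directory, not the audit log.
    """
    out = {}
    for g in grants:
        if g.user in current_role:
            out.setdefault(g.resource, set()).add(g.user)
    return {res: sorted(users) for res, users in out.items()}


if __name__ == "__main__":
    for grant, reason in find_stale_grants(GRANTS, CURRENT_ROLE, today=date(2003, 12, 1)):
        print(f"REVIEW {grant.user:10} {grant.resource:26} {reason}")
    for resource, users in access_map(GRANTS, CURRENT_ROLE).items():
        print(f"{resource:26} {', '.join(users)}")
```

Run against a real export, the interesting column is the role the grant was approved for; if the audit trail does not record it, the review can only fall back on age, which is why the script treats the missing-role case separately rather than folding it into the age check.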
SaaS audit tools are part of the equation -- but only part, Moss said. When he helped stand up Pivotal Software Inc., an EMC company striving to provide a next-gen enterprise computing platform, he embraced what has become an IT security mantra: "Trust but verify."
"One of the first things we did is we started with identity, because that's the center of gravity," he said. From there, Moss "federated out" to other applications, such as Gmail, by building in authentication layers with single sign-on and gateways. The reality is, CIOs and CISOs have to find the balance between protecting corporate data and respecting the boundaries of an employee's privacy, he said.
4. Passwords: Is there a point anymore?
Panelists agreed: Passwords aren't going anywhere. But they also agreed with Zimmerman when he said "most people really stink at them." He told the CFO audience that the bare minimum their companies should consider is two-factor authentication -- which establishes identity -- and single sign-on so employees can use a single username and password for access to multiple applications. And he encouraged attendees to look into third-party single sign-on services.
Panelists encouraged businesses to educate employees on how to craft strong passwords and to cycle through them frequently, especially for those all-important IT administration accounts. For compliance reasons, IT admin passwords need to rotate every 90 days, but "that's a lifetime," Worrall said. "If an attacker grabs it on day one, he [has] got 90 days of unfettered access to that application or device."
5. How does a company know it has been hacked?
Not firsthand. The most common way people find out about a breach is from a third party, according to Worrall. "The FBI will call and say, 'We're doing a cyber-investigation, and we happened to find some of your data sitting on one of the rogue servers,'" he said. "'You may have a problem.'"
Quoting a prediction from Gartner, he believes that by 2020, three-fourths of information security budgets will be spent on "rapid detection and response approaches." That's up from less than 10% in 2012.
What tangible pieces of advice can I take back to my IT department tomorrow?
According to Worrall, CFOs and IT departments should be taking the following steps now to help keep the company's most valuable information assets from harm:
- Have a dedicated security person in your department.
- Figure out what data is really the most important to your business. One of Worrall's clients did just that and rather than rely on a sophisticated algorithm, they talked about data in simplistic terms: "If something happened to this data, and it got exposed or compromised, we'd be out of business or suffer irreparable harm," he said.
- Map out who has access to that data.