HP Inform Issue 6 '11 - EMEA.indd
from HP Enterprise Security
Issue 6, EMEA Edition

How does your security stack up?

How Mark Brown, CISO at SABMiller, brewed up a pure business focused security strategy

4C

www.hp.com/enterprise/security
The rise and rise of cyber attacks
The threat of cyber attack on enterprises and organisations is very real. Inform looks at the issues and some recent high-profile incidents.

A distilled response

4C: Consumerisation, Cloud, Cyber, Collaboration
Joining the dots between cloud, consumerisation, cyber and collaboration.

Security benchmarking
Why your competitor’s security strategy could become your best investment.

Benchmarking, long used to measure IT effectiveness, has recently started making inroads into information security thinking. But is it an effective tool for CISOs?

… in IT teams have long appreciated the value of benchmarking.

“Benchmarking has been in use in other IT disciplines for decades. Whether it was data center performance or network utilization, companies have always felt compelled to compare themselves to others. It’s part of the competitive, win at all costs mentality that pervades business,” says Mike Rothman from information security analyst firm Securosis.

Do some enterprises do security better than you? Are they getting better ROI on their security investments and enjoying simply better security efficiency? How do you compare? These questions are what security benchmarking is all about.

And it’s a subject appearing on the radar of more and more security leaders. As budgets get further squeezed across the enterprise and security professionals are expected to justify any security spend, there is a natural tendency to look outside the company’s four walls and see how competitors are performing. Most importantly, they may be achieving greater efficiencies and security effectiveness by using similar resources more effectively.

The problem for information security is that it is only just emerging as a business function akin to IT. There has been little in the way of concrete data for security leaders to measure themselves against. Some obvious questions are: How does your number of incidents compare to rivals? How does your headcount compare, and are you using your budget effectively? Yet information …

Your rivals may have innovated by using cloud services or by sub-contracting parts of their security function to outsourced …

The rise of cyber attacks
How cyber attacks took down the world’s biggest corporations and why they won’t go away.

… be perpetrated by state actors. Indeed, a recent report sponsored by McAfee revealed a startling number of cyber attacks against major institutions, businesses and defence contractors in the last five years. According to security experts at McAfee, a five-year operation it dubbed “Shady RAT” claimed 72 major organisations among its victims in a large number of countries including the United States, Taiwan, South Korea, Vietnam, Canada and the UK. According to press reports, 49 of the victims were US-based companies and government agencies.

His final comment was a wake-up call for anyone who perhaps does not yet feel that cyber is a major threat to businesses and western economies: “What has been witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth.”

Of course there are plenty of cyber attacks that are financially motivated, and these seem to be getting bigger and more ambitious in scale, intent on industrial levels of data theft and attacking some of the world’s biggest brands. Probably the most notorious recent attack was that on the …

Realities of Cyber

… stolen. It was hit again in August when its Japanese division Citi Cards Japan (CCJ) said that personal information of 92,408 customers had been breached.

These are big numbers and big names which prove that major cyber attacks are here to stay, but if that was not enough to be concerned about, the picture is complicated further by the rise of “hacktivism”. Politically motivated hacker groups such as Anonymous and LulzSec have emerged in the last 18 months. They use denial of service and website defacement as a means to attack those businesses they deem …
Did I just send that file to the wrong person?
Check Point DLP prevents data breaches before they occur
Have you ever accidentally sent an email to the wrong person or attached a document that wasn’t meant to be shared? Check Point makes DLP work by combining technology and processes to move businesses from passive detection to prevention, before data breaches occur.
PREVENT data loss. EDUCATE users. ENFORCE data policies.
HP Enterprise Security
www.bit.ly/hpcheckpoint
©2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, the Check Point logo, and Check Point Endpoint Security Full Disk Encryption are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
In this edition
4 News – Security news from leading vendors and events around the world.
8 The Four Cs – A look at the relationship between consumerisation, cloud, cyber and collaboration.
13 Roundtable – Tom Reilly, former CEO of ArcSight, and Andrzej Kawalec, former CTO of Vistorm, discuss enterprise security.
16 Interview: Mark Brown – The CISO of SABMiller talks candidly about effecting change within the brewing giant’s security function.
18 The rise of cyber attacks – The changing nature of cyber attacks against big business and the growth of “hacktivism”.
20 Social Networking – How CISOs need to use an enlightened approach to deal with social networks.
20 CISO Club – Exclusive findings from the latest gathering of HP’s CISO Club in the UK.
22 Q&A: Steve Durbin – Global VP of Information Security Forum (ISF), is in the hot seat.
24 Security insights – A guide to some leading security research findings from across the world.
25 How does your security stack up? – Security benchmarking is an emerging science that can improve your security stance.
Foreword
Welcome to another edition of Inform,
which I’m very pleased to say is now
being distributed across the Americas
as well as the EMEA region. In terms of
business security, it’s proved quite an
eventful year so far with high profile
cyber attacks on some of the world’s
biggest brands and the continued rise
of so-called “hacktivism”.
Some commentators accuse us in
the industry of exaggerating the
cyber threats to global businesses
and organisations but, as our feature
“The rise of cyber attacks” (page 16)
demonstrates, the threat level is very
real. Attackers are not only getting
bolder in selecting their targets but
becoming more aggressive in carrying
out their attacks.
Along with its partners and the advanced security technologies it has developed and acquired, HP also has the global presence to do a great deal to reduce the risk of its customers falling victim to major attacks. Indeed, two of our leading information security experts, Tom Reilly, former CEO of ArcSight, and Andrzej Kawalec, former CTO of Vistorm, feature in this issue (Roundtable, page 10) discussing what they see as the best technologies to fight back against the criminals and hackers.
Of course, as a reader of Inform you know better than most that the role of the CISO is constantly being challenged to deliver effective business security – in ROI terms as well as incident-free. An emerging discipline is that of security benchmarking, which more security leaders are starting to deploy to measure how they stack up against peer groups. It’s a fascinating area and one that is sure to grow as budgetary pressures increase on CISOs. Read our introduction to the science of security benchmarking on page 25.
We look at another new security
philosophy that we are pioneering here
at HP by analysing the relationship
between what we have dubbed “4C”.
This is cloud, consumerisation, cyber
and collaboration – the megatrends
in IT and IT security which are likely to
drive every decision that CISOs and
security leaders will make from now
on. But as our feature makes clear, it is
the symbiotic relationship between the
four that is the key to creating a secure
business as these trends take hold.
Read more on page 8.
Theory is, of course, all very well, but nothing can substitute for real-world practice and experience, and no issue of Inform is complete without our main interview. This issue we feature Mark Brown, global CISO for brewing giant SABMiller – an $18bn business that has operations across Africa, Asia, Australasia, Europe, North America and South America. Brown explains how he transformed the company's security practice into a truly business focused operation as the company prepares for future growth.
I’ve not even had space to mention all
our regular features which just goes to
show what a packed issue this is. I hope
you enjoy it.
Dan Turner
VP Enterprise Security
Issue 6 2011 | EMEA Edition
Published by HP Enterprise Security
Web: www.hp.com/enterprise/security
For enquiries about Inform, please contact robert.wood@hp.com
Produced by: www.crisp-design.co.uk
Edited by: PF&A
Cover photography: Ivan Jones
If you would like to subscribe to Inform Magazine please contact us at infosecurity@hp.com
The third party views expressed in this magazine are
those of the contributors, for which HP Enterprise
Security accepts no responsibility. Readers should
take appropriate professional advice before acting
on any issue raised. Reproduction in whole or in
part without permission is strictly prohibited.
© 2011, Hewlett-Packard Development Company, L.P.
All Rights Reserved.
When you have finished with this magazine please recycle it.
News
Check Point
Check Point enhances 3D security with
latest software blades release
Check Point has announced the availability of Check Point
R75.20, the latest software release for its leading Software
Blade Architecture. The new release includes a new URL
filtering software blade that integrates with Application
Control for unified enforcement of all Web controls.
R75.20 enables businesses to inspect SSL-encrypted traffic across all software blades, providing in-depth security analysis and data loss prevention services for applications such as Gmail, eBay and Facebook.
It also further extends the Check Point DLP solution that
now enables customers to protect against internal data
leaks. It integrates with Microsoft Exchange, allowing
businesses to inspect data sent within the organization to
prevent data breaches.
www.checkpoint.com
ACEInsight.com
A new tool that instantly checks websites
According to research, when visiting the top 1,000 global websites you are usually no more than two clicks away from malware. Meanwhile more than 70% of today's online threats are found on legitimate websites.
To help counter this, Websense is offering ACEInsight.com, a free service that provides instant website safety data. The tool is designed to help users check out new, unfamiliar, or suspicious sites.
The site gives in-depth analysis in 10 categories: site details, website categorisation, security categorisation, site popularity, reputation, geo-location, antivirus, JavaScript de-obfuscation, site redirects/link analysis, and Twitter details.
www.aceinsight.com
www.websense.com
Check Point
Two Check Point announcements
raise the bar in data centre
performance and security
Check Point has announced the launch of its new 21400
Appliance that it says combines high-speed networking
technologies with lightning fast firewall throughput
of up to 100 Gbps and IPS throughput of up to 21 Gbps
(default profile).
Check Point says that the 21400 is designed to optimize
a full range of software blade protections, providing
large enterprises and data centres with industry-leading
security and performance.
The company also introduced SecurityPower, a new tool designed to measure security performance which allows ‘customers to estimate their security needs and compare it to the Security Power Units (SPU) rating of each security solution’.
The company says that for IT administrators, measuring
raw throughput (Gbps) of a security device rarely
indicates its behaviour in a real-world environment
using different security technologies to protect the
network. Instead SecurityPower is said to estimate the
performance needed in various customer scenarios,
enabling customers to choose a gateway that meets
their exact needs with enough power and room for
future growth.
“SecurityPower gives companies a clearer picture of
how to measure performance needs in hardware, with
the security needs from the software. It’s a smart and
insightful concept that will help businesses better plan
for future capacity and spend on security,” said Chris
Christiansen, Vice President, Security Products and
Services at IDC Research.
www.checkpoint.com
4 2011 | Inform – Issue 6
Learn. Earn. Enjoy at www.mcafee.com/dealregistration
Vendor News
Websense
Websense TRITON gets
press review plaudits
Two of the UK’s leading technology publications recently awarded their
highest scores to Websense TRITON Security Gateway Anywhere.
SC Magazine awarded 5/5 stars for features, ease of use, performance,
documentation, support and value for money. They concluded that
the solution delivers a remarkable range of web, mail and data security
functions, intuitive centralised management, and tough data leakage
controls. The verdict read simply, ‘Websense delivers a superb range of
sophisticated web, mail and data security features that are easily managed
and look unbeatable value.’
Scoring 6/6 stars, IT Pro’s verdict read, ‘Mid-sized business and enterprises
looking for a single appliance to take care of all their network security needs
will find Websense’s TSGA ideal as it combines a remarkable range of web,
mail and data security features with excellent performance. Websense’s
TruHybrid is compelling with both the on-premises and SaaS cloud services
seamlessly integrated into the well designed central management console.’
www.websense.com
McAfee
McAfee security software for Android pre-loaded on new Sony Xperia handsets
McAfee has announced that its technology for mobile platforms will be
offered as standard on Sony Ericsson’s Xperia mini pro and forthcoming
Xperia pro smart phones.
The software enables users to locate a missing handset with alarm
and location tracking, prevent misuse with remote lock and wipe and
preserve important memories and personal data with remote back-up
and restore, even from a lost or misplaced phone. McAfee Mobile Security
also protects against the risk of malware that originates via email, instant
messaging and Internet downloads.
“Smart phones represent one of the most significant technological
developments of our time. Today’s devices boast far more functionality
than many early PCs, but with malware targeting mobile devices growing
quarter-on-quarter, there is also the risk of these devices being hacked
or infected. The availability of this technology is an important milestone
in protecting both the phone itself and the data on it,” said Todd Gebhart,
Co-President, McAfee.
www.mcafee.com
McAfee
McAfee enhances deal
registration program to
boost channel partner
growth
McAfee has announced
enhancements to its Commercial and
Enterprise deal registration program.
This program rewards partners for
securing incremental new business.
The enhancement is based on a
successful pilot where participating
partners experienced increased
margins and faster approvals.
“This is the largest investment in
partner profitability in the company’s
history, confirming our commitment
to channel partner profitability,” said
Alex Thurber, senior vice president of
worldwide channels at McAfee.
“We continue to aggressively
evolve our partner programs
and incentives because
the opportunity to secure
the connected world with
our partners and for our
customers has never been
greater. Today we are
changing the game and
setting a new standard in
margin protection within the
security industry.”
http://www.mcafee.com/dealregistration
ACCELERATE PROFITABILITY
Our Enhanced Deal Registration Program delivers a margin enhancement of up to 25%
Industry News
Aftermath of UK summer riots sparks
controversy over BlackBerry and social
media role
The role of the BlackBerry Messenger (BBM) service in the looting and riots that convulsed Britain during the summer was questioned by police and government officials in the immediate aftermath. It was alleged that the service was used to direct looters and outwit the police.
In a blog post, BlackBerry said that it had ‘engaged with the
authorities to assist in any way we can' and was working to
comply with the UK Regulation of Investigatory Powers Act
and was co-operating fully with the Home Office and UK
police forces.
The blog post was later defaced by someone calling themselves ‘TeaMp0isoN’, who said that RIM ‘will not assist the UK police because if you do, innocent members of the public who were at the wrong place at the wrong time and owned a BlackBerry will get charged for no reason at all’.
At the height of the trouble there were calls for BlackBerry
and other networks to be switched off, but in the event this
did not happen.
Twitter was also allegedly used by rioters to co-ordinate
attacks but this has yet to be proven. The use and role
of smart phones and social networks in social unrest will
undoubtedly be analysed and could yet be subject to
restrictions leading to a debate about Internet and data
freedom in the UK and beyond.
Mobile solutions provider data shows
rapid consumerisation driven by iPads
Californian mobile solutions provider Good Technology
has issued a report that it says demonstrates the
changing landscape of IT and mobile enterprise
technology among its customers. According to the
company the trend of personal smart phones and tablets
infiltrating the workplace is being led by both Apple's
iOS and Google's Android smart phone platforms.
However, for the first time ever, the company saw more iOS
tablet (iPad and iPad 2) activations than the total number of
Android smart phones activated in the second quarter of 2011.
“While Android may be gaining smart phone market
share with consumers, our business users are clearly
gravitating to the iPad and doing so in large numbers.
This is especially true in the Financial Services sector,
which drove nearly half of all our iPad activations
over the quarter,” said a company spokesperson.
http://www.good.com/resources/Good_Data_Q2_2011.pdf
US confectionery giant is hacked and
recipe altered
In an unusual attack, American confectionery giant Hershey had one of its secret recipes altered by hackers, amid fears that passwords and email addresses of consumers may also have been lost as they were on the same server.
However the company was quick to react and it said
in a statement that there was no indication that the
data had been accessed. It said: “Consumers rely on
us for this information, and we take the quality of
our baking and cooking recipes very seriously. We
have corrected the issue and taken steps to enhance
the security of this information. We have thoroughly
investigated the situation and reviewed the recipes on
this site to ensure their quality.”
Hacktivist groups target US police
forces as part of ongoing campaign
The summer saw self-styled “hacktivist” group
Anonymous attack US police forces as part of a
campaign to undermine the arrests of some of its
alleged members and an alleged member of the
LulzSec hacker group.
Anonymous claimed it had released more than 10GB
of private police emails, training files and personal
information in an operation it named ‘Shooting
Sheriffs Saturday'.
It said that the information contained over 300 email
accounts from 56 law enforcement domains, 7,000
user names, passwords, home addresses, phone
numbers and social security numbers, online police
training academy files and a compilation of ‘Report a
Crime' names.
In a statement that reflected the group's growing
militancy, it said the release was intended to
embarrass, discredit and incriminate police officers
across the US and that it had no sympathy for any of
the officers or informants who may be endangered by
the release of their personal information.
The emails originated from police forces in Arkansas,
Kansas, Louisiana, Missouri and Mississippi, with many
of the websites operated by Arkansas-based media
services hosting company Brooks-Jeffrey Marketing.
It’s time for technology to bend to our will. To be user not device-centric. To free potential and open up new business possibility. It’s time for User Virtualization. By unlocking the user-layer from any device, operating system or application, you manage a single user instance. The result? Enterprises are re-writing the economics of their IT, massively increasing productivity and accelerating initiatives like Windows 7 migration, BYO and cloud computing. Interested? You’re only human.
www.appsense.com
I am at the center of everything
4C: Consumerisation, Cloud, Cyber, Collaboration
How 4C thinking is the future for IT professionals and provides opportunities for global CISOs.
It’s unlikely that any CISO would deny that each of the 4Cs listed in the title is a credible security trend individually, but they may not have made the connection between them and how the relationship between each can actually lead to advanced business security thinking.
Let’s start with a survey. When
Information Week published its 2011
End User Device Survey, one of its
top line findings was that: “dissolving
fears around consumerisation are
dramatically changing IT and its
relationship to the enterprise”.
It also stated that some clearly
defined trends are reshaping IT in
wider terms, in other words, the rush
to mobile and advanced consumer
devices. The effect this is having on
the enterprise is profound.
At the same time the survey revealed that some things have remained the same: 51% of CIOs still equip the majority of their users with “fat” desktops. It found that many IT managers were “trapped” in a three-year replacement cycle treadmill. So things are changing but also staying the same – what’s going on?
Consumerisation
Part of the answer is that
consumerisation and cloud are evolving
very quickly and that too many CIOs
and CISOs are floundering by sticking
to an enterprise IT culture that
stubbornly refuses to acknowledge
these trends – to the enterprise’s
ultimate commercial disadvantage.
At the same time the picture is
further complicated by IT leaders who
want to change but are frustrated
at their inability to embrace cloud
and consumerisation and shift
to full 4C thinking. These leaders
know that consumerisation is
potentially low cost which allows
for IT experimentation (according to
Information Week’s survey 66% of
respondents spend more than 10% of
their IT operating budgets on end user
devices, 23% spend more than 21%).
Meanwhile figures just released
by Gartner show that worldwide
sales of mobile devices to end users
totalled 428.7 million units in the
second quarter of 2011, a 16.5%
increase from the second quarter of
2010. These devices will be entering
the enterprise regardless – there
is no doubt about that. Adopting
and enhancing consumerisation
is therefore a key part of moving
towards 4C.
Cloud
Cloud is the technology that many security professionals love to hate and, it must be admitted, so do a lot of regular IT professionals. Yet they cannot ignore that the business benefits are all there: cost reduction, flexibility, new ways of working, enhanced storage and mobile access to data.
Yet the reluctance of many IT leaders is based on two fears: loss of control and lack of data visibility, both of which lead to significant risk exposure.
But to embrace the 4C they need
to overcome this fear because, as
with consumerisation, they can. The
secure cloud is possible now and
possible in configurations and options
that leave legacy architectures
miles behind.
In an article for IDC, analyst Jean
Bozman says that: “next-gen
cloud computing decisions will be
designed to scale up, and scale
down, on-demand—and to allocate
resources across a ‘grid’ or ‘array’
of pre-constructed building blocks
developed by the service provider.
It will also demand a careful
evaluation of the customer’s
inventory of enterprise applications,
to determine which ones could
be moved to cloud computing”.
Needless to say this will need to be
done securely but the key is flexibility
and instant scalability – something
that is simply not possible with legacy
systems. The world's leading cloud
providers do, however, have the
expertise to make this happen.
Cyber
The security concern is why cyber
is central to 4C strategies. Nothing
can happen in IT today without
consideration of cyber threats, which
can be simply defined as any attack
launched against a business via its
total IT architecture. This includes
financial attacks, IP theft, denial of
service and politically motivated
attacks. Cyber is a constant threat to
business continuity.
The financial implications on their own are disturbing. The Organisation for Security and Cooperation in Europe (OSCE) has estimated that cyber crime theft amounts to $100 billion annually. Cloud and consumerisation simply cannot function unless security is integrated within the enterprise stack.
Collaboration
Which brings us to collaboration, potentially the most revolutionary and innovative part of 4C, pulling IT, as it does, permanently out of its remaining silo. Treating IT and information security as a business enabler was just a start. It must now be a fully collaborative part of the business, not just in IT terms but right across the enterprise.
Collaboration will also cross outside
the enterprise to customers, partners
and outsourced suppliers through
the use of advanced tools such as
security analytics and business
intelligence systems. Through these
IT leaders can develop reporting that
improves functionality, processes and
efficiencies in departments previously
considered alien to IT engagement
such as Marketing (including social
media), Finance and HR.
IT cannot be an end in itself. It must serve the business and encourage employees to be innovative in their jobs. If the CIO and CISO cannot embrace innovation, how can others?
Too many IT leaders have got bogged
down in rules, fixed thinking and
keeping to their own self imposed
restrictions. This is even truer of
the IT security departments. Many
IT people have forgotten that they
are in charge of the one department
that has the means to innovate
and use technology to benefit
the business like no other. They
can be enablers and deliverers.
The connectivity of 4C is a unique
opportunity to do just that.
The final word goes to Information
Week: “Cloud and consumerisation
have (hopefully) taught us that
business technology decisions are
negotiations rather than edicts. The
end user device paradigm shift offers
significant opportunities for business
technology innovation, but you’ll miss
out if you’re purely focusing on span
of control and defensive IT.” Time to
think 4C. •
References
Information Week 2011 End User Device Survey: http://bit.ly/mFb8to
Gartner report “Market Share: Mobile Communication Devices by Region and Country, 2Q11”: www.gartner.com/resId=1764117
Cloud Computing for the Enterprise Steps Forward: Lessons Learned and Key Takeaways – IDC, Jean Bozman: http://bit.ly/ori6Rz
Face to face: Tom Reilly and Andrzej Kawalec
Tom Reilly, former CEO of ArcSight, and Andrzej Kawalec, former CTO of Vistorm, talk openly about HP’s vision and strategy in Enterprise Security. These two leading security gurus discuss the changing face of information security and how emerging technologies will assist the CISO.
Inform kicked off the discussion
by asking what have been the
most significant developments in
information technology in the last
few years and conversely in the types
of threats to the enterprise. Andrzej
has little hesitation in listing social
media and mobile technology at the
top of his list.
“It’s causing us as individuals to
fundamentally change the way
we live – how we work, rest and
play. At the same time it’s causing
organisations to find ways to exploit
and govern this explosion of access
and content. The commoditisation
of hacking tools has also changed
the economics and demographics
of the industry. Where the industry
was once defined by a small number
of expert threat actors, we now find
ourselves in a situation where easy
to use hacking tools and code can be
bought off the shelf,” he says.
Tom Reilly agrees wholeheartedly with
this assessment: “The sheer scale of
attacks in the last few years has been
astonishing. We have witnessed the
growth of cyber attacks which have
been politically and even militarily led
and the arrival of Advanced Persistent
Threats (APT).”
“Yet security tends to follow
IT innovation – we’ve had
mainframe to client, then the
internet, onto the cloud and
now mobile. As we get more
threat vectors exploiting
these changes we need
more innovation to beat the
criminals. But like any type of
crime it will not go away – it
just gets smarter so we have to
be smarter too,” says Reilly.
So what is HP bringing to the table in
terms of technology, to help CISOs
get an edge on the cyber criminals
and hackers knocking at the door?
What can they expect?
“HP is unique in its ability to meet
these converging mega trends –
increasing cyber threat, rise of mobile
and social media and the changing
cloud delivery models. No other
organization has the capability or
scale to understand the information
security challenges facing
enterprises,” says Kawalec.
“Right from the consumer interaction
via phone or HP TouchPad to Cyber
Situational Awareness through our
leadership in cloud and data centres,
HP can offer real insight into how
to protect information assets and
enable business growth,” he adds.
Tom Reilly says that HP is developing
defence in depth technologies
with Security Intelligence and Risk
management to enable customers
to get the earliest indication of
attack. “We are investing heavily in
this. Technology will always give an
edge yet it’s still also about people
and processes. Unfortunately we
have a shortage of skilled security
professionals. In our industry we can’t
hire fast enough!” he says.
Reilly adds that HP Universal Log
Management enables integration
between its Security Projects so
the company can understand the
value of assets as they come under
attack. “HP is one of the few that can do this because of our resources. For example, our Digital Vaccine labs will be leveraged across recent acquisitions ArcSight, TippingPoint and Fortify. We are an IT Operations Solution provider as well as an IT security solutions provider,” he says.
Kawalec adds that HP’s acquisitions mean it can integrate the delivery platforms and technology to give greater access to real-time information and correlated
monitoring. “We can start to build
what we call Enterprise Security
Intelligence. We are working towards a
vision which allows our clients to take
a snap-shot view of their security
threats and performance, whilst being
able to measure security risk against
their business objectives,” he says.
Both men say that they work very
closely with the CISOs at some of the
world’s most important companies and
this helps them understand firsthand
what they need in terms of solutions,
how to deliver them and what
professional challenges they have.
“Our CISO Customer Advisory Board
discusses the latest types of attack
and innovations they use to stop
them. The challenges for CISOs are
insufficient funding and boardroom
awareness for investment. They also
need providers to give them the tools
and the technology to relieve the
risks. Most of all they want ways to
be proactive rather than reactive.”
says Reilly.
Kawalec agrees. “My development
teams have two very clear objectives
in mind when we build new services
for the CISO. Firstly, how can we
enable the CISO to give the board
the confidence that the correct
security investments are being
made? Secondly, how do we increase
the operational control that the
CISO has over the data, services and
infrastructure under their influence?”
he asks.
“It’s also about being able to invest in
answering the questions we haven’t
yet asked – the so-called unknown
unknowns. This is the value we get
from our close working relationship
with HP Labs. For example: What
are the economics of Security? How
much will human factors influence
the development of security
technology? We actively work with
our CISOs to develop practical
methodologies and solutions that
address business needs.”
says Kawalec.
Security Information and Event
Management (SIEM) is now very
much part of HP’s line of advanced
security solutions thanks to the
acquisition of ArcSight. How
important are such systems
likely to become in the future?
Andrzej Kawalec: “The pure explosion
in terms of devices and volume of
data demands that SIEM systems are
able to act in a much more intelligent
and semi-autonomous way. Being able
to provide first line analysis and triage
as part of an integrated response
will be increasingly important. The
SIEM space will also continue to be
stretched by the rapid changes to
working practices, technology and
evolving business models – thinking
about how SIEM can work in a cloud
environment, or across services and
devices the enterprise doesn’t own,
will define the next generation of
intelligent security solutions.”
So finally, what do CISOs tell our two
experts is on their minds, and what
advice do they give them? Kawalec
says that CISOs ask themselves: “Are
we next? – and if we are, what is the
best way to respond?”
“The predominant shift I
have seen is an acceptance
that no-one is immune. CIOs
and CISOs are taking a more
rigorous and questioning
approach to their security
projects while being aware
that they have probably
under-invested in security
over the past few years.”
he adds.
“Become more proactive, minimise
your risk. Assume you have been
breached and put plans in place to
find out where. Above all take a RISK
approach to your job. Assess your
data’s value and apply accordingly.” is
Tom Reilly’s no-nonsense advice.
Kawalec ends with this: “Have a clear
and shared view about what your
optimal model for security is. Use
this view to make some bold choices
about process and architecture.
Incremental security controls will
not allow CISOs to stay ahead of the
threat or changing business models.
You need to align security to a
business level strategy”. •
Mark Brown interview
Mark Brown
The CISO at global brewing giant SABMiller
is known for being a no-nonsense,
forward thinking security professional.
Paul Fisher discovers what drives his
passion for business focused security.
Mark Brown’s security career began in 1994. He spent 11
years in the Army, ending up as an Intelligence Analyst.
In 2005 his career in the private sector began; it has
since included stints with defence contractor Harris,
risk management specialists Pilgrims Group and, in 2007,
SunGard. Then in December 2009, two career firsts
marked his appointment at SABMiller: his first CISO
position and his first time in a company that has nothing
to do with security.
So some cultural changes then and
an immediate challenge to deal with.
Brown was charged with changing
the security set up. So what was
wrong with it?
“What was wrong?” he says to me.
“There wasn’t one. It’s as simple as
that!” It seems that SABMiller’s CIO
had decided that it was time for a
shake up, as Brown explains.
“SABMiller was moving from a
federated business model to a
centralised global model, and there
was a need to change the culture
and capability of employees within
the central team. There was a total
reappraisal of what the security team
should be.” he says.
Brown inherited a blank whiteboard,
a set of rules ready to be ripped up
and an expectation that new ones
would be written. What the CIO
wanted was somebody who would
move away from being a techie who
focussed on policy, to someone who
could, in Brown’s words, ask from a
business perspective, ‘What should
we be doing, and how should we
approach it?’
“That’s pretty much a unique
opportunity in this size of company,
to be able to completely reshape
what was happening to what should
be happening.” he says.
So at the beginning, Brown found
himself with his blank whiteboard,
ripped-up rule book and a single
member of staff in the shape of an
outside contractor. So what was his
main priority once he got used to this
blank canvas and the scale of the
challenge (and opportunity) ahead?
“To stop myself being fired I think is
the key one!” he says. “If you see that
your predecessor who’s been here
for six and a half years gets removed
because he’s not doing what the
business wants, you have to recognize
that is the start point.” he says.
“So I spent the first three months
getting to know the business. And
rather than me decide what I thought
the business needed, I went round and
asked the business exactly what they
needed. I developed a “state of the
nation” type report on the risks and
issues: Where have things truly been
going wrong? What’s the low-hanging
fruit? What can we change immediately
to get the quick wins and get the
business on side? What systemic
problems had to be fixed?” he says.
The results of this exercise according
to Brown were illuminating and
affected everything he did afterwards.
In particular, he says, it was a process
that confirmed that anything he did
from now on had to have a business
benefit, as he explains.
“Brand reputation is key in this
business. It doesn’t take much for the
flagship brands to be right at the top
of the game one day, and next year
to have plummeted through the sales
curve. We’re at 16 in the FTSE 100.
That brings with it responsibility.”
“So it’s moving to a risk focus
and ensuring we have an
information risk management
strategy in an operating
region which it requires us to
do. One of the pieces of work
we’ve been doing recently
is some low-level business
process modelling. When we
started talking about how the
impact of a virus on a SCADA
system runs into millions of
dollars of lost production per
hour the business quickly got
the message.” he says.
And being a global business affects
the risk position in the various
markets it operates in, one of which
is a joint venture with the Chinese
government.
“That brings with it its own challenges
of information-sharing: what do we
share; what don’t we share. We have
lots of joint ventures globally that
we have to consider. But it really
does come down to, or come back
to, understanding your business
operating model and educating your
users.” he says.
Since 2009, Brown has been able
to develop his thinking in business
led security and is increasingly
involved in corporate affairs and
brand integrity initiatives. One of
his key partnerships is now with the
Corporate Affairs Department looking
at brand reputation and what is being
said about the business externally.
This is quite a departure from the
traditional role of the CISO, let alone
the information security manager. But
Brown sees it as a natural extension
of the role.
“How do we arm the business with
the information that enables them
to respond in an educated and timely
manner? It can’t be that just in time
or just after time response but if we
can see that people are talking about
us in a negative manner we can be
proactive.” he says.
This approach is bearing fruit already
and he’s bullish about this part of
his role – he clearly enjoys it – seeing it
as a significant part of moving away
from traditional IT security business
constraints.
“Are you as a CISO happy being an IT
security officer, or do you want to be
an information security officer? And
there’s a marked difference between
the two. If you’re happy dealing with
tech, then be stuck in IT. If you want
to evolve to the business leadership
level you have to move beyond the
tech. I’ve spent more time speaking
with the rest of the business than I
do with IT. IT delivers things for me,
but I’m guiding them as to what to
deliver.” he says.
Brown says that SABMiller has a very
South African culture, one where
you have to withstand intellectual
challenge and rigour and where
anyone must be prepared to be
challenged on their thinking by senior
management.
“Most of the time it’s a case they’re
looking for you to validate and prove
the rigour behind your argument.
And certainly the times that I’ve
presented to the board it wasn’t
that they didn’t see the benefit of
it, but that they wanted to ensure
they believed in it when they were
cascading the message to the
regions.” he says.
Any CISO working across different
global markets will know it’s a
challenge keeping pace with the
varying compliance and governance.
How does Brown cope?
“This is where knowing the resources
you have at hand comes to the fore. In
my experience if country and regional
based resources are only ever viewed
as such, and not given a larger virtual
role, then it is impossible for a centrally
managed team to ever maintain an
up to date understanding of local
regulatory and compliance burden.”
“Empowerment of local resources
and ensuring that they truly
understand their role, responsibilities
and accountabilities within the
larger regional and global function
is paramount to ensure an ability to
keep up to date with ever-changing
compliance laws.” he says.
Brown has been on the security
conference circuit recently
evangelising the merits and positives
of consumerisation. He is well ahead
of the curve and doesn’t mind who
knows it. He’s passionate about it as
he explains.
“It’s the changing face of IT. Again for
me it comes back to understanding
the business operating model. Why
wouldn’t we look to use modern
technology? Why do we want to be
stuck in that very small corporate
list of approved product when, by
evaluating the risks on it, we can
embrace technology. Why would we
not look to do so?” he says.
“For me the biggest challenge
has not been how we bring in new
technology, it’s how do we enable the
traditional IT support mechanism to
handle it? It requires new thinking. It
requires a change from ‘the answer’s
no, now what’s the question?’, to
acknowledging that there is nothing
wrong with consumer devices if you’re
not in a regulated environment.”
“We now have a situation
where we have many of
our board members who
travel without their laptops.
They’re quite comfortable just
travelling with iPads. They’ve
got the ability to receive their
e-mails, to edit documents
and to re-send them. That, in
many respects, is all they’re
looking for.” he says.
But what of his peers who may share
his enthusiasm but still face a degree
of opposition and hostility? What
advice would he give them?
“A lot of the negativity in my
experience towards consumerisation is
actually that people don’t understand
the new technologies, and it’s that
non-understanding nature which
almost makes it easier to say “no we’re
not going down that path”, rather than
taking the time to actually look at the
new technologies and understand how
could this work for us. I think there is a
problem that legislation and standards
are behind the times. We almost don’t
care what the device is, as long as it
can meet a base level of compliance.
That is because it’s all about how
people can access the data from that
device.” he says.
Brown is one of the most positive
CISOs I have come across. He is more
than excited about the future, both
his as well as the future role and
development of the global CISO.
“I think there is a change in the CISOs
group. I don’t think I’m alone in this
“illuminati” group. I think they are an
enlightened 5% to 10% of CISOs who
recognize the need to move beyond
IT. In fact they nearly want nothing
to do with IT because they’re almost
hamstrung by being there.”
“So I do think I am different to the
vast majority and maybe it’s my
willingness to challenge the norm. I’m
not afraid to do that. I do understand
P&L accounts. I do understand
business strategy. I don’t think
enough of us do. I think the industry
could be well served at looking at
how we educate the new breed,
those going through the universities
now.” he says.
“Are we teaching them from a
technical perspective or are we
arming them with the business skills
that actually are the fundamentals
that they will require to be successful
in the future?” Which is a very
good question to pose from a man
who already has delivered a lot of
considered and effective answers at
SABMiller. •
The rise and rise of cyber attacks
The threat of cyber attack on enterprises and organisations is very real.
Inform looks at the issues and some recent high-profile incidents.
According to a report in The Guardian,
the UK Ministry of Defence blocked and
investigated more than 1000 potentially
serious cyber attacks in 2010. In a June
2011 speech to the London Chamber of
Commerce the Defence Secretary Liam
Fox told business owners that between
2009 and 2010, security incidents more
than doubled.
He said that government was unlikely
to be successful in defeating such
attacks on its own. He made the very
good point that in cyberspace the
boundaries between government,
business and individual users are
increasingly blurred – part of the social
trends that have led to consumerisation
and a shift in working practices.
"We now see weekly reports of cyber
attacks against businesses, institutions
and networks used by people going
about their daily lives. The cost to
the UK economy of cyber crime is
estimated to be in the region of £27bn
a year and rising. These are attacks
against the whole fabric of our society.
When it comes to cyber security we
must fight this battle together." he said.
Liam Fox’s comments follow
the 2010 announcement by
the UK government that
cyber terrorists were one of
the most serious threats to
UK security, second only to
physical terror attacks, and
that an additional £500 million
had been ear-marked for
increased cyber security.
This was announced as part of the
strategic defence review (SDR), which
noted that the West's long-standing
technological advantages over the rest
of the world are likely to disappear in
the coming years, adding that 'further
game-changing technologies, such
as artificial intelligence will become
mainstream in the next 20 years'.
Cyber attacks on the 2012 Olympics
have been identified as a significant
threat after Beijing suffered 12 million
attacks a day during the 2008 games.
Enterprises are also increasingly
aware of and worried by the
threat. A survey commissioned by
Symantec revealed that 77% of
European businesses believe cyber
is the number one security risk.
This far outweighed fears around
internal threats and conventional
crime or even natural disasters.
To the general public hackers are not
perceived as dangerous – the image
of the lone teenager breaking into
networks from his bedroom persists,
helped no doubt by the recent arrest in
Scotland of a 17 year old alleged to be
behind the LulzSec attacks.
But that would be to miss the point.
Cyber is about much more than
teenagers; cyber attacks are likely to
be perpetrated by state actors. Indeed
a recent report sponsored by McAfee
revealed a quite startling degree of
cyber attacks against major institutions
and businesses and defence
contractors in the last five years.
According to security experts at
McAfee, a five year operation it
dubbed “Shady RAT” claimed 72 major
organisations among its victims in a
large number of countries including
the United States, Taiwan, South
Korea, Vietnam, Canada and the UK.
According to press reports 49 of the
victims were US based companies
and government agencies.
McAfee vice president of threat
research, Dmitri Alperovitch said in a blog
post: "The key to these intrusions is that
the adversary is motivated by a massive
hunger for secrets and intellectual
property; this is different from the
immediate financial gratification that
drives much of cyber crime”.
In this operation, he said, the hackers
were looking for "closely guarded
national secrets (including from
classified government networks),
source code, bug databases, email
archives, negotiation plans and
exploration details for new oil and gas
field auctions, document stores, legal
contracts, SCADA configurations, and
design schematics.”
“I have often been asked by our
worldwide customers if they should
worry about such sophisticated
penetrations themselves or if that
is a concern only for government
agencies, defence contractors
and perhaps Google. My answer
in almost all cases has been
unequivocal: absolutely.” he said.
His final comment was a wake up call
for anyone who perhaps does not yet
feel that cyber is a major threat to
businesses and western economies:
“What has been witnessed over the
past five to six years has been nothing
short of a historically unprecedented
transfer of wealth.”
Of course there are plenty of cyber
attacks that are financially motivated and
these seem to be getting bigger and more
ambitious in scale, intent on industrial
levels of data theft and attacking some
of the world’s biggest brands.
Probably the most notorious
recent attack was that on the
Sony PlayStation Network in
2011 which left the online
gaming network suspended
for weeks.
In this case the attack resulted in
the loss of user names, passwords,
addresses, birth dates and possibly
financial details of the network’s 77
million users.
The attack demonstrated the expertise
and tenacity of the forces now
ranged against global corporations.
For a technology business as well
protected and organised as Sony to be
successfully breached was a shock.
Sony successfully recovered from the
attack, but industry experts see it as a
watershed; enterprises will be looking
at and learning from Sony’s experience.
Another big name hit in 2011 was
Citigroup when a data breach in May
exposed 1% of all its North American
credit card customers’ account details.
According to reports some 360,000
customers had account numbers,
names and email addresses stolen.
It was hit again in August when its
Japanese division Citi Cards Japan
(CCJ) said that personal information of
92,408 customers had been breached.
These are big numbers and big names
which prove that major cyber attacks
are here to stay but if that was not
enough to be concerned about, the
picture is complicated further by
the rise of “hacktivism”. Politically
motivated hacker groups such as
Anonymous and LulzSec have emerged
in the last 18 months.
They use denial of service and web
site defacement as a means to
attack those businesses they deem
to be against their revolutionary and
often anarchistic beliefs. It is hard to
know how big or committed these
groups are to their purported ideals
(LulzSec has a more prankster-like
approach) but it’s certain that they can
cause damage and are increasingly
liable to attach themselves to world
events and act accordingly.
In late 2010, Anonymous attacked
MasterCard, Visa and PayPal in protest
at what it saw as those financial
groups’ attacks on WikiLeaks. A
number of arrests by British and US law
enforcement agencies in 2011 reduced
their activities at least temporarily.
However the Anonymous boast, “We
are legion”, is not without some basis –
off the shelf hacking kits are available,
along with instructions, across the
Internet to any kid who wants to join
in. And join in they will, and some will
graduate to full-blown cyber attacks.
The next attack is
waiting to happen.
Social networking for CISOs
According to Wikipedia there are currently around 200 social networking sites in
existence around the world. The largest are Facebook and Twitter, but the use
of any of these sites by employees is a challenge for the CISO. However, an
enlightened approach is the key.
How should CISOs deal with the
inevitable growth of social media?
The first thing NOT to do is react
without thinking. In other words don’t
automatically assume that all social
media is a bad thing. Don’t assume that
their use during working hours is a bad
thing. Do not assume either that social
media is the domain only of those under
25, that they may grow out of them or
they will disappear.
For example, Facebook’s user base in
the UK is around 30 million – pretty
much half the population. In 2010, Mark
Zuckerberg, Facebook’s founder and
CEO, said it was “almost a guarantee”
that the site would hit one billion
users. There’s no reason to doubt him,
even allowing for some slowdown of
membership in recent months. And
even if Facebook was to disappear
tomorrow, you can be sure that
something else would take its place.
The new Google+ network is already
gaining millions of new members.
Therefore social media, as its name
suggests, is embedded in our wider
society. Further, some CISOs will
be aware that within their own
organisations there are departments
actively looking for ways to exploit
social media for advanced marketing
and customer relationship purposes.
Often these initiatives will be undertaken
without recourse to the CISO office or
the information security team. That’s a
challenge – but let’s return to that later.
Let’s deal with the
fundamental challenges
of social media use in the
enterprise. Often the knee
jerk reaction is to go into lock
down mode and block all
usage on corporate networks.
This is the default option for
organisations who believe that
employees hog bandwidth
and waste time on Facebook
and other sites.
But because of the effects of
consumerisation (the CIO and CISO’s
other challenging techno-social trend)
employees will spend just as much
time accessing social networks on their
own devices via 3G networks. So the
blocking route is ultimately fruitless.
And we have moved on from the
Facebook “panic” of 2007 – the year that
Facebook really caught on across the
world. There were dire warnings about
the cost to industry from employees
“wasting time” on Facebook – figures of
£130m being lost by UK industry each
day were bandied about in the media.
However, like the figures calculated for
the effects of strikes, extreme weather
and transport failures – they are hard to
prove and highly questionable.
There may well be some cost from
unregulated social network usage but
now it seems a more mature approach
to social media is emerging. The
problem with blaming lost productivity
on social networks – and by extension
web browsing – is it assumes that
employees previously spent all their
working hours actually working and not
chatting, making tea, smoking outside,
reading newspapers or other “non-productive”
activities.
According to research [1] from
Australian technology and
communications researchers Datacurve,
fears over productivity loss from social
media usage are exaggerated and not
borne out by reality.
The report, which looked at social
media and web usage in Australian
enterprises, states that: “Social media’s
polarising effect on managers and
their workplace policy will continue
to persist in light of increasing
efforts by enterprises to harness
social networks for marketing and
customer relationship purposes,
while simultaneously trapped by the
perception that social networking
during work-time is a monumental
threat to workplace productivity.”
Very true.
It continues: “The hype about
thousands of hours lost in productivity
due to a social media addiction or
pathology is not supported by the
evidence. Spread out across a 20-day
working month, Facebook will be
accessed (on average) every second
day, at approximately nine minutes
per session. In the case of MySpace
and Twitter, engagement is even
less of an issue in the context of
workplace productivity. Compared
with entrenched behaviours like smoke
breaks and coffee runs, social media
behaviour is a very distant third in terms
of employee ‘distractions’.”
The report concluded that the negative
connotations associated with the use
of social media had been overblown but
that there was still a disconnect within
some organisations which had a public
facing endorsement of social media yet
still restricted usage by its own staff.
So there are two challenges
for the CISO: first, a change of
fixed mindsets to accept social
network use by employees
within the enterprise based
on a TRUST model. Second,
ensure that the CISO’s
department is engaged at
fundamental points with
Marketing, Communications
and HR teams to ensure safe
and risk-assessed usage
of social media within the
business for both personal
and business usage.
This will entail a reworking of
Acceptable Use Policies to embrace
social media, taking full account of
the above findings. On an ongoing
basis it will mean full integration with
marketing teams and other C-level
teams so that social media campaigns
are conducted for business benefit
with minimised risk.
The paramount concerns must be that
business-critical data and information
is not exposed on social media and
that employees do not bring the
organisation into disrepute or fall foul
of the law or compliance regulations via
their social media usage.
Finally, remember the big lesson
of consumerisation: empowering
employees with their own
devices makes them happier.
Trusting them with social media
will have the same effect. •
[1] Enterprise 2.0: Looking Inside Out – Benchmarking web usage and social media behaviour in the workplace, Datacurve, http://bit.ly/datacurve2010
CISO Club report
The latest gathering of the HP CISO Club saw delegates discuss the
impact of new EU Privacy laws, Advanced Persistent Threats and the
possibility of CISO intelligence sharing across industry sectors.
EU Privacy and
Communications Directive
The EU's Privacy and Communications
Directive came into force on 26 May
2011. In a nutshell it means that
web site holders and owners must
obtain user consent before using
cookies in code. However due to the
complexities of implementing this, UK
plc has been given a year to put its
house in order by the ICO.
At the meeting it was felt that CISOs
need to take these new laws very
seriously and not sit back and do
nothing because they have a year to
sort it out.
The move by the EU was seen as a
reaction to public concern at the rise
of targeted advertising that tracks
users across multiple sites.
The challenges are identifying and
modifying an existing web presence
so that it complies with the new rules
but doesn’t drive customers away
and impact on the business benefit of
web sites. Some felt that cookies did
bring user convenience. For example,
when they log on, they don’t have to
keep adding in the details they did
the last time round.
Some thought that the new directive
could be bypassed by the less
scrupulous. People’s browsers, their
operating system, plug ins and PC set
ups provide a unique footprint which
meant that businesses could identify
and track user behaviour without
ever putting a cookie on their devices.
There was also the difficulty in
dealing with customers asking for
privacy online but who also have
credit cards, loyalty cards where
they happily give information away
in return for vouchers and financial
rewards. It was felt that people are
looking for privacy yet they’re willing
to give it away if it suits. However, in
the realm of privacy the consumer is
king and the CISO must deal with the
reality of the situation.
On balance however, most felt that
the new directive was welcome and
will end bad practice and that major
UK brands have little to worry about if
they plan and implement a compliant
web strategy in good time.
But there is a danger that some less
scrupulous businesses will just set up
sites elsewhere making it difficult for
compliant UK companies to compete
for customers.
If all companies acted honourably,
there would be no need for any
consumer protection. If the directive is
to work as the EU intends it needs to
have teeth and be enforced properly
right across the EU. People rarely stop
doing bad things just because of a
regulatory issue. They do respond to
fines and prosecution however.
Action points:
– Don’t leave it too late, start planning now.
– Identify an inventory of all the websites you have, not just those you host and manage but those managed by third parties on your behalf. If they carry your brand you need to ensure compliance.
– Work closely with your marketing teams and audit EVERY web technique and database they use and then set up a management tool to ensure ongoing compliance.
– Think about how to adjust your sites. For example, give users a very clear option to turn off cookies, explaining very clearly how you use them and the benefits to the customer. Cookies on as default is not an option.
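One way to put the last two action points into practice, added here as an example and not HP’s or the CISO Club’s code: a consent gate that holds back every non-essential cookie until the user has opted in, removes them again if consent is withdrawn, and a small audit helper that flags cookies observed on a site before any consent was given. The cookie names, the strictly necessary/non-essential split and the Map-backed store standing in for document.cookie are assumptions for this example.

```javascript
// Cookies the site cannot function without. Under the directive these are the
// only ones that may be written before the user opts in. The names are
// assumptions for this example, not a list from the directive or the ICO.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent"]);

class ConsentGate {
  // `store` is a Map in this example; in a browser it would be an adapter
  // over document.cookie with the same get/set/delete/keys interface.
  constructor(store) {
    this.store = store;
    this.deferred = new Map(); // non-essential cookies waiting for consent
  }

  hasConsent() {
    return this.store.get("cookie_consent") === "granted";
  }

  // Every cookie write goes through here, so "cookies on as default" cannot
  // happen by accident: necessary cookies are written at once, anything else
  // is parked until the user explicitly opts in.
  setCookie(name, value) {
    if (STRICTLY_NECESSARY.has(name) || this.hasConsent()) {
      this.store.set(name, value);
      return "set";
    }
    this.deferred.set(name, value);
    return "deferred";
  }

  // Wired to the consent banner's "accept" control: record the decision
  // (itself a necessary cookie) and release the parked writes.
  grantConsent() {
    this.store.set("cookie_consent", "granted");
    for (const [name, value] of this.deferred) this.store.set(name, value);
    this.deferred.clear();
  }

  // Wired to the "turn off cookies" option: record the refusal and remove
  // every non-essential cookie already present on the device.
  withdrawConsent() {
    this.store.set("cookie_consent", "refused");
    for (const name of [...this.store.keys()]) {
      if (!STRICTLY_NECESSARY.has(name)) this.store.delete(name);
    }
  }
}

// Audit helper for the "audit EVERY web technique" action point. `observed`
// is an inventory of cookies seen on first load, before any consent, as
// {host, name}; anything not strictly necessary is a compliance finding.
function auditPreConsentCookies(observed) {
  return observed
    .filter((c) => !STRICTLY_NECESSARY.has(c.name))
    .map((c) => `${c.host}: non-essential cookie '${c.name}' set before consent`);
}

// Walk the gate through the full opt-in / opt-out cycle on constructed data.
function demo() {
  const store = new Map();
  const gate = new ConsentGate(store);
  const first = gate.setCookie("session_id", "abc123");        // "set"
  const second = gate.setCookie("_analytics_id", "visitor-42"); // "deferred"
  gate.grantConsent();
  const afterGrant = store.has("_analytics_id");                // true
  gate.withdrawConsent();
  const afterWithdraw = store.has("_analytics_id");             // false
  return { first, second, afterGrant, afterWithdraw, sessionKept: store.has("session_id") };
}
```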
Sharing CISO intelligence
and defending against attacks
The CISO Club looked at whether
different sectors can share information;
can different challenges be relevant
to different sectors. If a particular
company is targeted, why not pool
resources, why not pool information?
The number one priority for any
organisation is defence. Prosecution
of the perpetrator downstream is
highly desirable but the first priority
is to be able to defend the business
against attack.
CISOs are constantly playing catch
up, because when they find an
effective way to disrupt an attack
mechanism the hostile organisation
will deploy another mechanism.
It was felt that some kind of rapid
reaction knowledge sharing tool on
attack methodologies (as they are
happening), if it could be made to
work, would be highly desirable.
At the meeting it was reported
that there is now a great deal of
seriousness within the government
to actually sponsor a collaboration
between the public sector and the
private sector, to do something
about this, because it’s now widely
recognised that no one company can
work in isolation.
It was felt that there are two types
of information that would be highly
valuable: the source IP and raw
malware. This is the area where
the vendors would have a highly
important role to play in an integrated
intelligence sharing plan.
Advanced Persistent Threats
The growth of sophisticated and
“politically” motivated attacks
against major brands is here to
stay. Enterprises cannot effectively
protect themselves from all attacks.
Even a moderately well resourced
attack that’s well targeted with
knowledge is going to compromise
the business at some point.
There is now a constant stream of
attacks and while hits against big
brands make the headlines, smaller
websites are being attacked on a
daily basis. No company is immune.
And it is affecting public perception
and trust in brands and by extension
those charged with protecting
consumer data. The loss of the
CDs from HMRC made people
angry not because in the end it
impacted on them but because
an organisation that they trusted
lost their personal information.
Security awareness must be
taken absolutely seriously in the
organisation if these attacks are
to be foiled or at least reduced.
Yet others argued that the challenge
is that individuals in enterprises make
their own informed risk decisions
when deciding, for example, whether
to click on a link in an email–and
most get away with it without having
to consult up the line, which is not
practical anyway. People are under
pressure to do their jobs. The problem
of course is that every now and then
one of those links will be malicious.
So new technologies and new
methodologies are urgently needed
to take the risk decision away from
the employee and update security
awareness policies and actions to
take account of business realities. •
Inform – Issue 6 | 2011 21
www.hp.com/enterprise/security
Steve Durbin
What are the aims and policies of the ISF?

We aim to supply authoritative opinion and guidance on all aspects of information risk management and security. ISF membership is available to all organisations, irrespective of size, and many of our members are Fortune 500 and Forbes 2000 companies. With the increasing focus on security and the continuing move for this to be viewed and treated as a business risk issue, the ISF continues to support its members through the provision of research, risk assessment tools and insight in a consistent and easily accessible manner whether the members are based in Asia Pacific, Europe or the Americas.
Do you think that the demands of CISOs are driving the industry effectively and are vendors listening?

If you asked the majority of vendors whether they listened to the demands of their clients you’d get a resounding YES! I also think if you asked the clients, they’d say the vendors could always do a better job of listening, or bringing products to market faster, cheaper and so it goes on.

One of the things that categorises the ISF membership base, however, and sets it apart from many others is that it is made up of both of these constituent parts. The ISF, therefore, gets to act as a channel for CISOs to share their views on how to drive the industry effectively and for vendors to hook into that thought leadership and to present their views in a highly collaborative environment. A good example of this would be the ISF special interest group (SIG) on mobile devices. Here we have some of the world’s leading vendors and developers of mobile devices and applications coming together with some of the world’s smartest user organisations to collaborate on how mobile devices can be made more secure in the enterprise and consumer space.
Are CISOs and senior security professionals becoming more business focused and has the ISF changed to reflect this?

The role of the CISO has certainly changed and I believe will continue to change over the coming years. Security is not an IT issue, it is a business issue and one that has very real business impact. So what can the CISO do and indeed what can organisations do to address these challenges effectively? It will require the adoption of new structures, governance and processes that significantly change the ability of an organisation to manage data breaches and cyber threats. It is a significant change that requires a refocus and alignment with the business. The ISF continues to change as our members change to address the evolving and emerging needs of the corporations that make up the global membership.
Why is Europe struggling to encourage young people into a career in information security?

Information security has had some bad press in the past and is commonly perceived as not a dynamic career choice. Yet in fact, cyber is a world of opportunity—and one where thousands of public and private sector organisations, and their billions of customers, are now reaping major benefits every day. Cyber security, far from being a barrier, is actually a critical enabler for organisations to harness the opportunities available through taking processes and activities online.

Given its unparalleled blend of massive opportunities and profound threats, operating securely and successfully in the information security and cyber environments is among the most pressing and urgent issues facing business and government leaders today. Now that sounds like a pretty interesting and challenging career choice to me and that’s the message we need to get across to young people!
Is consumerisation out of control or can it be a positive force in the enterprise?

It’s not out of control but it’s a fast-growing trend, and the pace of development is only likely to increase as the capabilities and popularity of these devices continue to grow. It’s simply added further impetus to the need to manage the use of such technology at work. For example, the question of who owns the device can also have legal ramifications on mobile device management and the remote wiping of devices should the need arise.

The benefits of using such devices at work include greater flexibility, increased productivity and reduced costs. They also open the way to further innovation and the identification of new business opportunities that previously did not exist. Organisations urgently need to formulate a response to this trend if they haven’t already done so. It is a major focus area for the ISF.

Steve Durbin Q&A

Steve Durbin is Global VP of the Information Security Forum (ISF), an independent organisation that supplies authoritative opinion and guidance on all aspects of information security. It has 300 corporate members around the globe.
How is social media affecting the way CISOs do their jobs, can they harness the power of social media for user awareness?

Social networking is an emerging trend that has yet to reach maturity but one that has achieved scale, is here to stay and will continue to develop. Enterprises can therefore take a number of views – wait and see, restrict or ban the use of social media in the workplace; this clearly removes any of the risk but also any of the potential benefits, or alternatively, embrace social media within the organisation with clearly articulated guidelines around its use. It boils down to what risk profile an organisation wishes to run with.

Clear policies should be developed within the enterprise that ensure that everyone understands the approach to social media that is being adopted. CISOs that have embraced social media can point to benefits such as the use of social media to raise user security awareness.
The ISF has talked about the importance of the “Smart Enterprise”, what does it mean by this?

Cloud computing and other flexible business solutions will affect commercial organisations even more in the future as they look to replace many of their under-utilised organisational assets or infrastructure with “pay for usage” business models. This marks the rise of the “Smart Enterprise” – an increasingly flexible business that relies on working with best value providers in dynamic supply chains whilst continually looking for better control on business processes by utilizing new developments.

However, even while the underlying pace of change will continue to accelerate, organisations in general and smart enterprises in particular need to be aware that there will continue to be a balance between moving fast now and the need for good governance, planning and management. •
Insights
HP research shows 56 percent rise in cost of cyber crime

New research reveals cyber attacks increasingly plague businesses and government organisations and result in significant financial impact, despite widespread awareness. Conducted by the Ponemon Institute, the Second Annual Cost of Cyber Crime Study revealed that the median annualised cost of cybercrime incurred by a benchmark sample of organisations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organisation. This represents an increase of 56 percent from the median cost reported in the inaugural study published in July 2010.

The study found that recovery and detection are the most costly internal activities, highlighting a significant cost-reduction opportunity for organisations that are able to automate detection and recovery through enabling security technologies.

Inform readers can download the study to better understand the amount of investment and resources needed to prevent or mitigate the financial consequences of an attack.

Download the study at this URL: http://bit.ly/rlFXI3
IT departments still not trusted in the enterprise

Now in its fifth year, Cyber-Ark’s annual survey report Trust, Security and Passwords recently examined the threat of privileged users within an organisation and analysed the views of over 1,400 IT staff and C-level professionals across North America and EMEA.

The survey found that the IT department is still considered the most untrustworthy, with 48% of global respondents identifying it as the most likely to snoop around the network. The study also found that the majority of employees would take confidential data (66% of global respondents) if they left their company, despite 87% of respondents acknowledging that they had no right to this information.

The research highlights a number of key threats and concerns. Overall it underlines the need for organisations to implement robust security procedures to offer internal and external protection of data from cyber-attacks.

Download the study at this URL: http://bit.ly/gBUqby
Global survey reveals almost 80% of businesses experienced data loss in 2010

A recent survey by Check Point and the Ponemon Institute showed that 77% of organisations experienced data loss in the last year. The survey of 2,400 IT security administrators showed the main cause for data loss was lost or stolen equipment, followed by network attacks, insecure mobile devices, Web 2.0 and file-sharing applications and accidentally sending emails to the wrong recipient.

Furthermore, 49% of all respondents believe their employees have little or no awareness about data security, compliance and policies – meaning businesses should integrate more user awareness into their data protection and DLP strategies.

Download the full survey at this URL: http://bit.ly/g81sl5
Research from HP Labs helps CISOs make the right security investments

The increasing business reliance on IT and worsening threat environment means that organisations are under pressure to invest more in information security. But the choices are hard when money is tight, objectives are not clear and there are many experts and stakeholders.

A new HP research paper looks at these security economics challenges by relating them to a realistic security problem relating to client infrastructure. The study is aimed at improving decision making, and suggests ways to proceed and test for the impact of new methods on the actual decision makers.

Download the study at this URL: http://bit.ly/pGJXWP
Paper suggests new ways to defend against the threat of social engineering

Social engineering is the art of manipulating people into taking actions that breach even the best technology-based organisational defences. This dark art has been practiced by criminals since the beginning of history and new examples crop up on a daily basis. But new security techniques are available to close this vulnerability by modifying employee behaviour.

Download the paper at this URL: http://bit.ly/iZIis6
Security Benchmarking

How does your security stack up?

Benchmarking, long used to measure IT effectiveness, has recently started making inroads into information security thinking. But is it an effective tool for CISOs?
Do some enterprises do security better than you? Are they getting better ROI on their security investments and enjoying simply better security efficiency? How do you compare? These questions are what security benchmarking is all about.

And it’s a subject appearing on the radar of more and more security leaders. As budgets get further squeezed across the enterprise and security professionals are expected to justify any security spend, there is a natural tendency to look outside the company’s four walls and see how competitors are performing. Most importantly, they may be achieving greater efficiencies and security effectiveness by using similar resources more effectively.

Your rivals may have innovated by using cloud services or by sub-contracting parts of their security function to outsourced teams. There may be a great deal to learn if security leaders and their teams started looking beyond their own departments and planning. Indeed their colleagues in IT teams have long appreciated the value of benchmarking.

“Benchmarking has been in use in other IT disciplines for decades. Whether it was data center performance or network utilization, companies have always felt compelled to compare themselves to others. It’s part of the competitive, win at all costs mentality that pervades business,” says Mike Rothman from information security analyst firm Securosis.

The problem for information security is that it is only just emerging as a business function akin to IT. There has been little in the way of concrete data for security leaders to measure themselves against. Some obvious questions are: How does your number of incidents compare to rivals? How does your headcount compare and are you using your budget effectively? Yet information security, as we know, is a harder discipline to quantify and measure compared to IT, which can be mostly reduced to simple cost efficiency and productivity metrics.
Meanwhile an effective security program can be defined as one that prevents breaches, serial hacking, malware infection and so on. And up until recently this was pretty much considered the most effective 'box ticking' metric. But as already mentioned, as the security profile has moved further up the corporate food chain, senior management want to know if the function is working as well as it could – could it be better? Are competitors doing it better and gaining competitive advantage and efficiencies? In a difficult economy, it is now part of the “win at all costs mentality” that Mike Rothman spoke of.

The simple and obvious answer to senior management for all these questions is, “I don’t know”. So given that you obviously can’t ring up your counterpart at your rival and ask how they do things, what can you do?

You then need a data source or, better, a consultant partner that has long-established credentials in understanding and documenting best-in-class security practices. Most importantly it will have access to benchmark data and security metrics based on long term and direct experience of working with security leaders across different sectors and industry verticals. Only by working with a benchmarking partner that can offer such insight can you hope to get an accurate assessment of how your security practice and technologies stack up.

Before this however you must determine what it is you and your senior management actually want to achieve from any benchmarking process. A simple comparison is pointless unless you can act on the comparison results, learn from them and make changes. Get back to CISO leadership basics and remember that you are leading a risk-based business function and not an IT-based function.

A benchmarking assessment needs to reassure management that the department you are leading is exposing them to the right degree of risk and that the level of investment to maintain that risk level is correct. The benchmarking process may reveal that the investment is too high and data is over-protected compared to rivals, or it may reveal a worrying degree of exposure, in which case more investment is needed. Furthermore it may reveal that investment has been pushed towards the wrong technologies and implementations. It’s worth emphasising that this kind of insight can only be achieved by engaging a partner that can deliver commensurate levels of experience and benchmarking data for your expectations and type and size of enterprise.

There are other benchmarking options available. Some organisations offer access to benchmarking databases (against a variety of ISO and other industry standards) in which you can conduct your own exercise against that of similar organisations. While this may give a reasonable degree of accuracy, information security is a fast moving and evolving practice and some benchmark data may well be out of date. Ideally you need to engage with a partner that can promise almost up to the minute, real world experience of security benchmarks with resultant data sets. If you have budget, you could carry out a benchmarking study using a combination of both.

Finally however, it’s worth quoting these words from Mike Rothman: “Security benchmarking is not a short-term fix – it’s a long-term journey. One that requires commitment from senior management and an ongoing focus on applying lessons derived from data to refine operational activities, as well as a mechanism to push for accountability from all parts of the organization.” And that is very much the essence of effective security benchmarking. It’s about business, not technology.
Benchmarking Basics

1. Define precisely what you want to achieve from your benchmarking exercise. This could be to identify suspected security gaps or to achieve security efficiencies.
2. If the benchmarking has been driven by enquiries from the board, make sure that you work fully with it when planning project goals.
3. Ensure that the goal of the benchmarking exercise is based on risk and business benefits for the enterprise and not simply an end in itself.
4. Simplicity is the key. Don’t try and benchmark everything at once. Work with your partner to ensure that the right sort of benchmarking process is carried out to achieve your stated goals.
5. Don’t compare apples with oranges. You need to compare your security set-up to similar organisations, not just in terms of sector but also size.
6. Ensure that you and your benchmarking partner have access to the right data sets for your industry or vertical from the outset. If this proves difficult, you may need to question the performance of the partner. The wrong data will skew your results.
7. Remember, in effective security benchmarking, data is king.
OCTOBER 26, 2011
www.focus11london.com

Don’t miss FOCUS 11 London

Gain valuable knowledge from McAfee executives, customers and other industry leaders.

FOCUS 11 London Security Conference offers an excellent opportunity for decision makers, security industry influencers and strategists to network with other professionals, get in-depth security updates, and learn more about today’s most pressing security challenges.

Topics include:
• Cyber security threats and trends
• Hacking
• Virtualization
• Mobile devices

Where: BAFTA HQ, 195 Piccadilly, London W1J 9LN
When: October 26, 2011
Sponsoring partner:

FOCUS 11 London Keynotes
RT Hon David Blunkett MP, Former Secretary of State and Chairman ICSPA
Jacqueline de Rojas, Vice President, McAfee UK and Ireland
Gert-Jan Schenk, President, EMEA, McAfee
Steve Shakespeare, Director, EMEA Enterprise Solutions, Intel Corporation

FOCUS 11 London Highlights
Bennett Arron, Award-winning Writer, Actor and Comedian
Nick Leeson, The Man Who Broke Barings Bank
Bryan Glick, Editor in Chief of Computer Weekly
Stuart McClure, Co-Author of Hacking Exposed

For more information on FOCUS 11 London sessions and the full agenda, visit: www.Focus11London.com

227 Bath Road, Slough, Berkshire SL1 5PP