Information Security - Hewlett-Packard


from HP Information Security
Issue 4 2011

Inform meets Stephen Bonner, Barclays Risk Management guru. He's also the Most Influential Person in Information Security; we find out what makes him tick.

Banking on

7 Trends for 2011
The top seven trends that are set to transform information security in 2011 – and beyond.

Lessons from the CISO Club
A report from the findings of the influential CISO Club on social networking, consumerisation and more.

An Economic

A look at the economic conditions ahead and how they will affect the decisions that CISOs must make.

Check Point SmartEvent Software Blade
Turns Security Information

The SmartEvent Software Blade from Check Point is the first and only unified event analysis and management solution that delivers real-time, actionable threat management information.











In this edition

4 News
Latest announcements, products and updates from leading security vendors.

6 The Security Year in Review
A look back at some of the highs and lows of the year in security, plus what happened elsewhere in the world.

8 7 Trends for 2011
The top seven trends that are set to transform information security in 2011 – and beyond.

11 Interview: Stephen Bonner, Barclays
Inform gets an audience with the man voted the Most Influential Person in Information Security.

14 An Economic

A look at the economic conditions ahead and how they will affect the decisions that CISOs must make.

19 The CISO Club
A report from the findings of the influential CISO Club on social networking, consumerisation and more.

22 Q&A: Larry

The founder of the Ponemon Institute shares his views on security effectiveness, ROI and the lessons he's learned.

Bob Dylan once sang "The Times They Are A-Changing", an acerbic and prophetic take on the social and cultural upheavals about to engulf the 1960s, a decade that can be described as truly transformational.

Fifty years on I believe we are on the cusp of a transformation in our industry. We have already seen huge changes in technology and the social impact of those. Information security has gradually risen up the food chain to become a board-level concern. Threats to business continuity have reached unprecedented levels of sophistication – the presence of politically and even militarily motivated attacks is very real. At the same time, financial attacks are now the domain of ruthless international criminal gangs.

Change and transformation are the twin themes that run through this issue of Inform. If the security community is to manage this change, industry leaders need to provide best-in-class service levels. Which is why I am delighted to introduce HP Information Security to you. We've fused the capability of the information security specialist, Vistorm, with the scale, dedicated R&D and innovation of HP to create a dynamic new entity called HP Information Security.

As CEO I am committed to our goal of transforming security. We have the finest security expertise and partners, now backed up with the resources of the world's largest technology company. To put that in perspective here's just one statistic: HP serves more than one billion customers in more than 170 countries on six continents. That's some clout.

So what's hot in this issue? We look at some of the key trends that CISOs and their teams will need to be on top of in 2011 and beyond (page 8). Our interview (page 11) features Stephen Bonner, Managing Director, Barclays Information Risk Management. It's a great read and shows why he was recently voted the 'Most Influential Man in Information Security' by SC Magazine.

There's a report on how the economic conditions will impact security strategies in 2011 with expert comment from financial guru Justin Urquhart Stewart (page 14).

You can tap into the findings of our exclusive CISO Club (page 19) which brings together some of the best minds in information security. Of course we will be running more CISO Clubs in the year ahead.

Next year will also see the return of our highly successful and influential Information Security Leaders events, set to focus on the theme of security transformation and change. I look forward to welcoming you there.

The times they are a-changing for sure; for us and our customers. But I am excited by the challenges ahead and the solutions that HP Information Security will develop.

Dan Turner
CEO, HP Information Security

Issue 4 | 2011

Published by HP Information Security
Web: www.hp.com/info/security
For enquiries about Inform, please contact

Produced by Crisp Design
Cover photography: Teri Pengilley

The third party views expressed in this magazine are those of the contributors, for which HP Information Security accepts no responsibility. Readers should take appropriate professional advice before acting on any issue raised. Reproduction in whole or in part without permission is strictly prohibited.

© 2010, Hewlett-Packard Development Company, L.P. All Rights Reserved.




Check Point

Check Point wins best IPS and UTM solutions in Information Security Readers' Choice awards

Check Point scored a double success in the 2010 Information Security awards, winning the Readers' Choice Award gold medal for Best Intrusion Prevention solution and Best Unified Threat Management solution. The awards are selected by the readers and editors of Information Security and SearchSecurity.com.

Check Point was also recognized for its leadership in Network Access Control (NAC) and Secure Remote Access, with Check Point Endpoint Security and Connectra winning silver and bronze in their respective

"These awards clearly validate our products' strength, performance and Check Point's pure focus on security. Every vote is clear testament to our continued commitment to security innovation," said Juliette Sultan, head of global marketing at Check Point.

For further information visit: www.checkpoint.com


McAfee moves to speed delivery of security solutions into virtualised

McAfee has announced its Management for Optimised Virtual Environments (MOVE) platform, which it says will speed the delivery of security and management solutions into virtualised environments.

The anti-virus capable solution is claimed to be the first to be delivered within a virtualised infrastructure, avoiding the problems of running a traditional anti-virus in virtual machines.

"If you have anti-virus running on ten virtual machines and they all attempt to scan at once you get AV storming. It kills your CPU," said Brian Foster, product manager at McAfee.

The new platform consists of a set of APIs that sit on top of a hypervisor, or virtual machine monitor, to optimise security functions while minimising performance overheads. This enables the system to offload the scanning requirement to a guest virtual machine operating on the same platform, meaning that the scan only needs to run once.

For further information visit: www.mcafee.com

RSA

RSA unveils new solution to deliver end-to-end data security

RSA, the security division of EMC, has announced its new Data Protection Manager, a product designed to give customers data protection capabilities built in to the application.

According to RSA the product combines tokenisation and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security.

The company believes that by protecting data at the source, within the application that's creating or using it, the new product will help ensure seamless data protection throughout the information lifecycle.

"The majority of on-line data breaches happen within the server or application, so mitigating this risk is critical for overall data protection," said Jon Oltsik, principal analyst, Enterprise Strategy Group at RSA.

"Application-based data security provides a high level of protection because data is protected at the point of capture and then remains protected throughout its lifecycle. Application-based encryption and tokenisation can be quite effective for this type of data security," he said.

For further information visit: www.rsa.com
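To make the "protect at the point of capture" idea concrete, here is an added example of application-level tokenisation in Python. It is written for this page and is not RSA's Data Protection Manager or any RSA API: the vault is an in-memory dictionary, the lookup key and the sample card number are made up, and the token format (random digits, real last four kept, and deliberately failing the Luhn check so a token can never pass as a card number) is one common design choice among several.

```python
import hashlib
import hmac
import re
import secrets


def luhn_ok(number: str) -> bool:
    """Standard Luhn check used for card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example of a tokenisation vault, not RSA's product.

    The application calls tokenize() as soon as it captures a PAN and
    stores only the token; the PAN itself lives only inside the vault,
    which in a real deployment sits in a separate, tightly controlled
    system rather than this in-memory dictionary.
    """

    def __init__(self, lookup_key: bytes):
        # Secret used to derive a deterministic index for each PAN so the
        # same card always maps to the same token without keying the
        # dictionary on the raw PAN. (Made-up key in the usage below.)
        self._lookup_key = lookup_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN

    def _index(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13 to 19 digits")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Format-preserving token: same length, real last four digits so
        # receipts and customer service still work, random digits elsewhere.
        # Rejecting Luhn-valid candidates guarantees a token can never be
        # mistaken for (or charged as) a real card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; callers must be separately authorised."""
        return self._pan_by_token[token]


def capture_order(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the order-taking application stores: the token, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"example-vault-lookup-key")   # made-up key
    order = capture_order(vault, "alice", "4111111111111111")     # well-known test PAN
    print(order)
    print("charged via vault:", vault.detokenize(order["card_token"]))
```

The HMAC index means the vault can answer "same card as before?" without storing the PAN as a dictionary key, but it also means anyone holding the lookup key can test whether a given PAN is in the vault; in practice that key and the vault contents need the same protection as the card data itself.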

4 2011 | Inform - Issue 4


Check Point

Check Point extends its secure blade technology to mobile workforce

Check Point has released its new Mobile Access Software, said to deliver fast and secure access to corporate applications from mobile devices. The new blade integrates advanced SSL VPN capabilities and encryption technology to protect against security threats as users remotely connect to the corporate network. Users can download the Check Point Mobile application for secure, one-touch access directly from mobile devices running on Apple, Android, Symbian and Windows PC platforms.

"With more users connecting remotely than ever before, mobile computing presents an ongoing security challenge for organizations that want to protect company data and resources, while providing employees with access to the network anytime, anywhere," said Dorit Dor, vice president of products at Check Point Software Technologies. "Our approach is to simplify mobile security for businesses and their employees. Users can go to the Apple app store and download the free application, enter their login and password, and instantly gain secure access to their corporate data."

With certificate-based authentication and smart user-device pairing, Check Point says that businesses can ensure each individual has access to their authorized applications, just as they would from their desktop.

For further information visit: www.checkpoint.com


Websense Security Labs report shows growing sophistication of cyber criminals

The 2010 Websense Threat Report shows that cybercriminals are increasingly sophisticated, deploying targeted attacks. The report suggests that blended attacks are exploiting security gaps left open by legacy technologies like firewalls and AV tools.

"The continued rise of organized cyber criminal gangs and the emergence of targeted advanced malware threats are the most concerning trend we've seen," said Dan Hubbard, chief technology officer at Websense. "Security needs to move ahead of the attackers and focus on contextual classification. Simple binary access controls and castle-and-moat security will not solve the complex attacks we see today."

According to the report, in 2010 cyber criminals adapted their strategies to address social websites and sites with user-generated content. Many attacks use new tricks and methods of delivery.

Trends predicted for 2011 include blended threats and data loss over the dynamic Web and the potential for targeted cyber terrorism attacks.

For further information visit: www.websense.com/2010threatreport

Trend Micro

Trend Micro wins Messaging Solution of the Year at the Computing Security Awards 2010

Trend Micro has won its fourth industry award in the UK in under a year, at the Computing Security Awards 2010. The Computing Security Awards 2010 reward achievement in technology, and Trend Micro's Interscan Messaging Security Virtual Appliance won the Messaging Solution of the Year category.

"To be honoured with an award is to celebrate the hard work and effort that goes into developing and supporting a product. The victory is even more significant when it is our customers whose satisfaction with Interscan Messaging Security Virtual Appliance has compelled them to vote for it over competitor solutions," said Tony Larks, Marketing Director, EMEA at Trend Micro.

Interscan Messaging Security Virtual Appliance has been developed to stop new and evolving threats before they can enter a network, by utilising Trend Micro's cloud-based web and email reputation technologies. It also blocks unwanted mail and blended threats with multi-layered anti-spam and award-winning malware protection.

For further information visit:


The Security Year in Review

As we look forward to the New Year we take a look back at some of the headlines from another eventful year in security.

The year kicked off with the news that the Gmail accounts of human rights activists had been hacked in China – thought by some to be the work of the Chinese government. The incident demonstrated that even the biggest Internet companies were vulnerable to hacks. Google beefed up its security accordingly.

On a happier note the security industry's annual White Hat Ball not only attracted more attendees than ever before, it also raised £100,000 for the organisation's chosen charity, NSPCC ChildLine. Well done.

February saw around 7,000 members of the Association of Teachers and Lecturers (ATL) affected by a data breach following the loss of a laptop and USB stick, stolen from the roadside while an ATL member packed a car. Unfortunately, as is all too typical, neither laptop nor USB stick was encrypted. Oops.

Moving into April and the biggest news in IT was the launch of Apple's iPad. Not since the iPhone's appearance in 2007 had one piece of technology garnered so much fevered press coverage. Apple claimed it sold more than 300,000 iPads on launch day. Stories of jailbroken iPads swiftly followed but to date Apple's tablet has proved resilient to malware.

In May, MessageLabs (now Symantec Hosted Services) reported that nine out of ten spam emails contained a URL link in the message and, perhaps more worrying, five per cent of all domains found in spam URLs belonged to genuine websites, including those of the major social networking sites. Further evidence that the web was now the dominant threat vector.

Twitter meanwhile went from strength to strength with everyone in the known world seemingly updating the world on the minutiae of their lives. But the site itself was starting to creak under all the success and June saw a number of outages and service disruptions, mostly due to the World Cup. Worse was to come in September when a number of celebrities' Twitter accounts were hijacked. These were mostly pranks but sadly it won't be the last time that Twitter users are targeted.

The unusually named Hell Pizza chain in New Zealand suffered one of the year's worst data breaches, with the passwords, emails, home addresses and phone numbers of around 230,000 customers stolen from its database. Some Kiwi celebrities were affected by the breach in July but, according to the New Zealand Herald, at least one maintained a sense of humour over the incident.

It's been another eventful year on the world stage...

January: Gordon Brown faces another attempted coup to oust him. This time the instigators are Geoff Hoon and Patricia Hewitt. It fails.
February: A special EU Summit takes place to try and solve the worsening economic crisis in Greece.
March: North Korea sinks the South Korean ship the Cheonan, leading to rising tensions in the region.
April: Apple launches the iPad to an expectant world. Cynics are confounded by 3 million sales in the first 80 days.
May: The UK General Election ends in a hung parliament. A coalition government led by David Cameron is formed.
June: The new Chancellor George delivers his first budget speech. It's the first sign of the austerity measures ahead.
July: Andrés Iniesta scores the only goal in the World Cup final to deliver the trophy to Spain for the first time.


"My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell," said local comedian Dai Henwood.

August brought the biggest and most surprising industry news of the year as Intel acquired McAfee for a whopping $7.7bn. Some analysts were mystified at the purchase but others saw it as a "smart strategic move" and one that could potentially embed security controls at the heart of a new generation of Intel processors. The acquisition followed the trend for the big IT corporations to acquire and integrate security expertise.

The other big talking point at the end of the summer was the growing impact of the Stuxnet worm, which was spreading further into the wild. The controversy over Stuxnet wasn't just its sophistication and highly targeted nature but who actually created it in the first place and why. One theory was that it was deliberately used to damage Iran's nuclear programme but to date this has not been proven. Whatever its origins, its creators were remiss in not designing in a self-destruct. It was reported to have damaged power supplies in India and remains loose.

Then there was Firesheep. This small Firefox extension was created and released by developer Eric Butler with the stated aim of exposing a weakness not in the browser itself but in the many websites that encrypted the login page and then sent the user's session cookie in the clear on every subsequent request. On a shared network such as open Wi-Fi it could enable HTTP session hijacking: an attacker captures a user's cookie and can then do anything that user can do on the website. The little extension generated a huge controversy and was downloaded by security geeks the world over.
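What Firesheep exploited can be checked from a server's own response headers. The following is an added example written for this page, not part of Firesheep or of any website's code: it audits constructed Set-Cookie headers for the two conditions that made a session cookie sniffable (issued over plain HTTP, no Secure attribute) and adds the HttpOnly and Strict-Transport-Security checks a practitioner would want alongside them. The cookie names and values are made up, and the rule for which cookies count as session cookies is a heuristic assumed for the example.

```python
from http.cookies import SimpleCookie

# Cookie names that conventionally carry a login session (assumed list for this example).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session"}


def is_session_cookie(name):
    n = name.lower()
    return n in SESSION_NAMES or "sess" in n or "auth" in n


def audit_response(scheme, headers):
    """Check one captured HTTP response for the weaknesses Firesheep relied on.

    scheme:  'http' or 'https', the connection the response was observed on.
    headers: list of (name, value) pairs as sent by the server.
    Returns a list of (cookie_name_or_'*', finding) tuples; empty means clean.
    """
    findings = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            if not is_session_cookie(cname):
                continue
            if scheme == "http":
                findings.append((cname, "session cookie issued over plain HTTP: anyone "
                                        "on the network path can read it"))
            if not morsel["secure"]:
                findings.append((cname, "missing Secure attribute: the browser will also "
                                        "send it over any http:// link to this host"))
            if not morsel["httponly"]:
                findings.append((cname, "missing HttpOnly attribute: readable by page "
                                        "script, so an XSS can steal it"))
    if scheme == "https" and not has_hsts:
        findings.append(("*", "no Strict-Transport-Security header: a first http:// "
                              "request can still be intercepted before the redirect"))
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=5f3a9c21e0; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
])

HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=5f3a9c21e0; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(*resp) or "clean")
```

The Secure attribute is the decisive one against Firesheep: without it a site that serves its pages over HTTPS still leaks the cookie the moment the browser follows a single http:// link to the same host, which is exactly the mixed deployment many large sites had in 2010.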

In November we had an example of careless use of the company email. According to a report in the Daily Telegraph a banker at UBS allegedly cost the Swiss bank millions in potential fees after he sent an email to 100 people containing details of General Motors' upcoming flotation, designed to help the troubled car company raise cash. The rogue email resulted in UBS being summarily dropped as the underwriter on the deal. Not good.

As Inform went to press, December had not yet happened, but you can be sure it brought its fair share of scams, data embarrassments and threats. Happy New Year!

August: The Food Standards Agency investigates allegations that milk from the

of cloned cows is being sold illegally in the UK and elsewhere in Europe.
September: BP finally seals the leaking deepwater oil well that has devastated the Gulf of Mexico.
October: Wayne Rooney stuns Manchester United by saying he is leaving, then changes his mind after securing a £160,000-a-week deal.
November: Prince William and Kate Middleton cheer up the country by announcing their engagement.
December: After months of planning, Vistorm officially becomes HP Information Security, ready to meet the security challenges of 2011 and beyond.



7 Trends for 2011

The year ahead will bring new challenges to the information security community. We take a look at seven key trends and technologies that 2011 will bring into sharp focus.




Organisations will find themselves operating in more interconnected and regulated environments than ever before. While the business benefits of closer integration with partners, suppliers and customers are indisputable, there is an increased risk to data and information sitting in the cloud or beyond controlled enterprise environments. New regulatory powers will also bring compliance and governance pressures to bear on the CISO's workload.

This means that organisations will need to ensure that they have enhanced information assurance policies to satisfy regulators, partners and, most importantly, customers. Those organisations that fail to manage risk effectively are potentially exposed to events which can seriously damage financial performance and reputation.

Security Information & Event Management

More organisations will be investing in rapidly emerging Security Information and Event Management (SIEM) technologies. These are seen by analysts as a cost-effective and efficient way of managing constantly evolving threat landscapes and the risks to the enterprise from employee error. The new breed of sophisticated SIEM tools will be able to provide effective security posture awareness and faster incident response, in addition to meeting stringent compliance reporting requirements. The leading SIEM systems deploy and use advanced software-based tools.

SIEM integrates security and compliance with operational activities, and the best will enable enterprises to achieve more comprehensive security and compliance control monitoring and reporting as well as lower security operations costs.
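The value a SIEM adds over a log archive is correlation: turning many individually unremarkable events into one alert an analyst can act on. Here is an added example of that logic in Python, written for this page rather than taken from any vendor's product or rule language. It assumes OpenSSH-style password-authentication log lines arriving in time order, and the thresholds (five failures inside 60 seconds, then a success from the same address within 120 seconds) are assumptions a real deployment would tune. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH password-auth lines; other auth methods are ignored by this example.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_event(line):
    """Normalise one raw log line into a dict, or None if it is not password auth."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, fail_window=timedelta(seconds=60),
              success_window=timedelta(seconds=120)):
    """Alert when one source IP racks up `threshold` failures inside
    `fail_window` and then logs in successfully within `success_window`.
    Lines are assumed to arrive in time order, as from a log collector."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent_failures[ip]
        if ev["result"] == "Failed":
            q.append(ts)
            while q and ts - q[0] > fail_window:      # slide the failure window
                q.popleft()
        else:
            while q and ts - q[0] > success_window:   # failures too old to count
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"ip": ip, "user": ev["user"],
                               "failures": len(q), "at": ts.isoformat()})
            q.clear()                                  # a success resets the counter
    return alerts


# Constructed sample: a brute force that succeeds, then a normal user with one typo.
SAMPLE_LOGS = [
    "2011-01-10T09:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "2011-01-10T09:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2011-01-10T09:00:05 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51126 ssh2",
    "2011-01-10T09:00:07 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51128 ssh2",
    "2011-01-10T09:00:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "2011-01-10T09:00:15 web01 sshd[2217]: Accepted password for root from 203.0.113.7 port 51140 ssh2",
    "2011-01-10T09:01:00 web01 sshd[2230]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "2011-01-10T09:01:20 web01 sshd[2231]: Accepted password for alice from 198.51.100.4 port 40001 ssh2",
    "2011-01-10T09:02:00 web01 sshd[2240]: Accepted publickey for deploy from 192.0.2.9 port 22222 ssh2",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT brute-force followed by success:", alert)
```

Note what the rule deliberately does not fire on: the five failures alone (noise on any Internet-facing host) and the single typo from alice. The alert carries the count and the account name so the responder can go straight to the question that matters, whether that successful login was the attacker.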





As security becomes more complicated to manage and stresses increase, those businesses with fewer resources will increasingly turn towards Managed Security Services (MSS) to partly or totally outsource their security function. The threats and compliance pressures are no less for smaller businesses but by turning to dedicated MSS suppliers they will access dedicated and full-time specialist expertise.

With the assurance of service performance provided by Service Level Agreements (SLAs), companies can expect real-time results by engaging MSS at a lower cost of ownership than managing security in-house.

At a time of continuing economic uncertainty and budget cuts, the MSS market is likely to become highly competitive; customers will demand the best and choose those MSS providers that have top-line resources and expertise drawn from years of security experience.






Risk management will become more than a buzzword and establish itself as an embedded component of the security professional's armoury as business change accelerates, employment patterns oscillate due to economic pressures and enterprise technology shifts. The ability to assess and manage the risk to information and data assets does demand an advanced set of skills and experiences – mostly from outside the traditional IT security sphere.

Larger enterprises are likely to invest in risk management skills and resources to keep on top while smaller companies will look to specialist consultancies to quantify risk and define appropriate controls – especially in relation to governance and compliance requirements.





Related in part to risk management, Situational Awareness is a set of soft skills likely to emerge in 2011. In a nutshell it involves being aware of what is happening throughout the business environment and the impact any incident or activity may have.

Situational awareness enables organisations to build a complete picture of infrastructure activity and helps to reduce threat profiles. A full understanding of the operational picture and the associated management functions particularly assists organisations in achieving compliance with applicable laws and regulations.



Governance, Risk & Compliance

In a way, Governance, Risk and Compliance systems are an amalgam of many of the previous trends listed on these pages. Driven by the complexity of national and international laws in relation to data assurance and privacy, organisations will look to combine both the technologies and skills needed to manage governance, risk and compliance.

This will be driven by the supplier and vendor community looking to offer end-to-end and bespoke solutions to the enterprise. Enterprises for their part will look to those suppliers who can integrate disparate standards into single-view matrices combining ISO 27001, PCI, SOX and FSA standards as well as stringent legal requirements.




Not a technology or an emerging skill, of course. Instead, greater expectations are precisely what the security professional will have of their service providers and technology suppliers. So complex is the threat landscape, so disruptive the changes in IT (consumerisation, virtualisation, stepped outsourcing etc) that to keep up, the security professional will deal only with those organisations and suppliers that can meet those complexities. Those that cannot may not survive.

Those expectations will increasingly include the complete control and management of risk, clear reporting procedures and communications, forensic analysis and genuine 24/7 support. Security professionals will demand full visibility of timescales, risks, cost and performance. In short, they will want world-class information security.




Is your information security designed for the relentless challenges that are thrown at it? How will it meet the demands of hyper-competitive business and massive technological change? Or the almost daily new security threats?

More of the same is no longer an option. It is time for a total transformation of information security. And it is why Information Security Leaders 2011 is devoted to enabling CISOs, CIOs, IT and Security Managers to achieve substantial change. There will be insights from industry leaders, proven strategies for successful transformation, and purposeful innovation drawn from the global information security market.

It is a recipe that has helped many businesses keep ahead of the curve on information security – and established Information Security Leaders as the pre-eminent information security conference for the past three years.

To secure your place, simply register at



Interview: Stephen Bonner, Barclays

Paul Fisher went to meet the man voted the Most Influential Person in Information Security.

The Managing Director of Information Risk Management (IRM) at Barclays, Stephen Bonner looks sharp. Suited and booted – a man at the top of his game.

He's looking trim too, thanks to a punishing training schedule he is putting himself through in preparation for the 2011 London Marathon. He is running to raise money for NSPCC ChildLine, on behalf of the information security industry's own charitable organisation, White Hat.

It's surprising he finds the time but when you listen to Bonner you quickly realise that he has the ability to make complex multi-tasking – like the small matter of managing risk for one of the world's most powerful banks – seem easy.

He also understands instinctively where technology ends and where risk management and creative thinking take over.

"I'm an advocate of balanced investment across a range of controls. Some security teams have people who come from a particular network security background. Whenever they see a risk they decide to deploy another piece of network technology rather than thinking about maybe better ways to do it."

Photography: Teri Pengilley

"You see a disproportionate investment in network technologies, rather than application security technologies, even though industry-wide lots of the losses are at the application layer. And there is the quite insane decision by the industry not to put money into good user awareness," he says.

User awareness is something that Bonner is passionate about, and his advocacy has seen Barclays innovate security awareness campaigns that have gone on to win industry awards. This is in no small part because Bonner realised that a successful campaign needs creative input – from experts outside of his department.

"It's actually more expensive to produce bad content. You see security teams who do awareness badly by having a go themselves. We wouldn't get someone who had spent years studying psychology and writing media to come and configure one of our firewalls," he says.

Bonner believes that the value is high and the cost of good awareness material is "remarkably low" compared to the cost of some very technical solutions that people deploy. Some might argue, however, that an organisation with the resources of Barclays can and will source and pay for the best external suppliers.

"If you produce low quality content people just walk past it. But I don't think it's the budget that's been different here. I think there's a very strong support for dealing with this issue and a willingness to try new things. We're just not interested in doing things the same as everybody else. We're interested in actually solving the problem," he says.

He points out that the IRM group's "Think Privacy" programme is now available via a consortium for free download on the Information Commissioner's Office website for any organisation to use, so Barclays' investment is now able to help others.

For 2011 Bonner's department has come up with something of a first in information security awareness – a specially commissioned book. Consequences is a collection of anecdotes, short stories and poems from some pretty stellar names, Ricky Gervais among them, all on the theme of minimising risk. The little blue tome will be distributed internally to selected Barclays employees.

"We were able to work through a literary agent who had a series of big names. It became very clear that getting people to engage with the risk messages is hard. I'm passionate about it but generally most people are busy doing their job, they've got their goals, they just want to get that done," he says.

"The challenge is to get people to pay attention to something. And the names on the cover of the book help. I don't think anyone knows all of them but everyone knows one or two. But immediately the cover catches people's attention. And when they hear that we've got some of these names then it's a bit 'my goodness!'" he says.


And thanks to advances in just-in-time printing, Bonner explains that it hasn't cost that much either. Next year there will be podcast versions and an e-book of Consequences. "We've got the rights and we are intending to make it available to some of our suppliers as we did with some of the film and other training stuff," he says.

Bonner is also known to be an advocate of enlightened, forward-thinking recruitment policies when it comes to bolstering the IRM team. It's a broad church – which chimes with Bonner's own personality.

"Teams that have a variety of viewpoints make better decisions. If everybody is from the same background, with the same experiences, they will agree and their level of confidence in that decision will be disproportionately high. They won't listen to anyone who disagrees with them.

"If you get a group of people who have a variety of experiences, both in terms of academic training, in terms of where they've grown up in the world, industries they've worked in, they bring different viewpoints," he says.

"We do select with some bias for bright, driven, vocal people. But beyond that it's the proper reason for diversity in that it's to give us better results. We have a team that works well and people seem to judge us as doing the right thing and doing it well," he says.

Bonner can be outspoken. He is certainly not one to follow the herd, as anyone who has enjoyed any of his numerous public appearances will testify. He didn't get where he is today by signing up to "flavour of the month" or fad technology.

"I've seen this earlier in my career. Back in the day it was PKI, or IDS, or it was DLP. There have been these things that last year no one was running a project on, this year pretty much everyone is running a project on it. In three years' time how many people will be running a project on it?"

He likens it to five-year-olds playing football. No-one's marking anything – they all run after the ball. In the end, as he explains, it must come back to thinking logically, looking at the facts and concentrating on risk management. Typically, he wants to learn from outside his immediate industry.

"As we get more data we get better at making decisions. It's like evidence-based medicine and double-blind studies. You inoculate half of the population and give the other half a placebo and monitor the success rate. There's a lot of complicated work to get good data but once you get it you can tell if something works or not," he says.

"I may be naive or I may be lucky but I'd like to see an industry that can reduce the amount of fear. People will sell fewer magic beans, maybe fewer boxes get shifted but actually in the long term there is a gain for the business to add real value," he says.

That day may still be some way off. In the meantime Bonner is likely to still get a kick from the things that get him out of bed in the morning. Like the challenge of solving hard problems.

"Both the terrifying thing and the brilliant thing about information risk is when you finally get it all working right the other side change tactics and completely invalidate everything you've built. So it's constant change and much more challenging," he says.

"Finding the best people, getting them to work together as a group, and seeing other people's success is brilliant. I love that. Seeing people come up through the ranks of my team and then go on to be heads of other places just feels right. There's a real sense of you're leaving people better than when you found them and that feels good. I think they're the kind of fun bits but I think really what drives me is a sense, as a shareholder, as a customer, an employee of Barclays there's a total duty of care," he says.

It should come as no surprise that Bonner is a keen social networker. He ends our conversation by referring to a meme currently doing the rounds

on Twitter. “It asks what would you

say to your 16 year old self What

message would you send back in time

to change your life I would say don’t

listen to what people in the future

say that you should do!”

“Once I was the sort of ferret, now

I’m a dinosaur. I would encourage

anyone in this industry to do things in

a different way, work out what really

works and do that. Don’t just do what

people tell you to do”. That’s Stephen

Bonner then. Influential in more ways

than one. •

Inform – Issue 4 | 2011 13


Security in an Economic Climate

Few people expect a return to the economic good times in 2011 or even further beyond. The world economy took a major hit in 2008 and, as financial expert Justin Urquhart Stewart says, it’s going to take more than a few years to get back on track.

This means that, just like the rest of us, 2011 is likely to be another uncertain year for the security professional. But unlike the rest of us, the security professional faces some unique challenges in the workplace and beyond.

Many CISOs will have already experienced the pain of the last two years, being expected to do more with less against a background of ever-growing numbers and sophistication of cyber threats – witness the release and impact of Stuxnet in mid-2010.

However, that experience may well have been a useful learning exercise for the future as they seek to map the concept of total security against changing economic patterns. They do at least know what they are up against and may have a much better idea of how to write security policies and strategies from the starting point that maximum value must be gained from any new investment in staff or technology. At the same time they must continue to push security to the heart of any business. The key term for 2011 and beyond, then, is “Security Effectiveness”.

This is an area that the Ponemon Institute has been researching, and in a study and report recently released in partnership with HP Information Security and Check Point (see details at foot of article) it details how CISOs and others can measure their security effectiveness.

One of the key findings from the report was that security professionals did not believe that their budget was “sufficient to curtail or minimise data breach incidents”. The situation is unlikely to change soon, given the continuing uncertainty in the wider economy and the pressure from boards to make savings. This is of course especially true in a public sector about to be hit by the most stringent cuts in a generation.

It appears that many security professionals are still finding it hard to make a business case for their departments and strategies. Worse, many are not even given the opportunity to make a business case for security.

Given the economic background it is therefore imperative that CISOs ensure they get that opportunity and that they know how to talk the language of business and make the case for effective security investment.

A pitfall to avoid is agreement on return on investment (ROI). An agreed ROI is extremely hard to measure in security. The old conundrum for any security professional is that the only real “return” is that breaches, data losses and attacks are either stopped or minimised sufficiently.

In a downturn, a CFO may be tempted to reduce the security budget or demand numerous proofs that money invested has been worthwhile. The CFO sense is often that the same results may be achieved with less


Therefore the CISO needs to be able to argue a bullet-proof case for continued and enhanced investment. Security bosses need to be absolutely sure of their own effectiveness and, further, the efficiency of their own departments. That way CISOs can ensure that they know absolutely what they need when the budgets are written.

To help, as part of its research Ponemon has released the Security Effectiveness Framework Tool. This is a questionnaire tool which analyses the organisation across six major areas: culture, security environment, technologies, control activities, governance and budget.

Such an empirical measure is likely to be highly valuable in a continuing climate of cost savings and efficiencies throughout different sectors. Those working in the public sector may look to this tool with a certain degree of enthusiasm and interest.

However, there are likely to be shifts in overall IT strategies across all sectors. Chief Information Officers (CIOs) will be looking to adopt further mobile working, embrace consumerisation and Bring Your Own Computer (BYOC) policies as well as accelerate cloud and virtualisation deployments. The effective thing for any CISO to do is make sure they are there at the start of these shifts.

Global changes mean that organisations will be working across borders and with new partners, most likely in the Far East. This too will impact on security strategies and

There are undoubtedly economic challenges ahead but if they bring greater discipline and a more scientific approach to security from the CISO community it will benefit them and the businesses they serve to enhance and protect.

The Security Effectiveness Framework Study can be downloaded from:

Drivers to a good Security Effectiveness Rating

1. Appointment of a CISO or organisational leader for information security.
2. Training and awareness programs on data protection and security for end-users.
3. An organisational culture that respects privacy and data protection.
4. Executive-level support for security.
5. Strong endpoint controls.

Source: Security Effectiveness Framework Study, Ponemon Institute


The economic outlook for 2011 and beyond: Justin Urquhart Stewart

Justin Urquhart Stewart is a co-founder of Seven Investment Management, a business which manages around £3 billion on behalf of professional financial wealth managers and intermediaries. He writes regularly for national magazines and newspapers, and is a frequent commentator on television and radio, both in the UK and abroad. Inform got an exclusive insight into his predictions for the economic conditions ahead and the shift in economic power across the globe.

First the good news. He is reasonably confident that the UK won’t fall back into recession, thus avoiding the much talked-about ‘double-dip’ that has been consuming commentators for the past few months.

However, this doesn’t mean that it is full-steam ahead. “The economy is still pretty insipid and is likely to remain so. We haven’t actually had any cuts yet; we are still going to have some serious difficulties ahead when they come,” he says.

He is cautious that a second recession will only be avoided as long as the banks return to sensible lending again and the spending cuts are genuinely spread over four years. That way we may sustain a reasonable level of growth and a return to confidence.

“However, we do face a number of serious headwinds in terms of the level of exports not being particularly strong, lending still weak and consumer confidence remaining weak too. The continuing lack of confidence in the housing sector is a worry,” he says.

“We will probably still get growth but it will be very weak for some time to come. We won’t see any shrinkage unless the government was stupid enough to carry out the cuts wholesale. Some 39 per cent of the working population is related to state employment. State and private employment are intrinsically linked – both cubs sucking off the same she-wolf,” he says.

Those expecting a quick return to the good times are going to be disappointed. We are likely to be in the doldrums for some time yet. As Urquhart Stewart explains, the Western economies spent 15 years building the boom. It will take time to restructure the debt – not just government debt but also the billions tied up in personal debt.

“The UK economy needs to become less consumer-dependent and move towards a manufacturing base. We are a nation of small businesses. This year will see 400,000 new businesses being set up – not all will survive. Even fewer will survive if we don’t have a functioning banking sector,” he says.

Urquhart Stewart sees continuing difficulties in the retail and housing sectors and for anyone involved with the public sector. However, those trading with the Far East are likely to be in a stronger position as the oriental consumer continues to grow in importance and buying power.

“We will see a two-speed global economy. Western nations, with the exception of Germany, will remain slow while the Eastern nations, with the exception of Japan, will be fast. The Eastern nations, SE Asia and the emerging economies will grow. But they may feel the pain of a backlash from the United States with increasingly protectionist noises coming from there. We need to avoid protectionism because that way leads to a 1930s-style depression,” he says.

Urquhart Stewart believes that it is unlikely that protectionism will rear its ugly head. More likely the US will continue with a policy of quantitative easing which in effect is a devaluation of the dollar, which could lead to some problems as it reduces the value of US bonds – mostly bought by the Chinese.

There is one thing of which Urquhart Stewart is absolutely convinced and that is the irreversible shift in global economic power that started even before the global slowdown. This will affect all our businesses and trading

“Politically and economically the power has shifted to the East. The world will look very different in 20 years’ time,” he says.


Enterprises around the world are relying on virtualisation to increase datacenter efficiency and, unknowingly, leaving themselves more vulnerable. That’s because conventional security isn’t able to protect virtual machines or see the traffic between them — leaving data and networks exposed. Which is why, according to Gartner, Inc., in 2009 sixty percent of virtual machines were less secure than their physical counterparts. But with Trend Micro Enterprise Security, powered by the Trend Micro Smart Protection Network infrastructure, you can mitigate the risk and maximize the benefits of virtualisation. It’s a different kind of security that protects your physical and virtualised environments and helps set the foundation for your company to move confidently into the cloud.

Learn how to protect your virtualised datacenter. Download the Trend Micro eBook at www.trendmicro.co.uk/server-security

Calling all Websense Web Filter Customers

We have an incredible offer for you. Get a Free Subscription Upgrade to Websense® Web Security*

That’s right, Websense would like to offer you a free subscription upgrade to Websense Web Security to protect your employees from spyware, bot nets, keyloggers and more. All you have to do is renew your subscription using the Websense V5000 appliance, and your license upgrade is on us.

When you upgrade, you get:

• Malware security categories that protect your organisation from malicious code, spyware, phishing sites, and more, with real-time security updates.
• Performance at a value with the Websense V5000 appliance platform to support Websense Web security.
• Investment protection with free hardware warranty and the ability to run Websense Web Security Gateway on your V5000 appliance for security in the social Web.

For more information about Websense Web Security, go to

* Terms and Conditions: Free upgrade offer is available only to current Websense Web Filter customers, and applies only to upgrade to Websense Web Security for a subscription renewal period of equal to or greater than the duration of the existing subscription agreement. The free subscription upgrade requires the purchase of a minimum of one (1) Websense V5000 appliance, as well as Premium Support for the duration of the subscription agreement. Offer cannot be combined with any other offers or promotions with the exception of the “3 years for the price of 2” promotion. Offer may not be available in all states or regions. Some additional terms and conditions may apply subject to federal guidelines. Offer does not have any cash value and promotion may be cancelled at any time by Websense. Shipping charges, tax and support costs are the responsibility of the buyer.

Lessons from the CISO Club

HP Information Security’s CISO Club events bring together some of the UK’s most influential CISOs, who manage risk and security at FTSE 100 companies. Each event allows them to brainstorm the future of business security and how it impacts on future procurement.

At the most recent meeting they discussed corporate social media, consumerisation of IT and identity management. We present some of the findings.

The attendees of the CISO Club were keen to discuss three top-line trends that they felt were now seriously impacting their enterprises. Three big issues, each one developing its own set of challenges and search for solutions.

The first of these was the seemingly unstoppable spread of social media into the workplace and beyond. Social media is here to stay and it is being used by employees for personal use and by companies themselves keen to exploit the marketing and PR opportunities that applications such as Facebook and Twitter offer.

What CISOs need to grasp is that while today Facebook and Twitter dominate, tomorrow it may well be another tool with as yet unknown functionality as well, of course, as opportunities. That is the key point. Forward-thinking CISOs will understand that social media and other web 2.0 applications must be integrated securely so that their power can then deliver the business the benefits that they hold.

Social media can be managed, even encouraged and exploited as a positive force for the business. We are only just scratching the surface of the power of social media. Already, applications can include intra-enterprise communication and sharing all the way to interactive customer-facing tools.

It’s not just about technology and applications. It’s also about people. CISOs must accept the reality of social media and the integration of “generation Y” into the enterprise. They must be prepared also for the next wave of social media tools.

As a start, CISOs can take the lead in encouraging people to communicate via social media as long as clear rules are incorporated into social media policies. These policies are likely to be fluid but most crucially employees must be aware of the social implications of social networking. Beginning with that message is a great start to enlightened and secure use of social media.


Bring Your Own Desktop

We are entering a new era in IT with innovation and demand being driven by the consumer rather than the enterprise. Companies like Apple that were once considered peripheral to the business market are now integral thanks to the widespread adoption of devices such as the iPhone and iPad and those devices which have imitated Apple’s products. Employees at every level are now attracted to buying and using mobiles and laptops of their own choosing in the workplace – often in addition to the company-issued device.

This has its advantages for the enterprise but, as usual, brings challenges for the CISO. Some companies have started to adopt the concept of Bring Your Own Desktop (BYOD) as a way to deal with the ongoing consumerisation of IT.

The advantages are clear: reduced purchasing and support costs – employees effectively provide their own support – and happier employees. The dangers are increased exposure to data leakage threats and the blurring of personal and business activities on a number of other devices: personal smart phone, home PC, iPad, other people’s devices. Quite often the same “consumer” device is used for work and pleasure.

This is the real challenge for the CISO and, by extension, the CIO. They must not let themselves be blinded by simple cost savings. Consumerisation needs careful management – off-shoring procurement and support costs to the employee is fine as long as the enterprise retains control of secure working on consumer devices. This will undoubtedly entail technical solutions such as sandboxing and data encryption. Consumerisation is the biggest practical management issue that CISOs will face in the next decade.

Identity management challenges

The third main topic of discussion centred on identity management, which the group decided was still central to effective enterprise security. If you can verify that a person is who they say they are, you can grant access. True enough, but CISO leaders are starting to think beyond identity management and into identity protection in order to evolve advanced identity management policies.

This is a new challenge to CISOs and brings with it some ethical and HR-related issues. Just as the enterprise needs to monitor access, does it also have a duty to protect employee identity from online predators?

In an increasingly blurred home/work environment, employees are opening and closing online identities throughout multiple environments. The challenge for CISOs, then, is to determine where enterprise duty of care begins and where it ends.

Lessons from the CISO Club

1. Develop social media policies that reflect the values and purpose of your enterprise.
2. Listen to and learn from your enterprise social community.
3. Don’t try and control the method of communication.
4. Educate employees on the social implications of social networking.
5. Start developing your strategy for IT consumerisation today – it will come to your enterprise sooner than you think.
6. Be careful that the cost savings of BYOD are not outweighed by data loss costs.
7. Determine where your responsibility for employee identity lies.
8. This is the third age of computing; the CISO role is about to change fundamentally.

Put your office

Check Point

• Instantly turns any PC into your own corporate desktop
• Provides virtual workspace that keeps mobile data secure
• Delivers ideal solutions for mobile workers, contractors and disaster recovery

Secured connection. Portable, plug-and-play.

Quick Fire: Larry Ponemon Q&A

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a leading research think tank dedicated to advancing privacy and data protection practices. He consults with leading multinational organizations on global privacy management programs and has extensive knowledge of regulatory frameworks for managing privacy and data security. He also contributes to Computerworld, CSO Magazine and other leading publications.

In your long career researching security, what event or technology has had the greatest impact?

This is a complex question because enabling technologies can have a positive and negative impact. In terms of making the world a safer place, I choose encryption, access governance and SIEM technologies. In terms of creating insecurity for people and companies, I see portable data-bearing devices such as USB memory sticks, smart phones and laptop computers as the main culprits.

Do you think that the business world now “gets” the importance of information security to its survival?

I think that business leaders have come a long way over the past decade in terms of their general understanding and appreciation of information security within their enterprise. Recent Ponemon Institute research shows that CEOs do believe information security and data protection initiatives are important to maintaining a company’s reputation and brand. However, many C-level executives are still out of touch with the realities of information security in terms of economic impact and the resources necessary to accomplish its mission. They often are unaware of how vulnerable their organisations are to attacks against their networks.

Are we entering a new age of security enlightenment or a dark age of cyber warfare?

This is difficult to determine. On the one hand, most security technologies are becoming more effective, efficient and easier to deploy. On the other hand, the bad guys (a.k.a. cyber criminals) are harder to stop because of sophisticated attack vectors and greater stealth. While I tend to be optimistic about the future, I do foresee the possibility of catastrophic cyber attacks against local, national and global critical infrastructure in the next few years.

Have we “lost” the battle against malware and does it matter?

There is no doubt that the malware problem is getting worse. Our research shows that, on average, about five percent of all enterprise IT endpoints are infected with malware. To make matters worse, a sizeable percentage of these infections infiltrate corporate networks and enterprise systems. Until recently, malware was just an annoyance (not super critical to a company’s security posture). However, this has changed with the advent of data-stealing malware and relational botnets.

You helped develop the Security Effectiveness Framework; how important is effectiveness to business security?

Security effectiveness is very important to business continuity and success. Clearly, security inefficiencies result in downtime and non-compliance with regulations, open the door to cyber attack, cause data leakage and a whole bunch of other serious organisational maladies.

You’re not an advocate of ROI in security – why is that?

I believe return on investment is a poor metric for judging enabling security technologies. The ROI model assumes that a given investment maintains a predictable or constant stream of value over time. Unlike general IT, the IT security ecosystem changes very quickly in response to changing threats, vulnerabilities and attacks. A constantly changing attack profile means the organization’s security arsenal will not maintain a predictable or constant level of value over time.

You’re an ex-Navy man – are there any lessons you learned in the Navy that you have applied to your academic work?

Discipline, patience, duty and humor. Beyond sea sickness, the Navy was a very positive experience for me, especially with respect to developing core research skills such as intelligence gathering, analysis and reporting.

When not researching security, what do you do to relax?

I enjoy life with my family, including three lovely dogs. As an instrument-rated pilot, I enjoy flying my small airplane (Mooney Acclaim) throughout the United States and Canada. I’m also an avid guitar collector and player. I enjoy my electric guitars most of all – including a 1972 custom Fender telecaster.

What has been your proudest achievement?

My proudest achievement was seeing my two sons graduate from university. The second proudest achievement was successfully defending my Ph.D. dissertation. My third proudest achievement was passing my pilot exam. A fourth proudest achievement was getting a personal “thank you” note from the President of the United States. •
