from HP Information Security
Issue 4 2011
Inform meets Stephen Bonner,
Barclays Risk Management guru.
He's also the Most Influential Person
in Information Security; we find out
what makes him tick.
The top seven
trends that are
set to transform
information security in 2011 –
the CISO Club
A report from the
findings of the
influential CISO Club on
social networking, consumerisation
A look at the
ahead and how they
will affect the decisions that CISOs
Check Point SmartEvent Software Blade
Turns Security Information
The SmartEvent Software Blade from Check Point is the first and only unified
event analysis and management solution that delivers real-time, actionable threat
©2003-2010 Check Point Software Technologies Ltd. All rights reserved.
Check Point, the Check Point logo and SmartEvent are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
In this edition
products and updates from
leading security vendors.
Bob Dylan once sang “The Times They Are A-Changing”,
an acerbic and prophetic take on the social and cultural
upheavals about to engulf the 1960s, a decade that can
be described as truly transformational.
6 The Security Year
A look back at some of the
highs and lows of the year in
security, plus what happened
elsewhere in the world.
8 7 Trends for 2011
The top seven trends that are
set to transform information
security in 2011 – and beyond.
11 Interview: Stephen
Inform gets an audience with
the man voted the Most
Influential Person in
14 An Economic
A look at the economic
conditions ahead and how
they will affect the decisions
that CISOs must make.
19 The CISO Club
A report from the findings
of the influential CISO
Club on social networking,
consumerisation and more.
22 Q&A: Larry
The founder of the Ponemon
Institute shares his views on
security effectiveness, ROI
and the lessons he’s learned.
Fifty years on I believe we are on the
cusp of a transformation in our industry.
We have already seen huge changes
in technology and the social impact of
those. Information security has gradually
risen up the food chain to become a
board level concern. Threats to business
continuity have reached unprecedented
levels of sophistication – the presence of
politically and even militarily motivated
attacks is very real. At the same time,
financial attacks are now the domain of
ruthless international criminal gangs.
Change and transformation are the twin
themes that run through this issue of
Inform. If the security community is to
manage this change, industry leaders need
to provide best-in-class service levels.
Which is why I am delighted to introduce
HP Information Security to you. We’ve
fused the capability of the information
security specialist, Vistorm, with the
scale, dedicated R&D and innovation of
HP to create a dynamic new entity called
HP Information Security.
As CEO I am committed to our goal of
transforming security. We have the
finest security expertise and partners;
now backed up with the resources of the
world’s largest technology company. To
put that in perspective here’s just one
statistic: HP serves more than one billion
customers in more than 170 countries on
six continents. That’s some clout.
So what’s hot in this issue? We look at
some of the key trends that CISOs and
their teams will need to be on top of in
2011 and beyond (page 8). Our interview
(page 11) features Stephen Bonner,
Managing Director, Barclays Information
Risk Management. It’s a great read and
shows why he was recently voted the
'Most Influential Man in Information
Security' by SC Magazine.
There’s a report on how the economic
conditions will impact security strategies
in 2011 with expert comment from
financial guru Justin Urquhart Stewart.
You can tap into the findings of our
exclusive CISO Club (page 19) which
brings together some of the best minds in
information security. Of course we will be
running more CISO Clubs in the year ahead.
Next year will also see the return of
our highly successful and influential
Information Security Leaders events,
set to focus on the theme of security
transformation and change. I look
forward to welcoming you there.
The times they are a-changing for sure;
for us and our customers. But I am
excited by the challenges ahead and the
solutions that HP Information Security
CEO, HP Information Security
Issue 4 | 2011
Published by HP Information Security
For enquiries about Inform, please contact
Produced by °Crisp Design
Cover photography: Teri Pengilley
The third party views expressed in this magazine are
those of the contributors, for which HP Information
Security accepts no responsibility. Readers should
take appropriate professional advice before acting
on any issue raised. Reproduction in whole or in
part without permission is strictly prohibited.
© 2010, Hewlett-Packard Development Company, L.P.
All Rights Reserved.
When you have finished
with this magazine
please recycle it.
Check Point wins best IPS and UTM
solutions in Information Security
Readers' Choice awards
Check Point scored a double success in the 2010
Information Security awards, winning the Readers' Choice
Award gold medal for Best Intrusion Prevention
solution and Best Unified Threat Management solution.
The awards are selected by the readers and editors of
Information Security and SearchSecurity.com.
Check Point was also recognized for its leadership in
Network Access Control (NAC) and Secure Remote
Access, with Check Point Endpoint Security and
Connectra winning silver and bronze in their respective
"These awards clearly validate our products' strength,
performance and Check Point's pure focus on security.
Every vote is clear testament to our continued
commitment to security innovation," said Juliette Sultan,
head of global marketing at Check Point.
For further information visit: www.checkpoint.com
McAfee moves to speed delivery of
security solutions into virtualised
McAfee has announced its Management for Optimised
Virtual Environments (MOVE) platform, which it says
will speed the delivery of security and management
solutions into virtualised environments.
The anti-virus capable solution is claimed to be the
first to be delivered within a virtualised infrastructure
avoiding the problems of running a traditional anti-virus
in virtual machines.
“If you have anti-virus running on ten virtual machines
and they all attempt to scan at once you get AV
storming. It kills your CPU,” said Brian Foster, product
manager at McAfee.
The new platform consists of a set of APIs that sit on top
of a hypervisor, or virtual machine monitor, to optimise
security functions while minimising performance
overheads. This enables the system to offload the
scanning requirement to a guest virtual machine
operating on the same platform, meaning that the scan
only needs to run once.
For further information visit: www.mcafee.com
RSA unveils new solution to deliver end-to-end data security
RSA, the security division of EMC, has announced its
new Data Protection Manager, a product designed to
give customers data protection capabilities built in to
According to RSA the product combines tokenisation and
application encryption, two popular application-based
controls, with advanced token and key management to
deliver end-to-end data security.
The company believes that by protecting data at the
source, within the application that's creating or using
it, the new product will help ensure seamless data
protection throughout the information lifecycle.
"The majority of on-line data breaches happen within the
server or application, so mitigating this risk is critical for
overall data protection," said Jon Oltsik, principal analyst,
Enterprise Strategy Group at RSA.
"Application-based data security provides a high-level
of protection because data is protected at the point
of capture and then remains protected throughout its
lifecycle. Application-based encryption and tokenisation
can be quite effective for this type of data security."
For further information visit: www.rsa.com
Check Point extends its secure blade technology
to mobile workforce
Check Point has released its new Mobile Access Software, said to deliver
fast and secure access to corporate applications from mobile devices.
The new blade integrates advanced SSL VPN capabilities and encryption
technology to protect against security threats as users remotely connect
to the corporate network. Users can download the Check Point Mobile
application for secure, one-touch access directly from mobile devices
running on Apple, Android, Symbian and Windows PC platforms.
"With more users connecting remotely than ever before, mobile computing
presents an ongoing security challenge for organizations that want to
protect company data and resources, while providing employees with
access to the network anytime, anywhere," said Dorit Dor, vice president
of products at Check Point Software Technologies. "Our approach is to
simplify mobile security for businesses and their employees. Users can go
to the Apple app store and download the free application, enter their login
and password, and instantly gain secure access to their corporate data."
With certificate-based authentication and smart user-device pairing,
Check Point says that businesses can ensure each individual has access to
their authorized applications, just as they would from their desktop.
For further information visit: www.checkpoint.com
Websense Security Labs report proves growing
sophistication of cyber criminals
The 2010 Websense Threat Report shows that cybercriminals are
increasingly sophisticated, deploying targeted attacks. The report
suggests that blended attacks are exploiting security gaps left open by
legacy technologies like firewalls and AV tools.
"The continued rise of organized cyber criminal gangs and the emergence
of targeted advanced malware threats are the most concerning trend
we've seen,” said Dan Hubbard, chief technology officer at Websense.
"Security needs to move ahead of the attackers and focus on contextual
classification. Simple binary access controls and castle and moat security
will not solve the complex attacks we see today."
According to the report, in 2010 cyber criminals adapted their strategies
to address social websites and sites with user-generated content. Many
attacks use new tricks and methods of delivery.
Trends predicted for 2011 include blended threats and data loss over the
dynamic Web and the potential for targeted cyber terrorism attacks.
For further information visit: www.websense.com/2010threatreport
Trend Micro wins
of the Year at the
Trend Micro has won its fourth
industry award in the UK in under
a year, at the Computing Security
Awards 2010. The Computing
Security Awards 2010 reward
achievement in technology
and Trend Micro’s Interscan
Messaging Security Virtual
Appliance won the Messaging
Solution of the Year category.
“To be honoured with an
award is to celebrate the
hard work and effort that
goes into developing and
supporting a product.
The victory is even more
significant when it is
our customers whose
satisfaction with Interscan
Messaging Security Virtual
Appliance has compelled
them to vote for it over
said Tony Larks, Marketing
Director, EMEA at Trend Micro.
Interscan Messaging Security
Virtual Appliance has been
developed to stop new and
evolving threats before they can
enter a network, by utilising Trend
Micro’s cloud-based web and
email reputation technologies.
It also blocks unwanted mail
and blended threats with multi-layered
anti-spam and award-winning
For further information visit:
As we look forward to
the New Year we take a
look back at some of the
headlines from another
eventful year in security.
The year kicked off with the news
the Gmail accounts of human rights
activists had been hacked in China
– thought by some to be the work
of the Chinese government. The
incident demonstrated that even
the biggest Internet companies
were vulnerable to hacks. Google
beefed up its security accordingly.
On a happier note the security
industry’s annual White Hat Ball not
only attracted more attendees than
ever before, it also raised £100,000
for the organisation’s chosen charity,
NSPCC Child Line. Well done.
February saw around 7,000 members
of the Association of Teachers
and Lecturers (ATL) affected by a
data breach following the loss of a
laptop and USB stick stolen from
the roadside while an ATL member
packed a car. Unfortunately, as is
all too typical, neither laptop nor USB
stick was encrypted. Oops.
Moving into April and the biggest news
in IT was the launch of Apple’s iPad. Not
since the iPhone's appearance in 2007
had one piece of technology garnered
so much fevered press coverage. Apple
claimed it sold more than 300,000 iPads
on launch day. Stories of jailbroken iPads
swiftly followed but to date Apple’s
tablet has proved resilient to malware.
In May, MessageLabs (now
Symantec Hosted Services)
reported that nine out of ten
spam emails contained a
URL link in the message and,
perhaps more worrying, five
per cent of all domains found
in spam URLs belonged to
genuine websites, including
those of the major social
networking sites. Further
evidence that proved that the
web was now the dominant
Twitter meanwhile went from strength
to strength with everyone in the known
world seemingly updating the world
on the minutiae of their lives. But the
site itself was starting to creak under
all the success and June saw a number
of outages and service disruptions,
mostly due to the World Cup. Worse
was to come in September when a
number of celebrities' Twitter sites were
hijacked. These were mostly pranks
but sadly it won’t be the last time
that Twitter users will be targeted.
The unusually named Hell Pizza chain
in New Zealand suffered one of the
year’s worst data breaches with the
passwords, emails, home addresses
and phone numbers of around 230,000
customers stolen from its database.
Some Kiwi celebrities were affected
by the breach in July but, according
to the New Zealand Herald, at
least one maintained a sense of
humour over the incident.
It's been another eventful year on the world stage...
January: Gordon Brown faces
another attempted coup to oust him.
This time the instigators are Geoff
Hoon and Patricia Hewitt. It fails.
February: A special EU Summit
takes place to try and solve the
worsening economic crisis in Greece
March: North Korea sinks South
Korean ship The Cheonan, leading
to rising tensions in the region.
launches the iPad
to an expectant
world. Cynics are
3 million sales in
the first 80 days
UK General Election ends in a hung
parliament. A coalition government
led by David Cameron is formed
June: The new
delivers his first budget
speech. It’s the first
sign of the austerity
July: Andrés Iniesta
scores the only goal in
the World Cup final to
deliver the trophy to
Spain for the first time
2010 in review
"My Twitter has been hacked, my
Facebook has been hacked and I'm
pretty sure half of New Zealand has
my phone number already. I have
nothing bad to say about Hell,” said
local comedian Dai Henwood.
August brought the biggest and
most surprising industry news of the
year as Intel acquired McAfee for a
whopping $7.7bn. Some analysts were
mystified at the purchase but others
saw it as a “smart strategic move”
and one that could potentially embed
security controls at the heart of a
new generation of Intel processors.
The acquisition followed the trend
for the big IT corporations to acquire
and integrate security expertise.
The other big talking point at the
end of the summer was the growing
impact of the Stuxnet worm, which
was spreading further into the
wild. The controversy over Stuxnet
wasn’t just its sophistication and
highly targeted nature but who
actually created it in the first place
and why. One theory was it was
deliberately used to damage Iran’s
nuclear programme but to date this
has not been proven. Whatever its
origins, its creators were remiss in
not designing in a self-destruct. It
ended up damaging power supplies
in India and remains loose.
Then there was Firesheep. This
small extension to Firefox was
created and distributed by a
developer with the sole intention
of exposing a security flaw in the
browser. According to Firesheep’s
creator Eric Butler, it could enable
HTTP session hijacking – where
an attacker steals a user's cookie,
allowing them to do anything the
user can do on a particular website.
The little extension generated a huge
controversy and was downloaded
by security geeks the world over.
In November we had an
example of careless use of
the company email.
According to a report in the
Daily Telegraph a banker at
UBS allegedly cost the Swiss
Bank millions in potential fees
after he sent an email to 100
people containing details of
General Motors upcoming
flotation, designed to help the
troubled car company raise
cash. The rogue email
resulted in UBS being
summarily dropped as the
underwriter on the deal.
As Inform went to press, December
had not yet happened, but you
can be sure it brought its fair share
of scams, data embarrassments
and threats. Happy New Year!
August: The Food
that milk from the
of cloned cows is being
sold illegally in the UK
and elsewhere in Europe
September: BP finally seals the
leaking deepwater oil well that has
devastated the Gulf of Mexico
October: Wayne Rooney stuns
Manchester United saying he is
leaving, then changes his mind after
securing £160,000 a week deal
November: Prince William and
Kate Middleton cheer up the country by
announcing their engagement
December: After months
of planning, Vistorm officially
becomes HP Information Security,
ready to meet the security
challenges of 2011 and beyond •
The year ahead will bring new challenges to the information
security community. We take a look at seven key trends
and technologies that 2011 will bring into sharp focus.
Organisations will find themselves
operating in increasingly
interconnected and regulated
environments.
While the business benefits of closer
integration with partners, suppliers
and customers are indisputable,
there is an increased risk to data
and information sitting in the cloud
or beyond controlled enterprise
environments. New regulatory
powers will also bring compliance
and governance pressures to
bear on the CISO work load.
This means that organisations will
need to ensure that they have
enhanced information assurance
policies to satisfy regulators,
partners and most importantly,
customers. Those organisations
who fail to effectively manage risk
are potentially exposed to events
which can seriously damage financial
performance and reputation.
Security Information & Event Management
More organisations will be
investing in rapidly emerging
Security Information and Event
Management (SIEM) technologies.
These are seen by analysts as a
cost-effective and efficient way
of managing constantly evolving
threat landscapes and risks to the
enterprise from employee error.
The new breed of sophisticated
SIEM tools will be able to provide
an effective security posture
awareness, faster incident response,
in addition to meeting stringent
compliance reporting requirements.
The leading SIEM systems deploy and
use advanced software-based tools.
SIEM integrates security and
compliance with operational activities
and the best will enable enterprises
to achieve more comprehensive
security and compliance control
monitoring and reporting as well as
lower security operations costs.
As security becomes more
complicated to manage and stresses
increase, those businesses with
fewer resources will increasingly
turn towards Managed Security
Services (MSS) to partly or totally
outsource their security function.
The threats and compliance
pressures are no less for smaller
businesses but by turning to
dedicated MSS suppliers they
will access dedicated and full-time
With the assurance of service
performance provided by Service
Level Agreements (SLAs),
companies can expect real-time
results by engaging MSS at a
lower cost of ownership than
managing security in-house.
At a time of continuing economic
uncertainty and budget cuts, the
MSS market is likely to become
highly competitive; customers will
demand the best and choose those
MSS providers that have top-line
resources and expertise drawn
from years of security experience.
7 Trends for 2011
Risk management will become more
than a buzzword and establish itself
as an embedded component of the
security professional's armoury
as business change accelerates,
employment patterns oscillate
due to economic pressures and
enterprise technology shifts. The
ability to assess and manage the risk
to information and data assets does
demand an advanced set of skills and
experiences – mostly from outside
the traditional IT security sphere.
Larger enterprises are likely to
invest in risk management skills
and resources to keep on top while
smaller companies will look to
specialist consultancies to quantify
risk and define appropriate controls
– especially in relation to governance
and compliance requirements.
Related in part to risk management,
Situational Awareness is a set of
soft skills likely to emerge in 2011.
In a nutshell it involves being aware
of what is happening throughout the
business environment and the impact
any incident or activity may have.
Situational awareness enables
organisations to build a complete
picture of infrastructure activity
and help to reduce threat
profiles. A full understanding of
the operational picture and the
associated management functions,
particularly assists organisations
in achieving compliance with
applicable laws and regulations.
Governance, Risk & Compliance
In a way, Governance Risk and
Compliance systems are an amalgam of
many of the previous trends listed on
these pages. Driven by the complexity
of national and international laws
in relation to data assurance and
privacy, organisations will look to
combine both the technologies
and skills needed to manage
governance, risk and compliance.
This will be driven by the supplier and
vendor community looking to offer
end-to-end and bespoke solutions to
the enterprise. Enterprises for their
part will look to those suppliers who
can integrate disparate standards into
single view matrices combining ISO
27001, PCI, SOX and FSA standards as
well as stringent legal requirements.
Not a technology or an emerging skill of
course. Instead, greater expectations
are precisely what the security
professional will have of their service
providers and technology suppliers.
So complex is the threat landscape,
so disruptive the changes in IT
stepped outsourcing etc) that to
keep up, the security professional will
deal only with those organisations
and suppliers that can meet
those complexities. Those that
cannot may not survive.
Those expectations will increasingly
include the complete control and
management of risk, clear reporting
procedures and communications,
forensic analysis and genuine 24/7
support. Security professionals will
demand full visibility of timescales,
risks, cost and performance.
In short, they will want world-class
Is your information
security designed for the
relentless challenges that
are thrown at it? How will
it meet the demands of
and massive technological
change? Or the almost
daily new security threats?
More of the same is no longer an option.
It is time for a total transformation
of information security. And it is why
Information Security Leaders 2011
is devoted to enabling CISOs, CIOs,
IT and Security Managers to achieve
substantial change. There will be
insights from industry leaders, proven
strategies for successful transformation,
and purposeful innovation drawn from
the global information security market.
It is a recipe that has helped many
businesses keep ahead of the curve
on information security – and established
Information Security Leaders as the
pre-eminent information security
conference for the past three years.
To secure your place,
simply register at
IN PARTNERSHIP WITH
Paul Fisher interviews Managing Director of Information Risk Management (IRM) at Barclays
Paul Fisher went to meet the man voted the
Most Influential Person in
The Managing Director of Information
Risk Management (IRM) at Barclays,
Stephen Bonner looks sharp. Suited and
booted – a man at the top of his game.
He’s looking trim too, thanks to a punishing training
schedule he is putting himself through in preparation for
the 2011 London Marathon. He is running to raise money
for NSPCC Childline, on behalf of the information security
industry’s own charitable organisation White Hat.
It’s surprising he finds the time but when you listen to
Bonner you quickly realise that he has the ability to
make complex multi-tasking – like the small matter
of managing risk for one of the world’s most powerful
banks – seem easy.
He also understands instinctively where
technology ends and where risk management and
creative thinking take over.
“I’m an advocate of balanced investment across a range
of controls. Some security teams have people who
come from a particular network security background.
Whenever they see a risk they decide to deploy another
piece of network technology rather than thinking about
maybe better ways to do it.”
Photography: Teri Pengilley
“You see a disproportionate
investment in network
than application security
technologies, even though
industry-wide lots of the
losses are at the application
layer. And there is the quite
insane decision by the
industry not to put money into
good user awareness,” he says.
User awareness is something that
Bonner is passionate about and his
advocacy has seen Barclays innovate
security awareness campaigns that
have gone on to win industry awards.
In no small part because Bonner
realised that a successful campaign
needs creative input – from experts
outside of his department.
“It’s actually more expensive to
produce bad content. You see
security teams who do awareness
badly by having a go themselves.
We wouldn’t get someone who had
spent years studying psychology
and writing media to come and
configure one of our firewalls.”
Bonner believes that value is high
and the cost of good awareness
material is “remarkably low”
compared to the cost of some
very technical solutions that
people deploy. Some might argue
however that an organisation
with the resources of Barclays
can and will source and pay for
the best external suppliers.
“If you produce low quality content
people just walk past it. But I don’t
think it’s the budget that’s been
different here. I think there’s a very
strong support for dealing with this
issue and a willingness to try new
things. We’re just not interested in
doing things the same as everybody
else. We’re interested in actually
solving the problem,” he says.
He points out that the IRM group’s
“Think Privacy” programme is
now available via a consortium
for free download on the
Information Commissioner’s Office
website for any organisation
to use, so Barclays’ investment
is now able to help others.
For 2011 Bonner’s department has
come up with something of a first
in information security awareness
– a specially commissioned book.
Consequences is a collection
of anecdotes, short stories and
poems from some pretty stellar
names, Ricky Gervais among them,
all on the theme of minimising
risk. The little blue tome will
be distributed internally to
selected Barclays employees.
“We were able to work
through a literary agent who
had a series of big names.
It became very clear that
getting people to engage with
the risk messages is hard.
I’m passionate about it but
generally most people are
busy doing their job, they’ve
got their goals, they just want
to get that done,” he says.
“The challenge is to get people to pay
attention to something. And the
names on the cover of the book help.
I don’t think anyone knows all of them
but everyone knows one or two.
But immediately the cover catches
people’s attention. And when they
hear that we’ve got some of these
names then it's a bit ‘my goodness!’”
And thanks to advances in just-in-time
printing, Bonner explains that
it hasn’t cost that much either. Next
year there will be podcast versions
and an e-book of Consequences.
“We’ve got the rights and we are
intending to make it available to some
of our suppliers as we did with some
of the film and other training stuff.”
Bonner is also known to be an
advocate of enlightened, forward
thinking recruitment policies when it
comes to bolstering the IRM team. It’s
a broad church – which chimes with
Bonner’s own personality.
“Teams that have a variety
of viewpoints make better
decisions. If everybody is from
the same background, with
the same experiences – they
will agree and their level of
confidence in that decision will
be disproportionately high.
They won’t listen to anyone
who disagrees with them.
“If you get a group of people who
have a variety of experiences, both
in terms of academic training, in
terms of where they’ve grown up in
the world, industries they’ve worked
in, they bring different viewpoints.”
“We do select with some bias for
bright, driven, vocal people. But
beyond that it’s the proper reason for
diversity in that it’s to give us better
results. We have a team that works
well and people seem to judge us
as doing the right thing and doing it
well,” he says.
Bonner can be outspoken. He is
certainly not one to follow the herd
as anyone who has enjoyed any of
his numerous public appearances
will testify. He didn’t get where he is
today by signing up to “flavour of the
month” or fad technology.
“I’ve seen this earlier in my career.
Back in the day it was PKI, or IDS, or
it was DLP. There have been these
things that last year no one was
running a project on, this year pretty
much everyone is running a project
on it. In three years’ time how many
people will be running a project on it?”
He likens it to five-year olds
playing football. No-one’s marking
anything – they all run after the
ball. In the end, as he explains,
it must come back to thinking
logically, looking at the facts and
concentrating on risk management.
Typically, he wants to learn from
outside his immediate industry.
“As we get more data we get better
about making decisions. It’s like
evidence-based medicine and double-blind
studies. You inoculate half of
the population and give the other half
a placebo and monitor the success
rate. There’s a lot of complicated
work to get good data but once you
get it you can tell if something works
or not,” he says.
“I may be naive or I may be
lucky but I’d like to see an
industry that can reduce the
amount of fear. People will
sell less magic beans, maybe
fewer boxes get shifted but
actually in the long term there
is a gain for the business to
add real value,” he says.
That day may still be some way off.
In the meantime Bonner is likely to
still get a kick from the things that
get him out of bed in the morning.
Like the challenge of solving
“Both the terrifying thing and brilliant
thing about information risk is when
you finally get it all working right
the other side change tactics and
completely invalidate everything
you’ve built. So it’s constant change
and much more challenging,” he says.
“Finding the best people,
getting them to work together
as a group, and seeing other
people’s success is brilliant. I
love that. Seeing people come
up through the ranks of my team
and then go on to be heads of
other places just feels right.
There’s a real sense of you’re
leaving people better than
when you found them and that
feels good. I think they’re the
kind of fun bits but I think really
what drives me is a sense, as a
shareholder, as a customer, an
employee of Barclays there’s a
total duty of care,” he says.
It should come as no surprise that
Bonner is a keen social networker. He
ends our conversation by referring to
a meme currently doing the rounds
on Twitter. “It asks what would you
say to your 16 year old self What
message would you send back in time
to change your life I would say don’t
listen to what people in the future
say that you should do!”
“Once I was the sort of ferret, now
I’m a dinosaur. I would encourage
anyone in this industry to do things in
a different way, work out what really
works and do that. Don’t just do what
people tell you to do”. That’s Stephen
Bonner then. Influential in more ways
than one. •
Inform – Issue 4 | 2011 13

The Economic Climate

Few people expect a return to the economic good times in 2011 or even further beyond. The world economy took a major hit in 2008 and, as financial expert Justin Urquhart Stewart says, it’s going to take more than a few years to get back on track.
This means that, just like the rest of us, 2011 is likely to be another uncertain year for the security professional. But unlike the rest of us, the security professional faces some unique challenges in the workplace.

Many CISOs will have already experienced the pain of the last two years, being expected to do more with less against a background of ever-growing numbers and sophistication of cyber threats – witness the release and impact of Stuxnet in mid-2010.

However, that experience may well have been a useful learning exercise for the future as they seek to map the concept of total security against changing economic patterns. They do at least know what they are up against and may have a much better idea of how to write security policies and strategies from the starting point that maximum value must be gained from any new investment in staff or technology. At the same time they must continue to push security to the heart of any business. The key term for 2011 and beyond then is
This is an area that the Ponemon Institute has been researching, and in a study and report recently released in partnership with HP Information Security and Check Point (see details at foot of article) it details how CISOs and others can measure their

One of the key findings from the report was that security professionals did not believe that their budget was “sufficient to curtail or minimise data breach incidents”. The situation is unlikely to change soon, given the continuing uncertainty in the wider economy and the pressure from boards to make savings. This is of course especially true in a public sector about to be hit by the most stringent cuts in

It appears that many security professionals are still finding it hard to make a business case for their departments and strategies. Worse, many are not even given the opportunity to make a business case. Given the economic background it is therefore imperative that CISOs ensure they get that opportunity and that they know how to talk the language of business and make the case for effective security investment.

A pitfall to avoid is agreement on return on investment (ROI). An agreed ROI is extremely hard to measure in security. The old conundrum for any security professional is that the only real “return” is that breaches, data losses and attacks are either stopped or minimised sufficiently.

In a downturn, a CFO may be tempted to reduce the security budget or demand numerous proofs that money invested has been worthwhile. The CFO’s sense is often that the same results may be achieved with less

Therefore the CISO needs to be able to argue a bullet-proof case for continued and enhanced investment. Security bosses need to be absolutely sure of their own effectiveness and, further, the efficiency of their own departments. That way CISOs can ensure that they know absolutely what they need when the budgets are written.

To help, as part of its research Ponemon has released the Security Effectiveness Framework Tool. This is a questionnaire tool which analyses the organisation across six major areas: culture, security environment, technologies, control activities, governance and budget.

Such an empirical measure is likely to be highly valuable in a continuing climate of cost savings and efficiencies throughout different sectors. Those working in the public sector may look to this tool with a certain degree of enthusiasm and interest.
However, there are likely to be ongoing shifts in overall IT strategies across all sectors. Chief Information Officers (CIOs) will be looking to adopt further mobile working, embrace consumerisation and Bring Your Own Computer (BYOC) policies, as well as accelerate cloud and virtualisation deployments. The effective thing for any CISO to do is make sure they are there at the start of these shifts.

Global changes mean that organisations will be working across borders and with new partners, most likely in the Far East. This too will impact on security strategies and

There are undoubtedly economic challenges ahead, but if they bring greater discipline and a more scientific approach to security from the CISO community it will benefit them and the businesses they serve to enhance and protect.

The Security Effectiveness Framework Study can be downloaded from:

Drivers to a good Security

1 Appointment of a CISO or organisational leader for
2 Training and awareness programs on data protection and security for end-users.
3 An organisational culture that respects privacy and data protection.
4 Executive-level support for security.
5 Strong endpoint controls.

Source: Security Effectiveness Framework Study, Ponemon Institute
The economic outlook for 2011 and beyond: Justin Urquhart Stewart

Justin Urquhart Stewart is a co-founder of Seven Investment Management, a business which manages around £3 billion on behalf of professional financial wealth managers and intermediaries. He writes regularly for national magazines and newspapers, and is a frequent commentator on television and radio, both in the UK and abroad. Inform got an exclusive insight into his predictions for the economic conditions ahead and the shift in economic power across the globe.

First the good news. He is reasonably confident that the UK won’t fall back into recession, thus avoiding the much talked about ‘double-dip’ that has been consuming commentators for the past few months.

However, this doesn’t mean that it is full steam ahead. “The economy is still pretty insipid and is likely to remain so. We haven’t actually had any cuts yet; we are still going to have some serious difficulties ahead when they come,” he says.

He is cautious that a second recession will only be avoided as long as the banks return to sensible lending again and the spending cuts are genuinely spread over four years. That way we may sustain a reasonable level of growth and a return to confidence.

“However we do face a number of serious headwinds in terms of the level of exports not being particularly strong, lending still weak and consumer confidence remaining weak too. The continuing lack of confidence in the housing sector is a worry,” he says.

“We will probably still get growth but it will be very weak for some time to come. We won’t see any shrinkage unless the government was stupid enough to carry out the cuts wholesale. Some 39 per cent of the working population is related to state employment. State and private employment are intrinsically linked – both cubs sucking off the same she-wolf,” he says.

Those expecting a quick return to the good times are going to be disappointed. We are likely to be in the doldrums for some time yet. As Urquhart Stewart explains, the Western economies spent 15 years building the boom. It will take time to restructure the debt – not just government debt but also the billions tied up in personal debt.

“The UK economy needs to become less consumer dependent and move towards a manufacturing base. We are a nation of small businesses. This year will see 400,000 new businesses being set up – not all will survive. Even fewer will survive if we don’t have a functioning banking sector,” he says.

Urquhart Stewart sees continuing difficulties in the retail and housing sectors and for anyone involved with the public sector. However, those trading with the Far East are likely to be in a stronger position as the oriental consumer continues to grow in importance and buying power.

“We will see a two-speed global economy. Western nations, with the exception of Germany, will remain slow while the Eastern nations, with the exception of Japan, will be fast. The Eastern nations, SE Asia and the emerging economies will grow. But they may feel the pain of a backlash from the United States with increasingly protectionist noises coming from there. We need to avoid protectionism because that way leads to a 1930s-style depression,” he says.

Urquhart Stewart believes that it is unlikely that protectionism will rear its ugly head. More likely the US will continue with a policy of quantitative easing, which in effect is a devaluation of the dollar, which could lead to some problems as it reduces the value of US bonds – mostly bought by the Chinese.

There is one thing of which Urquhart Stewart is absolutely convinced and that is the irreversible shift in global economic power that started even before the global slowdown. This will affect all our businesses and trading

“Politically and economically the power has shifted to the East. The world will look very different in 20 years’ time,” he says.
Enterprises around the world are relying on virtualisation to increase datacenter efficiency and, unknowingly, leaving themselves more vulnerable. That’s because conventional security isn’t able to protect virtual machines or see the traffic between them — leaving data and networks exposed. Which is why, according to Gartner, Inc., in 2009 sixty percent of virtual machines were less secure than their physical counterparts. But with Trend Micro Enterprise Security, powered by the Trend Micro Smart Protection Network infrastructure, you can mitigate the risk and maximize the benefits of virtualisation. It’s a different kind of security that protects your physical and virtualised environments and helps set the foundation for your company to move confidently into the cloud.

Learn how to protect your virtualised datacenter. Download the Trend Micro eBook at www.trendmicro.co.uk/server-security
Calling all Websense Web Filter Customers

We have an incredible offer for you. Get a Free Subscription Upgrade to Websense® Web Security*

That’s right, Websense would like to offer you a free subscription upgrade to Websense Web Security to protect your employees from spyware, botnets, keyloggers and more. All you have to do is renew your subscription using the Websense V5000 appliance, and your license upgrade is on us.

When you upgrade, you get:
• Malware security categories that protect your organisation from malicious code, spyware, phishing sites, and more, with real-time security updates.
• Performance at a value with the Websense V5000 appliance platform to support Websense Web Security.
• Investment protection with free hardware warranty and the ability to run Websense Web Security Gateway on your V5000 appliance for security in the social Web.

For more information about Websense Web Security, go to

* Terms and Conditions: Free upgrade offer is available only to current Websense Web Filter customers, and applies only to upgrade to Websense Web Security for a subscription renewal period of equal to or greater than the duration of the existing subscription agreement. The free subscription upgrade requires the purchase of a minimum of one (1) Websense V5000 appliance, as well as Premium Support for the duration of the subscription agreement. Offer cannot be combined with any other offers or promotions with the exception of the “3 years for the price of 2” promotion. Offer may not be available in all states or regions. Some additional terms and conditions may apply subject to federal guidelines. Offer does not have any cash value and promotion may be cancelled at any time by Websense. Shipping charges, tax and support costs are the responsibility of the buyer.
Lessons from the CISO Club

HP Information Security’s CISO Club events bring together some of the UK’s most influential CISOs, who manage risk and security at FTSE 100 companies. Each event allows them to brainstorm the future of business security and how it impacts on

At the most recent meeting they discussed corporate social media, consumerisation of IT and identity management. We present some of the findings.

The attendees of the CISO Club were keen to discuss three top-line trends that they felt were now seriously impacting their enterprises. Three big issues, each one developing its own set of challenges and search

The first of these was the seemingly unstoppable spread of social media into the workplace and beyond. Social media is here to stay and it is being used by employees for personal use and by companies themselves keen to exploit the marketing and PR opportunities that applications such as Facebook and Twitter offer.

What CISOs need to grasp is that while today Facebook and Twitter dominate, tomorrow it may well be another tool with as yet unknown functionality as well, of course, as opportunities. That is the key point. Forward-thinking CISOs will understand that social media and other web 2.0 applications must be integrated securely so that their power can then deliver the business the benefits that they hold.

Social media can be managed, even encouraged and exploited as a positive force for the business. We are only just scratching the surface of the power of social media. Already, applications can include intra-enterprise communication and sharing all the way to interactive customer-facing tools.

It’s not just about technology and applications. It’s also about people. CISOs must accept the reality of social media and the integration of “generation Y” into the enterprise. They must be prepared also for the next wave of social media tools.

As a start, CISOs can take the lead in encouraging people to communicate via social media as long as clear rules are incorporated into social media policies. These policies are likely to be fluid but, most crucially, employees must be aware of the social implications of social networking. Beginning with that message is a great start to enlightened and secure use of social media.
Bring Your Own Desktop

We are entering a new era in IT with innovation and demand being driven by the consumer rather than the enterprise. Companies like Apple that were once considered peripheral to the business market are now integral, thanks to the widespread adoption of devices such as the iPhone and iPad and those devices which have imitated Apple’s products. Employees at every level are now attracted to buying and using mobiles and laptops of their own choosing in the workplace – often in addition to the company-issued device.

This can have its advantages for the enterprise but, as usual, brings challenges for the CISO. Some companies have started to adopt the concept of Bring Your Own Desktop (BYOD) as a way to deal with the ongoing consumerisation of IT.

The advantages are clear: reduced purchasing and support costs (employees effectively provide their own support) and happier employees. The dangers are increased exposure to data leakage threats and the blurring of personal and business activities across a number of other devices: personal smartphone, home PC, iPad, other people’s devices. Quite often the same “consumer” device is used for work and pleasure.

This is the real challenge for the CISO and, by extension, the CIO. They must not let themselves be blinded by simple cost savings. Consumerisation needs careful management – off-shoring procurement and support costs to the employee is fine as long as the enterprise retains control of secure working on consumer devices. This will undoubtedly entail technical solutions such as sandboxing and data encryption. Consumerisation is the biggest practical management issue that CISOs will face in the next decade.
Identity management challenges

The third main topic of discussion centred on identity management, which the group decided was still central to effective enterprise security. If you can verify that a person is who they say they are, you can grant access. True enough, but CISO leaders are starting to think beyond identity management and into identity protection in order to evolve advanced identity

This is a new challenge to CISOs and brings with it some ethical and HR-related issues. Just as the enterprise needs to monitor access, does it also have a duty to protect employee identity from online predators? In an increasingly blurred home/work environment, employees are opening and closing online identities throughout multiple environments. The challenge then for CISOs is to determine where enterprise duty of care begins and where it ends.

1 Develop social media policies that reflect the values and purpose of your enterprise
2 Listen to and learn from your enterprise
3 Don’t try and control the method
4 Educate employees on the social implications of social networking
5 Start developing your strategy for IT consumerisation today – it will come to your enterprise sooner than you think
6 Be careful that the cost savings of BYOD are not outweighed by data loss costs
7 Determine where your responsibility for employee identity lies
8 This is the third age of computing; the CISO role is about to change fundamentally
Quick Fire: Larry Ponemon Q&A

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a leading research think tank dedicated to advancing privacy and data protection practices. He consults with leading multinational organizations on global privacy management programs and has extensive knowledge of regulatory frameworks for managing privacy and data security. He also contributes to Computerworld, CSO Magazine and other leading publications.

In your long career researching security, what event or technology has had the greatest impact?

This is a complex question because enabling technologies can have a positive and negative impact. In terms of making the world a safer place, I choose encryption, access governance and SIEM technologies. In terms of creating insecurity for people and companies, I see portable data-bearing devices such as USB memory sticks, smart phones and laptop computers as the main culprits.

Do you think that the business world now “gets” the importance of information security to its survival?

I think that business leaders have come a long way over the past decade in terms of their general understanding and appreciation of information security within their enterprise. Recent Ponemon Institute research shows that CEOs do believe information security and data protection initiatives are important to maintaining a company’s reputation and brand. However, many C-level executives are still out of touch with the realities of information security in terms of economic impact and the resources necessary to accomplish its mission. They often are unaware of how vulnerable their organisations are to attacks against their networks.

Are we entering a new age of security enlightenment or a dark age of cyber warfare?

This is difficult to determine. On the one hand, most security technologies are becoming more effective, efficient and easier to deploy. On the other hand, the bad guys (a.k.a. cyber criminals) are harder to stop because of sophisticated attack vectors and greater stealth. While I tend to be optimistic about the future, I do foresee the possibility of catastrophic cyber attacks against local, national and global critical infrastructure in the next few years.

Have we “lost” the battle against malware and does it matter?

There is no doubt that the malware problem is getting worse. Our research shows that, on average, about five percent of all enterprise IT endpoints are infected with malware. To make matters worse, a sizeable percentage of these infections infiltrate corporate networks and enterprise systems. Until recently, malware was just an annoyance (not super critical to a company’s security posture). However, this has changed with the advent of data-stealing malware and relational botnets.

You helped develop the
important is effectiveness to business security?

Security effectiveness is very important to business continuity and success. Clearly, security inefficiencies result in downtime and non-compliance with regulations, open the door to cyber attack, cause data leakage and a whole bunch of other serious organisational maladies.

You’re not an advocate of ROI in security – why is that?

I believe return on investment is a poor metric for judging enabling security technologies. The ROI model assumes that a given investment maintains a predictable or constant stream of value over time. Unlike general IT, the IT security ecosystem changes very quickly in response to changing threats, vulnerabilities and attacks. A constantly changing attack profile means the organization’s security arsenal will not maintain a predictable or constant level of value over time.

You’re an ex-Navy man – are there any lessons you learned in the Navy that you have applied to your academic work?

Discipline, patience, duty and humor. Beyond seasickness, the Navy was a very positive experience for me, especially with respect to developing core research skills such as intelligence gathering, analysis and reporting.

When not researching security, what do you do?

I enjoy life with my family, including three lovely dogs. As an instrument-rated pilot, I enjoy flying my small airplane (Mooney Acclaim) throughout the United States and Canada. I’m also an avid guitar collector and player. I enjoy my electric guitars most of all – including a 1972 custom Fender Telecaster.

What has been your

My proudest achievement was seeing my two sons graduate from university. The second proudest achievement was successfully defending my Ph.D. dissertation. My third proudest achievement was passing my pilot exam. A fourth proudest achievement was getting a personal “thank you” note from the President of the United States. •