Strategic Insights: Securing Information in an Unsecure World (Ottawa)
Three experts from diverse backgrounds took the stage in Ottawa recently to explore some of today’s most challenging IT security issues.
Produced by The IT Media Group, the Strategic Insights session featured Neils Johnson, Principal Technologist for event sponsor Symantec, a Vice President in charge of security for a large public corporation and another VP with security responsibility in a private firm that has very high security requirements. Names of the latter individuals have been withheld upon request. Chairing the session was John Pickett, VP, Executive Programs for The IT Media Group.
The invitation-only breakfast event for IT executive peers drew an audience of high-ranking executives from government, academia and the private sector.
Key topics included: patch management and automation; dealing with the board; role-based access and data classification; phishing attacks and user awareness; communicating the security message; challenges with BYOD; and incident response approaches.
The event was quite topical and included a discussion of a recent IT-enabled bank heist. Said Johnson, “Occasionally, we leave our environments somewhat exploitable. This is a wake-up call to say, ‘Hey, what’s really important and what’s not?’ There’s some basic hygiene that needs to occur on a day-to-day basis that we sometimes take for granted. Eighty percent of the security breaches going on right now would be resolved if the patch levels were where they’re supposed to be.”
An example was given of a company that has implemented a new patching strategy. Formerly, patching happened in random ways through multiple groups; IT relied on the lines of business to know what had to be done. A governance committee was formed to follow through and track those patch-management cycles. A key challenge was to ensure that the business was committed to the patching strategy, rather than having the option of saying no. To resolve the challenge, senior executives had to get involved and support a policy that required patches to happen every quarter. With this kind of regularity now built into patch management, the business is responding and beginning to plan accordingly.
Johnson added that it’s not about speeds and feeds and bells and whistles. “When it comes to patch management, who cares how fast your technology runs? Today, it’s more about the knowledge component, the information that the technology has sitting behind it, so that it knows what to look for. Does our technology know how to resolve the disparities between what’s happening in the threat landscape and what’s happening internally?”
CHALLENGES WITH BYOD:
BYOD is another area that is posing security challenges for organizations. Johnson noted that there are technologies in place that allow BYOD to be supported. “Users expect to get their calendar, their email, their internal messaging, and whatever else is on the professional side, but at the same time, they don’t want IT touching their personal stuff,” he said. “And there is container technology in place to drive both of those requirements, the professional and the personal, off the same platform, while enabling IT to impose policy.”
One speaker indicated that his organization has decided not to try to manage the device, instead opting for a formal BYOD program along the lines mentioned by Johnson. The organization allows very little communication between the container on the mobile device and what’s happening in the users’ personal lives. What’s important is containing and protecting the corporate data. If a wipe is required, it’s a wipe of the corporate data only.
Another key topic was Cloud-related security and the yin and yang pull between trust and control. How much is the IT organization willing to trust that Cloud providers have the proper maturity in place to provide the security services that the IT org would typically provide? Part of this discussion was around putting policies in place to deal with shadow IT being introduced throughout the organization’s infrastructure.
RESPONDING TO THE BOARD:
An audience member noted that many CIOs are getting demand from their Boards to enlighten them around how their organizations are positioned against the kind of corporate attacks they hear about in the media. How do you pull them off the ceiling and tell them that it’s okay?
“The topic of that conversation is risk tolerance. It’s acknowledging the fact that no environment is going to be completely risk free,” replied Johnson. “The real question is: where do I put my security energies, dollars, resources? There are some crown jewels around which your business is built, and they absolutely have to be secure. So it’s critical to have a conversation with the Board about risk tolerance: what is important and what’s not? And where do we put our dollars to be sure the really important stuff is indeed secured?”
PHISHING ATTACKS AND USER AWARENESS:
One expert noted that his organization does four or five phishing exercises a year in order to get employees to recognize them. The approach has been very successful. Users have stopped clicking those links. People are getting much smarter, and it is resulting in clear ROI, which is difficult to demonstrate in security. The organization is now in a position to say, “This is having an effect. This is worth the money.”
Awareness is critical for everyone who is upstream from IT, said Johnson, but people bring with them three strikes: they’re inefficient, ineffective and error-prone. As a result, for everyone who is downstream from IT the solution is automation, he said. You need to do whatever you can to eliminate people from the decision-making processes around clicking on that link, downloading a particular app, or launching something. If you can impose policy, along with some automation, to eliminate that decision-making process from the people downstream from IT, security is well served.
Session Highlights Videos
Data classification is an important step in determining where and what type of protection is needed as well as enabling the automation of many security tasks.
Management of basic security hygiene tasks such as patches requires commitment and organization.
Post-session interviews
Tom Bornais, Director, Information Security, NAV Canada
Marc Stackhouse, Corporate Manager, IT at Defence Construction Canada
Neils Johnson, Principal Technologist, Symantec Corp. - The Challenge for IT
Neils Johnson, Principal Technologist, Symantec Corp. - The Evolving Threat Landscape
About CIO Strategic Insights Breakfasts
These sessions, produced by The IT Media Group, follow the form of a talk show in which The IT Media Group's VP of Executive Programs interviews subject-matter expert 'guests'. These highly interactive sessions also engage attendees through questions and discussion with the panel members. Strategic Insights breakfasts are designed for small groups of IT leaders to gain new perspectives on common issues and to network with peers.
IT executives interested in receiving notification of upcoming events produced by The IT Media Group should complete the VIP membership form, including a business email address.