Business white paper Risks, trends, and disrupters CISOs most adaptable to change will survive

Risks, Trends & Disrupters


We all know the headlines: One week, it’s a string of major retailers in the U.S. Another week, it’s a healthcare provider that has lost control of patient records. Then there’s the breach of a major technology company. Over recent years, it’s hard to think of an industry that hasn’t had a significant compromise in security. Hardly a week goes by without a data security episode. In this HP report based on extensive interviews with experienced CISOs, we explain why it takes intelligent insight into the capabilities of your adversaries and vulnerabilities — as well as having the right response capabilities in place — to succeed in securing your enterprise.


Table of contents

3 Major trends driving security change

5 Securing a business under constant disruption

6 Shift in risk management required

8 Agility to adapt informed thinking: Need for intelligent security

10 Acknowledgements

Business white paper | Risks, trends, and disrupters


Chief information security officers (CISOs) today face formidable disruption—technical, business, adversarial, and regulatory. The best way to succeed is to constantly assess where your enterprise stands and adapt intelligently. This requires a comprehensive view of risk that is able to adjust as business conditions, threats, and vulnerabilities change.

Information security managers are accustomed to business disruption: the shift from the age of the mainframe to the PC in the 1980s, the rise of the Internet in the 1990s, the complexities of securing web applications, and eCommerce transactions in the 2000s. Those who have been practicing security for a while recognize that we’re in another period of great disruption, driven by the democratizing of data through cloud and mobile computing and the accelerating rate of globalized commerce.

Each of these disruptions has brought tremendous opportunity. Sometimes, it’s an opportunity to increase productivity or to reap cost reduction, such as with the advent of the PC and today’s mobility and social networks. Or it could be the business opportunity to seize new markets and sales challenges, such as with the Internet and eCommerce. Other times, it’s the opportunity to attain all three: productivity, cost containment, and creating new business models, such as is the case with cloud computing.

To be sure, each of these disruptions also brought increased risk. We’re certainly seeing that today, so much so in fact that it might be hard to ask one to remain positive about the state of IT security. As you know, breaches are on the rise, and so are the costs associated with them. In 2013, the number of data breaches soared by 30% over the year before. And while attackers are getting more advanced in their craft, it seems that enterprises too often still have trouble managing the basics. One example: our most recent HP Cyber risk report found that upward of 80% of applications are vulnerable to compromise due to avoidable misconfigurations. This begs the question: What must most organizations do so that they can safely and confidently embrace new opportunities as they present themselves?

And let’s face it, there is much to be done. It’s been reported that the breach of a major U.S. consumer goods and grocery retailer was the result of a subcontractor that was compromised. That subcontractor’s credentials were reportedly used to access the retailer’s network. Whatever the final analysis shows, we know now that 110 million, or more, customers were involved. The lawsuits are already under way, and the cost will reach tens of millions of dollars. Also, lawmakers in the United States are considering new data breach disclosure laws and more stringent payment card security mandates.

Top security management keys to success

• Ensure that security objectives are aligned with key business objectives

• Classify the data and systems that matter most to the business

• Gather threat intelligence regarding the adversaries most likely to attack your enterprise

• Measure the effectiveness of the controls in place to protect those data

• Optimize and monitor key security metrics that could affect risk, good or bad

• Improve any security controls that need to be improved

Source: HP


It’s easy to cast blame on those breached enterprises—too easy, in fact. The reality is that effective IT security is incredibly difficult. The modern CISO is grappling with ever-increasing technological and business demands, pressure to reduce costs, constantly changing technologies, higher dependence on third-party partners, and application security weaknesses. And users demand to use the latest and (maybe not, when it comes to security) greatest consumer devices. There also are growing—in complexity and numbers—cyber security-related regulations, and the increasingly motivated, knowledgeable, and evolving adversaries that seek to steal or disrupt access to data.


Chart 1. Risky business

What are the sources of risk to your organization’s information? (% of respondents)

Employee carelessness: 36%

Criminal theft of information for financial gain (that is, hacking): 35%

Malicious destruction or leaking of sensitive data (that is, by disgruntled employees): 28%

Technology failure: 26%

Employee turnover (that is, competitor poaching of talent): 26%

Corruption or damage to data: 22%

Supplier carelessness with our data: 8%

State-sponsored cyber attacks: 5%

Natural disaster (that is, fire or flood): 5%

Other: 2%

Top three risks by job title or function (selected)

CEOs: 1. Technology failure; 2. Employee carelessness; 3. Employee turnover

Risk function: 1. Criminal theft of information for financial gain; 2. Malicious destruction or leaking of sensitive data; 3. Technology failure

IT function: 1. Criminal theft of information for financial gain; 2. Malicious destruction or leaking of sensitive data; 3. Employee carelessness

Top three risks by region

North America: 1. Criminal theft of information for financial gain; 2. Employee carelessness; 3. Corruption or damage to data

Asia-Pacific: 1. Employee carelessness; 2. Criminal theft of information for financial gain; 3. Malicious destruction or leaking of sensitive data

EMEA: 1. Employee carelessness; 2. Criminal theft of information for financial gain; 3. Employee turnover

Source: Economist Intelligence Unit survey, August 2013.


“To be successful, enterprises need to not only get a better understanding of the risks that they face, but also be able to see and mitigate attacks as they are in progress,” says Brett Wahlin, vice president and chief information security officer at HP. “It’s about having the agility to quickly adjust as your technology, business demands, and adversaries change.”

To paraphrase the English naturalist Charles Darwin, it’s not the strongest of the species that survives, or the most intelligent; it’s the one that is most adaptable to change. The same is true, to a large degree, for today’s CISOs.

Let’s take a quick look at the threats and the business disrupters that the successful CISO needs to be ready to adapt to not only survive but also thrive in the years ahead.

Major trends driving security change

Business-technology trends

Business and technology disrupters accelerate in 2014 and beyond—cloud, mobile, the connected worker, and APIs are making more devices accessible over the Internet. The result is that the business-technology environment will continue to change rapidly.

These trends are all tightly intertwined. As enterprises embrace public, private, and hybrid cloud architectures, corporate information is flowing at an unprecedented rate that makes it widely and conveniently accessible—but also places it at risk. Too often, enterprises are unaware of where their critical data resides and whether it is adequately secured and compliant with industry and government regulations.

Just as cloud computing is transforming the enterprise, it’s also transforming how workers choose the business-technology services they’ll use. Rather than wait for IT to deploy the storage they need, they’ll turn to Dropbox. Rather than wait for the IT team to build a new collaborative system, they’ll look for something reasonably priced and have the service turned on that day. This, too, dramatically changes organizational risk.

Businesses also are being asked to compete in more markets, have more devices and services, and more communications with customers and partners. This entails more competition and more global risk. Just as IT security protects these technologies, it’s also protecting the business strategy behind the deployment of these technologies.

Threat and risk trends

Attackers are getting more creative at finding weaknesses in the defenses to exploit, such as the BlackPOS RAM scraper (or a close variant employed in the recent retail attacks) that is able to capture the credit card data the moment it is sent in clear text.

The costs of breaches to organizations, and their frequency, also are rising. Too many are caused by enterprise missteps. We are all familiar with security vulnerabilities as a result of coding flaws, but assessments of 2,200 applications performed by HP Fortify on Demand, using static and dynamic security analysis techniques, found that many vulnerabilities are created by configuration mistakes. These include server misconfiguration, improper file settings, sample content, outdated software versions, and other items related to insecure deployment.

Mobile computing still remains a serious risk. When 180 iOS and Android applications were evaluated by Fortify on Demand, improper use of encryption was one of the top client-side issues uncovered. As the lines blur between mobile devices and more traditional desktops and notebooks, it’s important to find ways to defend enterprise data on mobile devices to at least the same level of protection as on traditional endpoints.

These threats and business trends dramatically change information risks and how CISOs must manage that risk. They also enable enterprises to compete more effectively and introduce new business models while doing so at acceptable risk levels.


Threat statistics

• While we often hear about vulnerabilities that arise due to bugs in an application’s code, 80% of applications contain vulnerabilities exposed by incorrect configuration.

• Forty-six percent of mobile iOS and Android applications use encryption improperly.

• Sandbox bypass vulnerabilities are the #1 issue for Java.

• Supervisory control and data acquisition (SCADA) systems have become increasingly tempting as targets.

Source: HP 2013 Cyber Risk Report


Chart 2. Need to know basis

To what extent are the concepts of information risk, and its management, known in your organization? (% of respondents)

Not at all: 1%

To a limited extent: 29%

Partially: 42%

Extensively: 27%

In which part of the organization is familiarity with information risk practices the greatest? (% of respondents)

Finance: 48%

Operations and production: 34%

IT: 28%

R&D: 19%

Marketing: 16%

Sales: 15%

Human resources: 9%

Legal: 6%

Response set whose question heading was not captured in the extraction (% of respondents):

Patents, copyright, and industrial design: 39%

Market/industry analysis: 34%

Software programs: 33%

Corporate financial information: 32%

Customer’s personal data: 28%

Business processes (documentation): 27%

Analysis of customer behavior/preferences: 22%

Competitive intelligence: 22%

What are the biggest barriers to raising the status of information risk as a business priority at your organization? (% of respondents)

(Response values for this question were not recoverable from the extracted chart.)

Source: Economist Intelligence Unit survey, August 2013.


Securing a business under constant disruption

As we’ve established, business today is moving at lightning speed and facing multiple disrupters in business models and technologies, as well as regulatory and adversarial threats. This is creating risk and opportunity for the CISO to enable the business to succeed in a way that customers, shareholders, and partners trust.

Nigel Burnford, practice principal within the CTO office at Hewlett-Packard Enterprise Security, recalls that a large educational publisher in the UK encountered challenges when facing a new digital age of disruptive content distribution. From a business perspective, like many enterprises now, the publisher was grappling with ways to move away from direct, in-person, physical book sales that involved a lot of salespeople—and instead provide its entire publishing catalog online for direct sales to parents, teachers, and students.

“You suddenly realize that all of these people have access to all of your valuable assets, and that intellectual property needs to be protected,” says Burnford. “It’s not just a question of selling it to them in a different way. All of a sudden, you’ve got to protect all this stuff—all of your intellectual property sitting there, available to anybody who wants it.”

It’s not just media that are being disrupted. We tend to think of the Internet disrupting the motion picture, music, book, and news media—perhaps because those industries are most visible to us. But the fact remains that barely any industry is going unscathed. The Internet, cloud, APIs unleashing software access on virtually all devices, and social networking are all transforming nearly every industry in the way they produce goods, deliver them to market, or interact with customers and their target markets.

The insurance industry experienced a similar transition. In the past, traditional insurance companies did all of their work through agents. Then suddenly, a few of those insurance companies began conducting direct interactions with their customers, and this has turned over the whole insurance industry business model.

It also had a dramatic impact on the ways they approach security because now they have to ensure that all of these services, software, and data that are exposed over the Internet are secured.

Andreas Wuchner, practice principal FSI EMEA at HP Enterprise Security Services, explains how the regulatory environment also is creating increased risks for businesses around the globe. For instance, the European Commission is proposing significant reform of the EU’s 1995 data protection directive, both to improve privacy for its citizenry and to better enable Europe’s digital economy. In the U.S., recent credit card breaches have brought about calls to move the Payment Card Industry Data Security Standard from industry to government regulation, as well as for a national data breach disclosure law.

“The scrutiny of regulatory bodies, no matter the specific industry you’re in or where you are located, is something that is going to increase,” says Christopher Leach, practice principal, healthcare science Americas at HP Enterprise Security. “In the face of all of these changes, you’re still dealing with the business side. You are still grappling with the attacks that are occurring, but you have the regulations and the business enablement that you need to deal with at the same time.”


CISOs: Keys to business alignment

• Identify objectives key to the organization

• Establish trust with key executives

• Create an environment of secure enablement, rather than security through inhibiting use of new technologies

• Measure effectiveness of security controls and communicate value of security program to business leadership

Source: HP


The challenge for many organizations is that they remain entrenched in their old ways of managing risk—reactive firefights, throwing technology at process problems, and combating the trendiest threats rather than those that pose the greatest risk. The good news is that that’s starting to change.

“Organizations are beginning to recognize that they need to do something different,” says Burnford. “Some of our conversations with larger organizations indicate that they are starting to think more proactively about the nature of the problem, being able to size it, and manage it more effectively. It’s as much about people, process, and procedures as it is about technology.”

And to succeed, even thrive, CISOs need to do exactly that—adapt to the challenge as business conditions, regulations, and adversaries change.

Shift in risk management required

This requires not only a shift in how risk is managed but also a shift in the very role of the CISO. That shift is already under way. The role of the CISO is morphing from a highly technical position to more organizational risk management.

For instance, in CSO Magazine’s most recent State of the CSO Survey, 74% of the security decision-makers interviewed experienced an increase in the amount of time spent advising senior executives and business leaders, and 79% of them expect that time to increase even more in the years ahead.

“The CISO is now taking a path similar to that of the CIO in the 1990s, which was a transition from bits and bytes to dollars and cents,” says Burnford. “The time has come to stop throwing technology at problems: It’s beyond just technology now. It’s actually trying to understand why something is more risky than something else, and what you can do to control that risk—and then educate the executives about their risk management and security options.”


Chart 3. Shared drive

What business or technology trends are increasing the risk to your organization’s information? (% of all respondents)

Increased collaboration with third parties: 33%

Outsourcing: 32%

Rise of “big data”: 26%

Cloud computing: 24%

“Consumerization” or “BYOD”: 21%

Social media: 16%

Remote working/teleworking: 13%

Shared computing (WiFi hotspots/Internet cafes): 13%

Other: 1%

Source: Economist Intelligence Unit survey, August 2013.


One fundamental prerequisite to doing that is an enterprise-wide view of risk. The CISO needs to be able to look across the organization and understand where its critical data is stored, how it’s being used, the threats it faces, and how effectively and efficiently the security controls already in place can control them.

This is an area where many organizations are nowhere near where they need to be, according to a recent survey conducted by The Economist Intelligence Unit on behalf of HP. The survey, “Information risk: managing digital assets in a new technology landscape,” found that only one in three CEOs believes that their company has a single view of information risk across the enterprise.

Considering the amount of technological disruption that enterprises have faced in recent years, it’s no surprise that visibility is so low. Employees and executives alike are bringing their own devices into the enterprise. They’re choosing the cloud services they want to use, either on a small department level or individually. And enterprise data are whirling from the on-premise data center to the private cloud and out to various public cloud services and back.

Still, to properly protect data, CISOs need to know which data are business-critical, and where the data reside and are being accessed. Today, that could be anywhere on premise, in any number of virtualized machines, or on a cloud service, and accessed from any number of devices.

The quintessential examples are the ways that cloud services and mobile devices stormed the enterprise, says Wuchner. Many CISOs, rather than striving to adapt to the changing technology trends, fought the momentum by attempting to ban devices and some cloud services—and found themselves on the losing end of the fight.

“They lost because the workers and the executives just found ways around the bans and the controls. This, in turn, lowered visibility and increased risk as the security of the data went ignored,” Wuchner explains.

What forward-thinking enterprises did was find ways to make it happen, securely. Suddenly, the CISO was an enabler who was able to make things the business desired happen with acceptable risks. “You see the attitude of the organization change, and it’s much more willing to seek the counsel of the IT security office,” Wuchner says.

These efforts work to build trust with the business and to maintain an ongoing relationship. “Building a relationship based on trust is critical,” says Leach. “You demonstrate that you’re not there to impede the work of the business but to help officials decide what risks they can accept. The role of the CISO is to point out the pros and cons so executives and business leadership can weigh the business risk. Then, at the end of the day, the business can make the proper decisions regarding risk. You have to understand what the business is trying to achieve if you are to put controls in place to protect it. Without knowing what the business wants, CISOs too often put in some form of control—and the business simply created an ad hoc approach to bypass it.”

That’s a simplistic example, to be sure. But the same holds true for cloud services, new business initiatives, new application rollouts, and even when the business enters entirely new markets or industries. You need to enable them securely.

In the face of considerable disruption—technical, business, adversarial, and regulatory—the best way to stay ahead is to constantly assess where your enterprise stands and adjust appropriately. To manage disruptive risk, you are going to need to review your environment regularly. Are the assumptions that were made six months ago still valid? If they are, great; if they’re not, then there is certain work that you are going to need to do.

That requires insight and intelligence.


Agility to adapt informed thinking: Need for intelligent security

To obtain that intelligence today, security officers need insight into what is happening throughout the enterprise, into ever-changing industry and government regulations, and into the differing tactics employed by potential attackers. This requires the ability to monitor the threat landscape globally, as well as be able to monitor security events as they happen within the enterprise—whether within on-premise systems or those in the cloud.

This requires an integrated, comprehensive view of risk that is able to change as business conditions, threats, and vulnerabilities change. In this way, not only are attacks defended against, disrupted, and managed, but the business can move forward confidently. It’s clear that the one-size-fits-all security event and log-monitoring approaches of the past no longer suffice.

This is where security metrics will help a great deal. Security metrics aim to inform you if your business objectives are at risk, and can relate to threats, vulnerabilities, and associated risks that could affect the IT assets and data that are critical to your business.

By measuring threats and vulnerabilities, one can maintain a diligent view on potential risks and better ensure they don’t become actual risks with negative business impact. Security metrics are another way to be effective and efficient at mitigating risk and communicate important information to business stakeholders, such as what threats and vulnerabilities matter most to the business.

Wahlin says: “The model for metrics is progressing. At one time, we judged the effectiveness of IT security solely through its ability to stop something nasty from happening. Now, it’s more about using metrics to have the business-focused risk discussion so that the executives understand the actual implications of certain decisions.”

Additionally, CISOs can make quicker and more precise decisions by using the right technologies and services, such as intrusion detection and prevention systems, log monitoring, and security information and event monitoring on the systems and the information that matter. Then, the right technologies used in the right ways can block attacks at the network and application layers and identify those that do slip through for rapid remediation.

When done right, cyber security is a winnable fight. By keeping security objectives aligned with business objectives, focusing on the data and the systems that matter and continuously measuring and optimizing, the agile CISO can adapt to business changes or adversaries that come their way.


With 5,000 security specialists with previous industry, law enforcement, and military experience, HP helps organizations to ensure the security of their mission-critical data and business processes. With eight security operations centers located around the world, HP helps to disrupt the adversary, manage risk, and extend your capabilities so that you can better protect your organization.

HP security professionals are ready to work with you to respond quickly and effectively to attacks that threaten your organization, your reputation, and your brand.

Learn more at hp.com/enterprise/security


Acknowledgements

Contributors to this report include expert commentary from Brett Wahlin, vice president and chief information security officer at HP; Christopher Leach, practice principal, healthcare science Americas; Andreas Wuchner, practice principal, financial services industry at HP; and Nigel Burnford, practice principal within the CTO office at Hewlett-Packard Enterprise Security. Many thanks for their commentary, feedback, and insight.


© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA5-3596ENW, July 2014