5 Ways InfoSec Adds Value

November 28, 2016

Effective information and operations security is essential for all global financial services enterprises.

Even so, in my workplace it seems like we rarely summarize ways that it delivers value in that arena.

Last week Travis Greene, Identity Solutions Strategist at Micro Focus, shared his list:

#1 IT security saves money
#2 IT security retains customers
#3 IT security improves productivity
#4 IT security will help you keep your job
#5 IT security is ethical

Take a look at the full article to see why he poses these assertions.


Five Reasons to be Thankful for IT Security
By Travis Greene


DataLoss Eye Candy – Enhance Your Message

October 31, 2016

It is still important to deliver messages that influence…

Good visuals have a way of imprinting, and of adding context that sticks with a good argument.

A collection of researchers, along with some design & coding help, just released an update to their “World’s Biggest Data Breaches” graphic.  It uses color, size, location along a timeline, and additional interactive data to document selected data loss greater than 30,000 records between 2004 and October 2016.

It seems like one of those resources that will be useful in a number of contexts.  [For example: Have you ever been asked “Why do I have to change my password — again…?”  One answer: Because in a world where humans too often reuse passwords across systems, passwords are no longer ‘durable.’  Look at this illustration to see how many have been stolen over the last decade…]

Use it to help goose up your risk management stories:

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks


“World’s Biggest Data Breaches — Selected losses greater than 30,000 records.”
(updated 15th Oct 2016 Version 1.095)
Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson; Design & concept: David McCandless; Code: Tom Evans.

A static version from early 2015: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-static/

Sour Economy-Staff Reductions-Increased Risk

February 1, 2009

Several surveys and reports recently have documented and argued that our historical risk management behaviors do not position us well to deal with the threats represented by trusted insiders during periods of heightened organizational strain and staff reductions.  As expected, a subset of our engineers, marketers, system administrators, database analysts, server and network security engineers will steal what they can in order to position themselves for a softer landing when (if) they are told they no longer work for the corporation.  Most corporations have chosen, consciously or not, to forgo investing in the types of controls, monitoring, alarming, and reporting that would help resist the threats posed by this population.

McAfee commissioned Professors Karthik Kannan, Jacquelyn Rees, and Eugene H. Spafford, from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS), to analyze and report on data gathered by international research firm Vanson Bourne, which surveyed more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East.  Their report is titled “Unsecured Economies: Protecting Vital Information — The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information.”

Spafford’s summary of the report’s conclusions is that “The combination of economic pressures, weak efforts at law enforcement, international differences in perceptions of privacy and security, and the continuing challenges of providing secured computing are combining to place vast amounts of valuable intellectual property (IP) at risk.” The report also estimates that “intellectual property worth billions of dollars (US) was stolen or damaged last year, and we can only expect the losses to increase.”

He goes on to outline five key conclusions the authors drew from the data:

  • The recession will put intellectual property at risk.
  • There is considerable international variation in the commitment (management and resources) to protect cyber.
  • Intellectual property is now an “international currency” that is as much a target as actual currency.
  • Employees steal intellectual property for financial gain and competitive advantage.
  • Geopolitical aspects present differing risk profiles for information stored “offshore” from “home” countries.

Everyone in the information security / risk management business should read this 36-page report.  It includes summary case studies, recommendations, and supporting text that should help frame the issues and their priority for executives who need to continue making decisions about when they are willing to tempt financial or brand catastrophe.

Not too long ago, Cyber-Ark published a report claiming that “88 percent of IT administrators admitted they would take corporate secrets” if they were suddenly dismissed.  The details were less sensational, but that report included many of the warnings carefully outlined in the paper identified above.

In a period when our companies are eliminating staff, we should remember to exhibit risk-appropriate caution, and plan carefully for each instance of releasing members of our workforces who have access to credentials or bulk sensitive information.  Dealing with the subset of this population who may react to learning of their dismissal by stealing sensitive data (or otherwise abusing their permissions) is not a new problem.  The magnitude of the risk may, though, be enhanced in any extended period of economic downturn or contraction in the financial services marketplace.

— References —

Dr. Karthik Kannan: http://www.krannert.purdue.edu/faculty/kkarthik/home.asp

Dr. Jacquelyn Rees: http://www.mgmt.purdue.edu/faculty/rees/home.asp

Dr. Eugene H. Spafford: http://spaf.cerias.purdue.edu/ and http://www.cs.purdue.edu/people/faculty/spaf/

“Unsecured Economies: Protecting Vital Information — The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information.” (36 pages): http://resources.mcafee.com/content/NAUnsecuredEconomiesReport

Dr. E.H. Spafford’s summary of the report’s conclusions: http://www.cerias.purdue.edu/site/blog/post/unsecured_economies_and_overly_secured_reports/

Cyber-Ark report: http://www.cyber-ark.com/news-events/pr_20080827.asp
