Is Cyber Security the next Y2K?

In the Chief Executive.net CEO Briefing article, "WikiLeaks' Next Target: CEOs", it seems to me that WikiLeaks' founder Julian Assange will make good on his vow to go after big business and to release confidential information concerning the nation's largest private companies. The most severe threat to any organization, whether it is the State Department, the Department of Defense, a large U.S. bank, or another major publicly traded company, is the insider threat.

I spoke with Chrisan Herrod, our security expert, to get her view on how this will impact security policy in global enterprises. This is what Chrisan had to say:

"WikiLeaks has made it completely obvious that information security breaches represent a significant risk to the enterprise and that an airtight cyber security strategy is not an option; it is a must. The question then becomes how best to counter the threat without damaging the mission of your business.

  1. CEOs should take notice now of what is happening within the US government and take extraordinary measures to protect their corporate information. IT and the business should focus on the principles of alignment offered by Business Service Management. Business leaders and information security personnel have much that they can do, and should do, to be as proactive as possible.
  2. First and foremost, make information security a top priority for your company. If you do not have a Chief Information Security Officer (CISO), hire one and place the individual outside of IT in a role that is visibly important to the entire company.
  3. Stand firmly behind your corporate policies and enforce them through the best education, training, and awareness that you can afford for your employees.
  4. Adopt a culture of risk management and form an IT Risk Management group that reports to the Audit Committee of the Board of Directors.
  5. Do not buy technologies to solve your problem; rather, adopt technology that will enable your company to do a better job of ensuring who has access to information and systems, and require business units to validate monthly an individual's need for access.
  6. Finally, use technology in conjunction with improved access management processes, compliance with corporate policies, and increased awareness of the risks to your company should information be leaked that could be damaging to you personally or to your company as a whole.
I agree with the government's increased emphasis on improving access management, and my reasoning is supported by survey data released earlier this year by the Ponemon Institute. In their survey, sponsored by CA, they revealed that rank-and-file employees were much more likely than executives to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations, and the technology with the widest difference was identity and access management systems.

If identity and access management systems and processes are not in place, it places the corporation in a higher risk category. And even if they are in place, they must be continuously monitored. That is why it is so important not to invest in technology alone, but to invest in sound processes based on enforceable and monitored policies.

So by all means take to heart the issue of access management and address it first and foremost, but also ensure that you are taking Information Security and Risk Management seriously as part of your Business Service Management strategy in a high threat environment."
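Item 5 of Chrisan's list (business units validating each individual's need for access every month) and her point that access management systems must be continuously monitored both amount to a recurring access recertification. The script below is an added illustration of that process and is not code from the original post or from BSM Review: it takes a list of entitlement records as an IAM system might export them, flags the ones a business unit needs to act on (never validated, validated longer than a month ago, or still granted to a deactivated account), and groups them by the owning unit. The record layout and field names are assumptions made for the example, and the entitlement data and review date are constructed.

```python
"""Monthly access recertification helper (added example, not the post's own code).

Assumed input: a list of entitlement dicts exported from an identity and
access management system. The field names (user, resource, owner_unit,
last_validated, user_active) are an assumption for this example only.
"""
from datetime import date, timedelta

# "Monthly" validation cadence, as called for in item 5 of the post.
REVIEW_PERIOD = timedelta(days=30)

# Constructed sample export: who holds what access, which business unit
# owns the resource, and when that unit last confirmed the need.
SAMPLE_ENTITLEMENTS = [
    {"user": "alice", "resource": "hr-payroll-db", "owner_unit": "HR",
     "last_validated": "2010-11-20", "user_active": True},
    {"user": "bob", "resource": "hr-payroll-db", "owner_unit": "HR",
     "last_validated": "2010-09-01", "user_active": True},
    {"user": "carol", "resource": "m-and-a-fileshare", "owner_unit": "Legal",
     "last_validated": "2010-11-28", "user_active": False},
    {"user": "dave", "resource": "m-and-a-fileshare", "owner_unit": "Legal",
     "last_validated": None, "user_active": True},
]


def classify(entitlement, today_iso):
    """Return why an entitlement needs attention, or None if it is current.

    Orphaned access (the account is gone but the grant remains) is reported
    separately because the right action is revocation, not another review.
    """
    if not entitlement["user_active"]:
        return "orphaned"
    last_validated = entitlement["last_validated"]
    if last_validated is None:
        return "never_validated"
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_validated)
    if age > REVIEW_PERIOD:
        return "overdue"
    return None


def build_review_queue(entitlements, today_iso):
    """Group entitlements needing action by the business unit that owns the resource."""
    queue = {}
    for entitlement in entitlements:
        reason = classify(entitlement, today_iso)
        if reason is not None:
            queue.setdefault(entitlement["owner_unit"], []).append(
                {**entitlement, "reason": reason})
    return queue


def summarize(entitlements, today_iso):
    """Count entitlements by status, for reporting to the IT risk group."""
    counts = {"orphaned": 0, "never_validated": 0, "overdue": 0, "current": 0}
    for entitlement in entitlements:
        counts[classify(entitlement, today_iso) or "current"] += 1
    return counts


if __name__ == "__main__":
    # Constructed review date (the post's publication date).
    review_date = "2010-12-02"
    for unit, items in build_review_queue(SAMPLE_ENTITLEMENTS, review_date).items():
        print(f"{unit}:")
        for item in items:
            print(f"  {item['user']:6} {item['resource']:18} {item['reason']}")
    print(summarize(SAMPLE_ENTITLEMENTS, review_date))
```

In practice the output would be pushed to each owning unit as a work item and the "orphaned" entries routed straight to deprovisioning, which is the processes-plus-technology combination the post argues for rather than a tool on its own.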


1 Comment

Rick & Chrisan, I'm in complete, 100% support of your emphasis on access management for protection of corporate (business) information and assets. It's like reiterating IT threat reduction 101 and is basic to any feeling of control given the breadth of vulnerability.

However, the discussion of data protection by means beyond access control seems fundamental as well. We can get better and better at controlling who has access, but we need to move to a level of distinguishing data that could jeopardize our corporate existence, data that might be embarrassing, and data that is okay for public distribution. There should be multiple levels of protection for data that is detrimental to business survival ... or innocent lives, as is the case in the WikiLeaks scenario.

Data privileges are but one example of security processes that need to be in place in addition to access control. But a fundamental assumption you make in posting this comment is spot on ... and that is that business is/will be jeopardized by inappropriate attacks ... and IT needs to demonstrate what they are doing to minimize the impact of those attacks.


About this Entry

This page contains a single entry by Rick Berzle published on December 2, 2010 5:48 PM.
