IBM builds risk-aware culture with 10 essential controls
By Khoo Boo Leong 25-Jul-2012
An increasingly mobile workforce that demands anytime, anywhere access to corporate systems from any device, together with lines of business adopting cloud services, drastically increases the vulnerability of an enterprise network.
10 essential controls for in-depth security
1. Build a risk-aware culture: Establish policies and systems to measure the effectiveness of controls while helping end users understand their roles and responsibilities in maintaining a secure environment.
2. Manage incidents intelligently: Develop a team of people that can respond quickly, identify the incident and do the forensics when one occurs.
3. Enable a secure mobile workplace: Lock down laptops and other mobile devices and ensure end users understand acceptable use policies.
4. Build secure systems and applications: Build security into the development process instead of thinking about security after the fact.
5. Automate day-to-day operations for security: Automate patching and use up-to-date software.
6. Control network access: Implement the right network security controls with visibility of network traffic.
7. Secure the cloud environment
8. Manage security and compliance: Think about supply chain partners and develop requirements that partners have to adhere to.
9. Protect privacy and secure data: Manage structured and unstructured data; encrypt, monitor and classify them.
10. Manage digital identities
To make matters worse, "over the past 8 or so years during the recession, there was an 80% decrease in the amount of funding for security technology amongst the venture capitalist community," said Kristin Lovejoy, the vice president of IT Risk and chief security officer at IBM. "There has been less innovation during this period to deal with [emerging threats such as hacktivism and advanced persistent threats (APTs)]. The APTs are what keeps me up at night."
So, as organizations strive to reduce costs and increase efficiencies, the risk of skipping over steps due to inadequate resources increases. "We estimate that between 80% and 90% of all sophisticated attacks could have been prevented through simple controls," said Lovejoy.
Despite worries about hacktivists and APTs, the reality is that "99.9% of the incidents involve the [end user] as the inadvertent actor," added Lovejoy. "The irony is that hardware and software are more secure than ever before. The problem is that the systems are now in the hands of the end users. You've got mobile devices and cloud images that are being made available to more people. These are being used by cybercriminals to get inside the organization."
IBM is certainly a giant target with an attack surface spanning "250,000 applications running on about 800,000 IT assets; 250,000 network assets and more than 2 million laptops and another several hundred thousand mobile devices," said Lovejoy. "We change about 4 million user names and passwords daily and expire about 40,000 patches a day."
To help senior executives at IBM understand what is required to balance the risks of security and business transformation against business innovation, Lovejoy created a list of 10 basic but essential controls for providing in-depth security.
"We have to better understand the DNA of our business, the risks associated with it and implement the appropriate security controls that make sense for the business," said Lovejoy. "More focus on the concept of risk management, risk management processes and tools will help people to prioritize what they're doing."
In securing cloud environments, Lovejoy believes the security issues lie with the way cloud images are managed. "Think of the cloud as having two layers," she said. "There is the infrastructure under the hypervisor that the cloud is built on and there are the cloud images above the hypervisor. People are buying the cloud services or images."
While the cloud beneath the hypervisor and the image itself are, by default, generally secure, the cloud services are another matter, especially when a line of business, instead of IT, owns and manages the image. The marketing group, for instance, may experience an attack within minutes of spinning up an image running risky customer data analytics.
Rights and responsibilities
"[With cloud security], do not just simply think about the above-the-hypervisor security tools," said Lovejoy. "Mandatory education for the people who are consuming the cloud is also critically important."
The best approach to ensure end users play their part in a risk-aware culture is "to bind security education with the benefit, such as the user's right to use social media or to bring one's own device," said Lovejoy.
"The takeaway is if you want to get into the heads of your audience, educate them on their rights and their responsibilities. You will get better overall adoption and more thoughtfulness from the end user." Indeed, IBM has instilled high user awareness of cyber security risks with surprising results. The company has one of the lowest adoption rates of social media and bring-your-own-device in the industry.