• Harder Than it Looks. Risk assessment would seem like a basic element of running the Security function. However, few members are satisfied with their processes. Indeed, from our perspective in talking to members, there is a wide gap-not just incremental improvement-between standard practice and that of the most progressive members.
• Disparate Practices. As with so much in security, there is no such thing as a common approach to risk assessments across the organizations we have spoken with. For some security activities this makes sense, as you must tailor your approach to the detailed realities of your organization. So far we have not found much of a reason why this should be the case for risk assessments: most Security organizations are trying to accomplish pretty much the same things with their risk assessments. Instead this seems to be an area ripe for “best practice” maturity improvements.
• Two Broad Categories of Activity. While most security organizations have several different activities they refer to as “risk assessments”, these seem to fall into two broad categories: 1) Specific, targeted assessments (e.g. assessing the risk of a specific application or a new business project), and 2) High-level reviews of the top risks facing the organization. In principle, it might seem to make sense to determine your high-level view of risk by aggregating the targeted assessments. In practice very few members do this, and from what we can tell this is probably appropriate due to the many well known challenges of risk quantification.

Most Security effort on “risk assessment” is devoted to the targeted assessments described above. The reality of these assessments is that they rarely assess risk, but rather are a look at vulnerabilities and the controls that should be present to address those vulnerabilities. Clearly it is not practical to perform a full threat model and impact analysis for every individual risk assessment, but there are several steps that members can take to better leverage these efforts:

• Standardizing the assessment processes and using standard risk and control taxonomies reduces effort and reduces the chances of missing basic controls.
• Leverage standardization-not in an attempt to create an all-inclusive view of your risks-but to monitor for trends such as commonly unaddressed vulnerabilities or frequently broken controls that can be a sign that new or redesigned controls are needed.
• Make sure you have a lightweight assessment of criticality, sensitivity, and/or business impact that project and asset owners can use to make a quick High/Medium/Low categorization. Such a categorization can be used both to prioritize control/vulnerability reviews, and as an input to those reviews to ensure that control recommendations are appropriate and not overly burdensome.

Fewer resources are spent on assessing high-level risk areas. Members interested in this should look into our Controls Maturity Benchmarking Service. Two quick looks at what IREC members view as the top information risk areas for 2010 and 2011 are here and here. We also profiled several alternative approaches to identifying high-level and new risks a couple of years ago.

Let us know what you would like to know about risk assessment.

However much this is part of a cyclical pattern, there are new aspects to the cloud that present new challenges to Security organizations:

1. Governance. Purchasing decisions are much harder to detect. A credit card and they’re up and running. Members tell us much of this seems to be happening in the Sales and Marketing functions, and cite this as the number one risk of the cloud (see figure below). These are so easy to set up that those who initiate the relationship may not so much think they are going around IT, they are just doing what people do naturally these days-getting stuff done on the web. This creates new problems for Security:
   • How can you detect these transactions?
   • Is it possible to create a policy that defines what is OK and what is not, or do all projects need to go through a security review?
   • If you did create a policy, what are the carrots, sticks, and awareness needed to make it work?
2. Requiring controls. With larger SaaS and IaaS vendors, there is little transparency into their controls, and the vendor will not change their security as a condition of your contract: the key to their cost efficiency is standardization and low transaction costs. Also, the vendors will rarely sign up for indemnification for when something goes wrong. IREC members are used to having the size to get their way with third parties, but the big cloud vendors aren’t that eager for each new small cloud contract. The balance of power has shifted.
3. Regulations. Unlike outsourced computing in the past, in many cases with the current SaaS offerings you do not know the geographic location of the data/servers. This can be a regulatory problem, for example:
   • Data that fall under the EU privacy directive
   • ITAR data
   • Encrypted data in countries like China that may require access to encryption keys
4. Vendor selection. There are a lot of apparently small SaaS and IaaS vendors out there, but many are just resellers of services from big providers like Amazon. What accountability and visibility have you sold to the intermediary for a lower cost?

The economics and agility provided by these services are unstoppable, so CISOs must create ways to manage the associated risks. First, CISOs need to understand the business side’s desire to use SaaS offerings and then use an understanding of the organization’s risk tolerance to decide what Security’s posture will be. Specific solutions we have heard about include:

• Offsetting desire for IaaS by building internal, private clouds, often using existing unused capacity.
• Creating clear definitions of data or processes that cannot be transferred to a third party without a security review. Ideally the restrictions are minimal, including only regulated data or crown jewels rather than all somewhat sensitive data, which can result in driving activity underground.
• Providing a list of approved vendors and a “getting started” guide to direct business users to safer cloud services. These guides should encourage submission of new vendors to ensure the lists continue to address user needs and keep Security aware of new cloud players.

What steps have you taken to address the specific risks of the cloud? Let us know.

Considering only this basic use of an ISMM, another one might seem to provide a welcome alternative point of view. However, previous Council research (see for example this and this) has shown that which ISMM you choose does not matter nearly as much as how you implement the ISMM. Furthermore, there are numerous additional uses of ISMMs that are not served with a new, proprietary ISMM:

1. Provide a standard language for security organizations to communicate.
2. Serve as a platform for the development of standardized security processes.
3. Allow for detailed benchmarking between organizations.

In 2010, 77% of large security organizations are using ISO 27001/27002 (this will be covered in today’s webinar on budget and organizational trends). ISO has become a near universal language for security organizations, except for those required to use NIST. This is why when the Council created our Controls Maturity Benchmarking Service, we avoided the temptation to try to improve on the existing ISMMs, and instead created a tool to help CISOs measure their controls maturity against the ISO and NIST standards. This has contributed to the popularity and usefulness of the Controls Maturity Benchmarking Service, which now allows organizations to obtain a detailed benchmark their security controls against those of almost one third of the Fortune 500.

• Their employees are two-thirds less likely to see misconduct and much more likely to report misconduct and operational failures.
• Managers that exhibit corporate values can improve employees’ performance by 12%.
• Their 10-year total shareholder return outperformed peers’ by 16 percentage points.

Unfortunately, three years of highly detailed data from nearly 500,000 employees at over 100 companies show that company executives have consistently rosier assessments of the health of their culture than non-executive staff. The research shows that nearly 60% of employees do not share bad news and negative feedback because they fear it will negatively impact their careers. Furthermore, employees would forego $1m to $10m in company earnings in order to avoid sharing bad news. Although these results were not specific to information security concerns, IREC believes they can be extrapolated to the security arena.

Culture, properly understood, is a risk control, and a control that impacts much more than just compliance. Making this intellectual leap helps companies understand how best to treat culture: as a measurable phenomenon. That is, critical cultural competencies should be defined, tested, and actively fostered. Companies should start by following these three simple guidelines:

• Equip managers to deal decisively and consistently with instances of misconduct or unethical behavior;
• Show the whole employee population—using real instances from the company—how the company deals with misconduct; and
• Close the loop with employees who report misconduct, so they know that appropriate actions were taken.

Related Research:
Managing the Threat from Malicious Insiders
Preventing Employee Misconduct
Preventing Data Leakage

What’s a CISO to do?

While accessing social media sites through the corporate infrastructure brings some risks around malware and the like, these are not that different in kind or in magnitude than general internet access. The main social media risks—data leakage and reputation damage—remain pretty much unchanged however they are accessed. IREC believes that—regulations permitting—organizations should open up social media access. The harm is low, and the benefits are large:

• First, you help shed Security’s image as the function that says “No.”
• Second, you will enhance collaborative opportunities in your organization.
• Third, and most interesting from Security’s point of view, you can monitor the traffic to the social networking sites.  This allows you to monitor for outgoing data, understand how users are using these sites, and identify individuals or groups of users for targeted social media awareness efforts. Why drive usage underground where you can’t do this?

For those who are reconsidering their social media access policy, here are some data we have collected on this topic. We have been asking our members about their social media access posture for more than two years now, sometimes in slightly different ways and across different venues. In all we have about 15 data sets, with an average N of about 20.  We narrowed down the responses to three categories: those who pretty much allow everything, those who pretty much block everything except for one-off exceptions for business purposes, and those in the middle who allow access for most users, but have significant limitations or focused technical controls in place. The data are a bit noisy, but we think the trend over the last year towards allowing at least controlled access is pretty clear.

Click for larger

IREC members may explore further with these resources:

Note: to find our complete collection of data sets like these covering all security topics, visit our Peer Polling Results Browser.

To learn more about our research in the social media space, attend our upcoming webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.

• 35% percent are accessing the social media on their mobile device, regardless of whether social media sites are blocked by the company
• 15% are engaging in risky activities that are primarily work related such posting company or client information on consumer collaboration sites like Google docs
• Usage of social media for these high risk activities is higher in the non-management and middle management ranks
• Perception of social media risk is different from traditional end user IT risks like leaving laptop unsecured or sharing password

So what are the implications of these findings for the CISOs inundated with social media requests and looking for ways to mitigate social media risk?

Implication #1: Given a third of end users access social media through personal mobile devices at work, traditional blocking approaches will not work.

Implication #2: End user awareness is a key tool to manage end user risk and it should be specially targeted on end users using social media at work.

Implication #3: Unlike traditional IT risk awareness where senior management is usually least aware, social media training should focus on rank and file.

Implication #4: Finally, given that end users sometimes use the same social media space for both and personal work related activities; training needs to be more nuanced, and focus on both professional and personal usage of social media.

Members can learn more about our research in the social media space at our webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.

• Greater business partner responsibility for IT. We have already seen examples of greater business partner involvement in IT through collaboration and the social media space, where HR functions are using social networking sites for recruiting and sales organizations have bought 500 SaaS licenses without having discussions with corporate IT and CISOs. This has major implications for CISOs as they lose their traditional listening posts from inside centralized IT and ability to prevent risky technology and software from entering the corporate IT infrastructure. Some CISOs already have lists of approved consumer devices but they should also start including SaaS-type applications that could be realistically purchased by the business in that list. Assurance for these applications might involve conducting third party assessments for “future third parties”. NAC’s maybe another technology that CISO’s would consider deploying further to ensure that only approved devices are connecting to the network.
• Diminished Standalone IT Role. As many IT resources get externalized or absorbed into the business services organization, the standalone IT function will become smaller. This implies the security function will need to have people with different skills. Security people in the new IT organization will need skills to work with business as well as other corporate functions, as we discussed our recent blog posting.

Do you see some of the overall trends affecting IT as outlined in the future of corporate IT and how do you think this impacts your function? Send us your thoughts; we would love to hear from you.

Denotes content for IREC clients. Following the link will log you in automatically or take you to a page to determine whether your firm holds a membership.

1) Information over process. Rather than providing business process automation, IT organizations will be tasked with providing information and value will be added by linking multiple different sources including legacy and unstructured sources to help with critical business decisions. With data becoming easily accessible and combined in useful forms there is always danger that: a) there are additional sources of data leakage, and b) data could be combined to reveal individual identity (i.e. “date of birth”, zip code, and gender could help you uniquely identify a person). Risk assessments that currently focus only on applications or even business process will need to be updated to include data based risk assessments and the scope of these assessments will need to double click on contextual data loss risk. Updating and training end users on data classification will also become more critical.

2) IT Embedded in Business Services. Rather than continuing to exist as a large standalone functions, infrastructure and applications will be embedded into business services. Over the past 2-3 years CISOs have retaken responsibility for security operations that had previously been devolved to IT, with ~ 80% of CISOs currently owning operations. As IT gets embedded into business services, the pendulum may swing the other way again, where CISOs will have to rethink the delivery of security without true ownership of operations.

3) Externalized service delivery. As delivery becomes predominantly externalized, internal functions will become brokers and not providers. For CISOs this would mean a renewed focus on third party risk assessments, with special focus on surfacing and triaging third party relationship, as well as increased use of certifications to manage the volume of assessments conducted by CISOs. In addition this will also require people with skills can effectively manage third party assessments which includes expertise in project management plus a hybrid of legal/audit/security expertise.

Do you see some of the overall trends affecting IT as outlined in the future of corporate IT and how do you think this impacts your function? Send us your thoughts, we would love to hear from you.

Denotes content for IREC clients. Following the link will log you in automatically or take you to a page to determine whether your firm holds a membership.

Our most popular post over the first year was about Five Properties of Passwords that Must be Managed to Reduce Risk.

We celebrated our anniversary a little early last week by updating the blog’s header with the Corporate Executive Board’‘s new logo.

We would like to thank everyone who has visited the site and commented on our posts for helping make our first year of blogging a success.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. As a result, we find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive translocation of IT do-ers.

The Five Radical Shifts

1. Information over Process
Competitive advantage from information technology will shift toward customer experience, data analytics, and knowledge worker enablement; consequently, information management skills will rise in importance relative to business process design.

2. IT Embedded in Business Services
Centrally provided applications and infrastructure will be embedded in business services and delivered by a business shared services organization

3. Externalized Service Delivery
Delivery will be predominantly externalized as vendors expand service provision and internal resources become brokers not providers.

4. Greater Business Partner Responsibility
Business unit leaders and end users will play a greater role in obtaining and managing technology for themselves where differentiation has more value than standardization.

5. Diminished Standalone IT Role
IT roles will embed in business services, evolve into business roles, or be externalized. Remaining IT roles will be housed in a business shared service group. The CIO position will expand to lead this group or shrink to manage IT procurement and integration.

Implications for Information Security

This section added after the original post.

We have a new series of posts about some of the ways these five shifts will affect the Information Security function.

Learn More

An executive summary of the work can be found here.

IREC members can download the 5 volume study and register for the series of teleconferences here.

Non-members can try for a limited number of seats to attend the teleconferences. Register here. Contact us for more information.