Risking Alpha

Taking a chance on value-focused information security

Archive for the ‘business alignment’ Category

Cyber Theft of Corporate Intellectual Property: The Nature of the Threat


Here is a recently released report, developed by The Economist’s Intelligence Unit (EIU), about intellectual property theft that I had the opportunity to assist with. I was one of the 10 security professionals that they interviewed, along with others such as Eugene Spafford, Alan Paller, and John Stewart.

The unique thing about this report is that it was supported by a March 2012 survey of 352 business executives, of which forty-two percent were board members or C-level executives, including 95 CEOs – a collective group that is rarely queried about their thoughts regarding information security. As a result, the report helps to illuminate the beliefs of senior leaders as it relates to the importance of information security.

Of interest is the discrepancy between how frequent and widespread senior leaders believe intellectual property theft to be in general and what they have directly experienced within their own firms. While survey respondents suggest that cyber-based IP theft is “rampant” or “occurs regularly”, the vast majority (62%) of respondents stated that their firms have not experienced a serious incident. So either the threat of IP theft is overblown or a majority of senior leaders are unaware of the level of IP theft occurring within their firms.

Written by Jamil Farshchi

April 28, 2012 at 6:31 pm

Creating an information security annual report


This seems to be a banner year for security breaches. It seems that almost daily we see headlines about a new breach… Sony, Citi, Google, Lockheed, Epsilon, L3… the list goes on and on. It is therefore no surprise that senior leadership is now–more than ever–interested in understanding the status of the security programs which protect their businesses. But how do we communicate the status of our security program to our leadership? I suggest that we use an information security annual report.

Today’s Approaches

Typically as technologists we gravitate to things like the number of critical vulnerabilities, network connected systems, systems with elevated privileges and the like. But let’s be honest—senior leadership rarely (if ever) understands such measures, so we need a better way of contextualizing the information for them.

Another approach is to pull out audit and compliance reports. Things like the annual FISMA reports provide some level of performance measurement by giving grades for information security. But compliance is not always a good indication of security posture because it is focused only on control effectiveness (not the threats), is not tailored to the organization (Agriculture is treated the same as Homeland Security), and fails to measure the success of security as it relates to supporting business objectives.

Benefits of an Annual Report

In an effort to address the weaknesses I suggest the creation of an information security annual report. This report will focus on a variety of success factors which span mission support, technical security, compliance, future initiatives and risks. This type of report has several benefits.

First, it can be tailored to suit your organizational needs. Want to speak to your success in compliance? Include it. Management doesn’t care about low-level technology? Don’t mention it. Your team wants some visibility for their accomplishments? Add in names next to each achievement.

Second, an information security annual report can be used as a tool to communicate your program to external stakeholders. Use it to orient auditors to the strengths and weaknesses of your program. Use it when speaking to peers to baseline your program relative to theirs. Use it when speaking to clients who want to better understand if you can effectively protect their data. There are many potential applications.

Third—and most important—the report can be used to communicate the status of your program to senior leadership and the broader workforce. Just as an annual financial report describes the current status of the business and associated risks, an information security annual report should describe the current security posture, key initiatives, forward-looking projections and risks to the program.

Information Security Annual Report Outline

Because an information security annual report is necessarily specific to an organization, there is no way I can do justice to the entire spectrum of things that could be included in such a report. Instead, I will provide a high-level outline of a typical report that I use to give you a good idea of some key areas to focus on. Don’t be constrained by this outline; it should just serve as a basis for your own tailored report.

1. Executive Summary. Your audience likely is strapped for time so stick to the facts – bullet point the highlights of the report into one summary page. Speak to things like budget performance, partnering with the mission, event remediation times, SLA performance, audit performance, etc.

2. Aligning Security with the Mission. Use this section to describe the inter-linkage of the business strategy with that of the security program. Include a graphic of the security strategy, speak to things like business impact analysis (and associated activities), workforce communications, which business activities the security budget is being spent to protect, etc.

3. Security Supporting Organizational Agility and Resilience. Whereas section 2 is focused on business alignment, this section speaks to how security is supporting the technology which underpins the business. Highlight things like business and technology mapping, security usability and specific activities which enable the successful execution of the business such as transmission encryption to facilitate secure transactions, collaboration security to enable R&D partnerships, implementation of mobile security to aid new service offerings, etc.

4. Measuring Cyber Security Performance. This section should be heavily focused on quantifiable performance measures—but only those that can be reasonably understood by your audience. Examples include event remediation times, reduction of audit findings, systems with configuration management, systems continually scanned, etc. Note: always try to use percentages rather than raw numbers as they are easier to contextualize.

5. Plans to Leverage Security in New Ways to Create Competitive Advantage. This is your opportunity to describe the new initiatives you are or will be undertaking to differentiate your program. Ensure that you tie each initiative to a specific goal and align it with a strategic business area. The key here is to demonstrate that you both understand the needs of the business and know how to deliver solutions to those needs. Don’t just list “Data Loss Prevention”; show which business unit it will help and, if possible, show (financially) how much it will help.

6. Security Technology Capabilities. Now for the geeky part. This is an opportunity to show the reader that you have a robust technology suite in place to help ensure ongoing protection of the business. If possible, create a bulls-eye chart and list each technology at each layer, starting with perimeter defenses and then building inwards. This helps the reader to visualize the layers of protection and allows you to direct the reader to areas of deficiency.

7. Risks to Continued Progress. At this point you have described the status of the program and can now lay out the risks. Some typical risks to consider for inclusion are a significant security event (leading to data loss, outage, etc.), regulatory risks, user errors (malicious or accidental), budget risks, and talent acquisition and retention.

8. Cyber Security Team Contributors. Don’t overlook the benefit that an annual report can have for your staff. Not only have they worked tirelessly to secure the organization, they have helped you to realize your vision of enabling the business with best-in-class security. Recognize them for their efforts.

Final Thoughts

As you probably already guessed, you will want to be sure that you understand (and align with) the business you are trying to secure, have a codified security strategy in place, and have some meaningful performance measures that you track. But assuming you have those core components implemented, creating an annual report is just a natural extension of those activities and provides a meaningful way to promote your program’s progress toward business goals.

So there you have it, an outline for an annual information security report. I hope that you will take some time and consider developing one for your program. It won’t stop the next major security breach but it will certainly help you communicate the status of your program to interested stakeholders.

If you are interested, I have redacted versions of annual reports that I have used in previous roles that I would be happy to share. Feel free to reach out to me if you are interested.

Thanks

Jamil

Written by Jamil Farshchi

June 13, 2011 at 4:40 am

Revenues, risk and reality


There is an excellent article on Venture Beat regarding the recent Playstation Network (PSN) compromise which demonstrates why we must tailor our programs based on business revenues when determining our loss exposures rather than blindly subscribing to arbitrary account-based assumptions published by organizations like the Ponemon Institute.

So let’s work this one out and see which loss estimate seems more plausible:

Revenue-based:

Michael Pachter, an analyst at Wedbush Morgan, estimates that Sony makes about $500 million in annual revenue from PSN sales of downloadable games, movies, music etc. So that comes out to about $10 million per week.

This article is a bit dated (published on 4/26) and we now know that Sony is also likely going to give all PSN customers some additional freebies, likely 30 days of some free downloads. So let’s just presume that this equates to another 4 weeks of lost revenue. Therefore, Sony was out for 2 weeks due to the compromise, equating to about $20M and we will add in another $40M in customer retention fees and credit protection, which results in an estimated total loss of $60M.

Account-based (Ponemon report estimates):

But Forbes cited a study by the Ponemon Institute, a think tank on security, that estimated the cost per person for a data breach is $318. That means the potential cost of the PlayStation Network breach could be more than $24 billion.

So if we use the account-based loss estimates we derive a loss expectancy of $24B based on the 77M accounts that were compromised. If we use the revenue-based approach we derive a loss expectancy of about $60M (which is actually a bit exaggerated due to the fact that the PSN business model is not subscription fee-based).

$24B vs. $60M…which makes more sense? Let’s do a back of the envelope break-even analysis to put this into context:

Ponemon says that the loss estimate per account is $318. That will be our “fixed cost”. Sony generates $500M/yr for the PSN service and has 77M accounts, which means they make approximately $6.49 in revenues per customer per year. And from the article, Sony is generating 30% margins. So $6.49 × 0.3 = $1.94 in profit per account. Therefore, variable costs = $6.49 − $1.94 = $4.51/acct.

So when we put these numbers into our break-even analysis, we determine that if Sony were to experience a $24B one-time expense for this event, then it would take Sony 165 YEARS just to break even. What does that tell us? It says that either Ponemon is incorrect or the Sony management does a horrific job of risk analysis.

Maybe Sony underestimated the risk of loss due to a PSN breach, but based on their actions it is clear that they are not scrapping the PSN service, which indicates that management believes the losses are going to be much closer to $60M than $24B. This case is a great example of why I continually argue that as a profession, we must measure our loss exposures based on the business unit revenues. At the end of the day, if the actual loss exposures were anywhere near what the account-based estimates suggest, then every company would spin off all of their business units to avoid this type of exposure. I mean, why would any reasonable manager accept the risk of a $24B loss when the unit is only generating $500M? They wouldn’t.

The beauty of aligning your loss estimates with revenues is two-fold. Not only does it give you more accurate estimates, it is also much easier since revenue numbers are easy to come by and are directly applicable to your specific organization.

Written by Jamil Farshchi

May 1, 2011 at 6:36 pm

Posted in business alignment, IT risk


Security and Business Alignment


I had the pleasure of attending the CSO Perspectives conference a couple of weeks back and participated in a security and business alignment panel. I expected it to be a typical discussion on the topic, but during the Q&A an interesting dialogue started on the topic of whether Epsilon’s security program was aligned with its business. For the most part, the audience suggested that the Epsilon security program was not aligned – but then one of the CISOs challenged the audience by saying that he believes that the Epsilon security program was aligned. Why? Because it is a low margin business and the additional cost of improved security would have made them less competitive.

To answer this question, we must first ask ourselves what security and business alignment actually means. I’ll start with a personal story about alignment of expectations: The other day I was riding my mountain bike down an off-road trail and I came to a 6 ft drop. I stopped, assessed the situation, and decided to dismount and walk past the drop. I understood the risk, the likelihood, and the potential impact of riding down the drop – and I balked. Call me a sissy if you want (my friends did), but my expectations were aligned. I knew that I had a fairly high probability of face-planting upon landing and I didn’t want to look like Scarface for the rest of the month.

In the end, this is the essence of alignment – one knows the risks, the likelihood, and the potential impacts, and then makes a decision either for or against continuing the activity. We won’t ever truly know if Epsilon was aligned or not. They were compromised as a result of poor security, but who is to say that it wasn’t a premeditated decision to not pursue more advanced security controls? Did the security program adequately characterize the risk, understand the likelihood, and quantify the impacts? If they did, and there was a decision to go ahead without the additional security controls, then I would tend to agree with the CISO who suggested Epsilon was aligned.

At the end of the day, I posit that security and business alignment is realized when the business is aware of the risks and can make meaningful decisions on the information. So just because an event occurs, it does not necessarily mean that security and the business are not aligned. As Dr. Robert Oppenheimer once said “If the probability isn’t zero, then it will happen” – and the same holds true for security. We just need to be sure that we understand those probabilities and associated impacts so we can manage to them as best we can.

Written by Jamil Farshchi

April 23, 2011 at 12:14 am