Back to Basics On IT Security

One of the memorable quotes from the movie Bull Durham was: "This is a very simple game. You throw the ball, you catch the ball, you hit the ball." Information security is like baseball: you encrypt the data, you decrypt the data, you use the data.

As 2011 starts, the key to data security is to focus on the security fundamentals while also looking to new technologies. Here are some of the fundamentals:

Governance and oversight. Why do many enterprises place their laser toner cartridges in a locked room? Everyone knows that even with all of a bank's dedicated employees, a few bad apples can make a lot of expensive office supplies disappear quickly. But are the terabytes of a bank's data adequately locked? If not, a ten-dollar USB thumb drive can carry away unimaginable amounts of corporate proprietary and sensitive confidential data.

Where does the security buck stop? The reason a bank has a CFO is to ensure the management of financial risk, in addition to effective financial planning. Just as your finances need a smart person to be on top of them, so too does your data. Even if your data is locked, is there a person who's charged with overall governance and oversight around all things information security? If not, you don't have information security. If there is no security oversight, kiss your data goodbye.

If your chief information security officer (CISO) is not at least as smart as your CFO, then you will have much less control over your data. Given that data is the lifeblood of many organizations, the lack of an effective CISO can be information suicide. Only an individual with strong business savvy and security knowledge can oversee security planning, implement policies and select measures appropriate to business requirements. That person is the CISO. Make sure your firm has one.

Security standards. They say about Chicago that if you really hate the weather, just wait an hour, and it will probably have changed by then. Computer security is like Chicago weather: it's dynamic, and there are always new threats on the horizon. Strong corporate security standards are needed to deal with the new security technologies that will find widespread adoption in 2011. Be it social media, cloud computing, videoconferencing or more, these technologies must have security standards upon which they can be built. Lack of standards means that security will eventually have to be retrofitted. The significant problem there is that any retrofit is always a much more expensive endeavor than doing it correctly in the first place.

Demonstrate the value of security with technical and financial metrics. Your CEO, COO, CFO, and executive board don't care if you use Check Point or Juniper. What they want to know is how effectively the bank is protected. Communicate that the bank's risk exposure is in check. If you can demonstrate to the executives that the security group uses mature risk frameworks to manage the bank's risk posture, you'll have won them over.

Scare them, but don't FUD them. Once again, you can assume your board members are very intelligent to have been appointed to such executive leadership positions. So don't use fear, uncertainty and doubt, but instead, let them know that it is no longer "their mother's network."

The threats facing most networks today are significant. The Yankee Doodle virus of the 1990s did nothing but annoy you. But today's attacks are targeted and stealthy. If you are a Fortune 500 organization and not discovering at least two attempted attacks per week, then you need a better monitoring program.

Open source is your friend. If you asked someone 10 years ago if you could have "no zero" for security software with a strong security program, you would have been laughed at. Today, no one is laughing at open source security software and tools. The essential benefit of open source is not necessarily that it is free; rather, that organizations that use open source generally understand their problems better. They take a more tactical approach to security fixes by using open source.

My experience is that banks that have embraced an open source security program, combined with a highly technical staff, generally have a much better understanding of their core security issues, as opposed to blindly throwing tools at the problem.

Not that open source is a panacea. When open source tools are deployed and configured incorrectly, they can introduce more risks than they stop. But banks that realize that open source can be their friend and embrace it are generally those that truly "get" information security.

Know the hot security technologies for 2011. Core security technologies such as firewalls, encryption and intrusion detection will continue to be needed in 2011. As well, some of the hot security technologies for this year include those that enable banks to secure corporate data on iPads or iPhones, and those that protect against targeted attacks: the recent Stuxnet malware attacks show that targeted attacks are growing, and banks need a way to avoid them. Social media control is another: banks such as JPMorgan Chase, Citi, US Bank, and others have created corporate pages to interact with their clients, and other banks will look for security controls to ensure they can use social media without the security risks.


Ben Rothke CISSP, CISA is a senior security consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).
