Mitigating Security Risks in Turbulent Times
By the Computerworld Philippines Staff
October 1, 2009
The global credit crunch has changed the way many companies conduct and manage their businesses so much that managing and mitigating all kinds of risk has become an increasingly popular practice. One area that is vulnerable and prone to attack during turbulent times is the IT security infrastructure, prompting companies to become more vigilant and to update their security policies.
Thus, for this issue’s roundtable feature, Computerworld Philippines asked three IT chiefs to share their thoughts and strategies on managing security during an economic crisis.
“Actually, there is no peace in information security. We constantly face the threats, old and new, regardless of the size of the company and the economic conditions,” reveals Philip Casanova, AVP & head, info security, China Banking Corp.
For his part, Edwon Fallorina, director for IT & head of systems, e-Scribir, Inc., says that mitigation and problem-solving require a substantial amount of company resources.
Ricardo Carreon, assistant vice president, MIS, Fortune General Insurance Corporation, had this to say: “Companies should be on their guard in protecting their data and employing audit procedures to mitigate the security risks and minimize possible terrible results of security failures.”
Excerpts of the roundtable discussion follow:
Computerworld Philippines: What do you think are, or would be, the effects of the current economic crisis on a company’s security infrastructure? What would be the biggest security risk?
Fallorina: The biggest security risk is the insider threat. It presents a major threat that the common perimeter security defense model isn’t well adapted to deal with. The insider threat isn’t just about the physical and online users. It’s also about the insidious devices someone might leave behind, like malware on the network that can keep doing damage long after it’s been planted. It can do a lot more damage than the insider person.
Casanova: The current economic crisis has changed so many ways in how we conduct business. The virtue of prudence has been resurrected and is now a main ingredient in corporate governance especially in decision making. The crisis has also brought about new threats and, at the same time, it also awakened old sleeping threats, thus, fraud is likely to increase at these times of crisis.
Chief Information Security Officers (CISO) like me are expected to achieve more with the same or less budget and manpower resources. “Lean is in,” as the saying goes.
There is a resounding warning, just short of a stern one, from the board and management to ensure compliance with the requirements of regulatory bodies and stakeholders. In our case, we need to comply with the Central Bank’s regulations. Also, the awarding or renewing of a major outsourcing deal depends on their Payment Card Industry – Data Security Standard (PCI-DSS) certification.
The board and management are more aware about information security issues. The usual style of using Fear-Uncertainty-Doubt (FUD) is not effective anymore. Prudence is exercised by board or management committees in any information security related spending.
Actually, there is no peace in information security. We constantly face the threats, old and new, regardless of the size of the company and the economic conditions.
Carreon: The current economic crisis amplifies security risks on a company’s infrastructure. As the crisis continues to step up, companies look for ways to save money by cutting IT budgets and decreasing expenses on their security infrastructure. Consequently, businesses are exposed to an increased risk of data infringement or intrusion.
CWP: How can security risks be mitigated during an economic crisis?
Fallorina: Mitigation and problem solving require a substantial amount of company resources. To be able to maximize the operational costs needed in risk mitigation, the “Process, People and Technology” framework is always recommended and has proven to be the most efficient and effective approach in implementing risk management and mitigation, not only during an economic and financial crisis but also in all aspects of project management.
The process aspect of the framework always starts with the business process review and validation. Here we identify our “AS-IS” processes and understand the current organizational and functional structure of the organization. Identify processes which are vulnerable and implement measures to address process gaps that can result in information security risks. It’s also important to benchmark current security practices against available and applicable sound practices of other companies.
It is also critical to document processes and draw high-level process maps including high risk processes. Identify the information or data that should be protected. You should know what should be published to the public and what are the data or information that should be kept and protected especially those with high commercial values.
As for the “people” aspect of the framework, insider threats are more dangerous and successful than external threats. So it’s important to know your people like the back of your hand. Be vigilant and always keep an eye on suspected personnel. Always do background checking with new or returning employees.
There are also non-technical threats which need to be identified, such as disgruntled employees, lack of education, corporate espionage, and misuse of IT privileges. So have your employees sign confidentiality agreements as well as non-disclosure, non-circumvent and non-poaching agreements.
Now once you’ve identified the operational risk during the business process review or you had identified insider/internal risk, you can now select the most effective technology available to mitigate security risks within your organization. ROI calculation for the security mitigation implementation will be easier. I believe in the philosophy, “you can only manage what you can measure.”
Carreon: Companies should be on their guard in protecting their data and employing audit procedures to mitigate the security risks and minimize possible terrible results of security failures. They must always introduce improvements on their IT system by updating to more modern and better but cost-effective security devices. It is also advisable to adopt changes in new policies and procedures even if those might require new investments in keeping technology infrastructure safe. A regulation a company can implement is to restrict the use of popular social networking sites and Internet instant messaging systems.
Be aware and cautious of the so-called “Sneakernet.” From Wikipedia, Sneakernet is a tongue-in-cheek term used to describe the transfer of electronic information, especially computer files, by physically carrying removable media such as magnetic tape, floppy disks, compact discs, USB flash drives, or external hard drives from one computer to another. Sneaker refers to the shoes of the person carrying the media. This is usually in lieu of transferring the information over a computer network. Though this mode of data transport has a trade-off advantage between latency and bandwidth, it causes an extra load on internal and external security.
Casanova: It’s about time to update the organization’s information and information system’s risk management strategy. This will give the organization a high-level understanding of the risks and the corresponding strategy to mitigate these risks.
Generally, we follow a number of important steps when developing or updating our risk management strategy. The steps would normally include identifying the information assets and indicating their value; determining the threats to these information assets with the corresponding likelihood and impact of these threats; and computing the resultant risk by using the information asset value, threat likelihood and threat impact.
We then review the resultant risk together with the effectiveness of the compensating controls to address the threats identified. This is now what we call the residual risk.
Risk management strategies are then developed to address the Residual Risks. At the minimum, the strategy must include organization, process, and technology implementation initiatives.
The strategy should then be presented to the board, management, and other stakeholders.
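The computation Casanova outlines above (asset value, threat likelihood and threat impact combined into a resultant risk, then discounted by the effectiveness of compensating controls to give the residual risk) is shown here as an added worked example. It is the editor's illustration, not code from China Banking Corp. or any of the participants. The 1-to-5 scoring scales, the multiplicative formula, the 0.0-to-1.0 control effectiveness, the risk appetite threshold and the sample register entries are all assumptions made for the example.

```python
"""Risk register computation: resultant (inherent) risk and residual risk.

Editor's added example, not code from any roundtable participant.
Assumed scales: asset value, threat likelihood and threat impact are each
scored 1 (lowest) to 5 (highest); control effectiveness is the fraction
0.0 to 1.0 of the threat the compensating control is expected to neutralize.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                         # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully mitigated), assumed scale


@dataclass
class Asset:
    name: str
    value: int                          # 1 (low) .. 5 (critical), assumed scale
    threats: list = field(default_factory=list)


def _check_range(n, lo, hi, label):
    """Reject scores outside the agreed scale so a typo cannot silently skew the register."""
    if not lo <= n <= hi:
        raise ValueError(f"{label}={n} is outside the allowed range {lo}..{hi}")


def inherent_risk(asset, threat):
    """Resultant risk = asset value x threat likelihood x threat impact (1..125 on the assumed scales)."""
    _check_range(asset.value, 1, 5, "asset value")
    _check_range(threat.likelihood, 1, 5, "likelihood")
    _check_range(threat.impact, 1, 5, "impact")
    return asset.value * threat.likelihood * threat.impact


def residual_risk(asset, threat):
    """Residual risk = resultant risk x the share of the threat the compensating control does NOT cover."""
    _check_range(threat.control_effectiveness, 0.0, 1.0, "control effectiveness")
    return inherent_risk(asset, threat) * (1.0 - threat.control_effectiveness)


def risk_register(assets):
    """Rows of (asset, threat, inherent, residual), highest residual risk first.

    Ties are broken by inherent risk, then by name, so the ordering is deterministic.
    """
    rows = []
    for asset in assets:
        for threat in asset.threats:
            rows.append((asset.name, threat.name,
                         inherent_risk(asset, threat),
                         round(residual_risk(asset, threat), 1)))
    rows.sort(key=lambda r: (-r[3], -r[2], r[0], r[1]))
    return rows


def above_appetite(rows, appetite):
    """Rows whose residual risk still exceeds the board's risk appetite and need a strategy initiative."""
    return [r for r in rows if r[3] > appetite]


# Constructed sample register (hypothetical assets and scores, not any company's data).
SAMPLE_ASSETS = [
    Asset("core banking database", 5, [
        Threat("insider data theft", likelihood=3, impact=5, control_effectiveness=0.4),
        Threat("SQL injection via web front end", likelihood=2, impact=5, control_effectiveness=0.8),
    ]),
    Asset("branch workstations", 2, [
        Threat("malware carried in on USB media (sneakernet)", likelihood=4, impact=3,
               control_effectiveness=0.5),
    ]),
]

RISK_APPETITE = 20.0  # assumed threshold on the residual scale


if __name__ == "__main__":
    for asset, threat, inherent, residual in risk_register(SAMPLE_ASSETS):
        flag = "  <-- above appetite" if residual > RISK_APPETITE else ""
        print(f"{asset:24} {threat:48} inherent={inherent:3} residual={residual:5.1f}{flag}")
```

With these constructed scores the insider threat against the core banking database keeps a residual risk of 45.0 (75 inherent, 40% mitigated) and is the only entry above the assumed appetite of 20, which is the kind of ranked output that goes into the strategy presented to the board.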
CWP: What areas of an IT infrastructure should be fortified?
Carreon: There are several areas of an IT infrastructure that should be fortified. Importantly, these are security procedure compliance, network access and identity control, data protection and document leakage. Security procedure compliance must always be observed by conducting more regular monitoring and review of the rules and regulations set for network infrastructure utilization. Network access and identity control must always be audited by adopting stricter network user profile maintenance. Deploying more advanced security devices helps a lot in this area. Sneakernet must be controlled to have data protection and eliminate document leakage.
Fallorina: Defense against unauthorized access to information always starts with the implementation of policies, procedures and awareness campaign, followed by the tightening of the physical security. Fortification starts with the perimeter and internal network layer followed by the host (desktop and servers) then the application layer and the most important to be secured is the data.
Casanova: I have always used organization, process, and technology when I categorize risks and strategies for information and information systems.
Organization includes ensuring that there is a governance structure, security awareness, and measurement of security program’s effectiveness. Process includes the information security management activities such as risk management, logical access control, physical and environmental security, incident handling, data classification and handling, third-party reviews, and business continuity management. Technology includes software and hardware solutions to aid the proper implementation of the information security processes to ensure the protection of information and information systems (i.e., application, server, databases, network, desktop, and hand-held device). Some examples are firewalls, intrusion detection/prevention systems, data leakage protection, hard disk encryption, biometrics, access control cards and tokens.
CWP: What strategies, methods or technologies would help a company fortify these critical areas?
Fallorina: Implement security awareness campaigns within your organizations. Institutionalize and ensure strict implementation of IT and security policies.
Implement intrusion detection systems (IDS) using network IDS, host IDS, and honeypots. It is also important to implement IDS management systems by incorporating event messages from third party security products.
IDS should always be an additional protection mechanism. Filtering, hardening, patching, and system monitoring are more important. Products should be selected only from players with a reputation in security management. Select security vendors who can offer the full product spectrum and feature interoperability and cross-platform support.
Think like a “hacker” and be familiar with “What Hackers Don’t Want You to Know.”
Currently, we are monitoring more than 200 attempts daily, of which 3% come from within the country and 1% of those identified are from local business competitors. Our spam and virus filtering system rejects more than 400 emails daily with potentially unsafe links and contents.
Casanova: Innovation is the key to managing the challenges brought about by this global economic crisis. This was noted by experts long before the current economic crisis smacked us. Innovations should revolve around the organization, process, and technology.
More than ever, CISOs must align their security programs with the business strategy. Whether we like it or not, a good business case is required to get approval especially at this time when money is hard to earn. So empower your organization. Move on from the “cops and robbers” game. Don’t wait for IT or users to make a security violation. Train your IT guys to configure and maintain secured systems. Teach your employees about information security through various awareness campaigns.
Use established processes; don’t reinvent the wheel. Leading practices are widely available. The ISO 27K series has been maturing. They now even have a guideline on Information Security Risk Management (ISRM) under ISO 27005. cisecurity.org has been consistently providing us with benchmarks and scoring tools for commonly used technologies.
For technology, security information and event management (SIEM) is becoming a necessity. This has a sure business case for medium to large scale businesses given the benefit that a significant number of man-hours will be reduced in monitoring system intrusion logs. The risk management process is already ripe for automation.
“Consider” using free security tools for the short or medium term requirements but, again, with caution. Make sure it has been tested thoroughly and independent reviews or user feedbacks are available.