ISE® Northeast Executive Forum 2013

Big Data – Buzz Word or Way of Life?

Dr. Robert Zandoli
Global Chief Information Security Officer
ISE® Northeast Executive Award Finalist 2010

Roundtable Summary

The data that businesses are processing has increased significantly in complexity, sensitivity and sheer volume. Companies have gone from routinely managing gigabytes and terabytes to petabytes and exabytes of data. As the amount of data flowing through networks has grown, so too have the ways in which organizations collect, store, use and share it. For example, companies are increasingly centralizing dilute data, storing data in public and private clouds and using third-party collaboration and social media platforms. Big Data, when properly analyzed, can deliver tremendous business value to an organization. But it goes without saying that centralized, extremely large volumes of data carry a significant security impact – both in terms of target-worthiness and security controls.

Today’s extended, cloud-based, highly mobile business world has rendered obsolete the prevailing security practices reliant on perimeter defenses and static security controls requiring predetermined knowledge of threats. Industry focus has shifted to put as much emphasis on broad threat awareness as it has on prevention, and knowledge is power when protecting information assets against cyber threats. Driven by the need to respond to incidents in real-time, it’s predicted that Big Data will transform nearly all core technology segments in information security within the next two years, fuel intelligence-driven security models and reshape security approaches and spending. The result of integrating Big Data into security practices will be greatly enhanced visibility into IT environments, the ability to distinguish suspicious from normal activities and vastly improved capabilities for incident response.

Dive deeper into the discussions and share your ideas with your executive peers:

  • Do you believe that security data collection and analysis would be considered “Big Data” at your organization?
  • Properly securing and governing Big Data is a growing challenge. How can organizations best address the inherent security concerns - and, in fact, use Big Data analytics to improve the security posture?
  • The skills shortage - do we need data scientists to manage Big Data? What does Big Data mean in terms of IT security staffing levels?
  • Active or dynamic defense is a way to proactively deal with cyber attacks and may be the future of cyber security. While it emphasizes real-time information, broader situational awareness and speed, it also raises concerns about privacy, the sharing of classified information and the militarization of cyberspace. Agree or disagree?
  • What will be the nature of security analytics that enable security executives to take advantage of Big Data trends – whether by human analysis, or by analytics integrated within the platform?
  • From Big Data to Skynet. Big Data is being applied in new ways to enable security controls that are adaptive, risk-based and self-learning so that security is continuously evaluated and the level of protection automatically adjusted based on environmental and risk conditions. To what degree can Big Data in IT security remove the human element?
  • As organizations migrate from point products to unified security architectures, they need to think strategically about which security products they will continue to support and use. In what ways can solution providers best help organizations transition from legacy technology investments to open and scalable Big Data security tools? What impact is this likely to have on IT security budgets?

BYOD 2.0 – A New Era in Mobile Security

Cathy Beech
Chief Information Security Officer
Children's Hospital of Philadelphia

Roundtable Summary

Analysts predict tablet and smartphone shipments to reach 258 million and 1.4 billion units by 2016, respectively. Further, experts forecast approximately 186 billion application downloads by 2014. Most mobile applications and devices lack appropriate security features – leaving the threat landscape wide open. Facing increasing security risk, businesses are confronted with the question of how to make productive use of the technology without taxing available IT resources or compromising the security of corporate data.

One camp of security experts advocates that the answer to BYOD is to secure the data, not the device. By implementing cloud-based, device-agnostic security models and application architectures, IT can move beyond device provisioning into the business of service provisioning. Others assert that enterprise security on mobile is an unsolved problem in need of innovation, and that there is a growing need for new solutions that go beyond securing the device to also secure applications with tamper protection and detection, real response as well as secure storage to enable secure mobile apps and transactions. With a goal of delivering a simple security solution that improves users’ confidence and experience, a new generation of mobile security companies is bringing ground-breaking, application security solutions and intelligence technologies to market.

A survey* conducted by T.E.N. to evaluate the perspectives and intentions of senior security executives and their organizations as they relate to BYOD underscores market readiness and a growing desire for new control technologies. A higher than anticipated 20% of respondents, for example, are using advanced capabilities of solutions to provide virtual machines and/or sandboxing techniques to users.

Dive deeper into the discussions and share your ideas with your executive peers:

  • According to the T.E.N. BYOD survey, mobile security is still a work in progress. While most companies implemented 6 controls, 18% of organizations employ 2 or fewer controls – while 14% of organizations employ 10 or more controls. What drives confidence in a control; and how can security executives best align risk with controls?
  • What are the realities of mobile application security versus securing only the mobile device?
  • What are the best practices in securing any mobile app, any device, any time?
  • Most enterprise IT departments are reluctant to get rid of existing solutions because the effort of untangling them from their internal systems is too difficult. In what ways can security executives champion a re-education and drive readiness within the enterprise for the coming change in mobile security?
  • For CIOs, BYOD is an opportunity to outsource cost to employees. To what degree does this represent a true cost savings?  What needs to happen for organizations to achieve a low mobile security total cost of ownership?
  • BYOD initiatives often create more headaches for CIOs than necessary. Should companies consider creating a Chief Mobility Officer to handle BYOD and other communications solutions associated with next-generation devices?
  • Uncompromised user experience and simplified operations are at the core of BYOD. What are the best practices in delivering on these expectations while reducing risk and delivering a secured environment?

*Survey was conducted from September through November, 2012 of over 150 senior security managers and executives who represent the peers of the Information Security Executive network.

Convergence of the Cloud – A Nexus of Forces

Denise Hucke
Executive Director
JP Morgan Chase & Co.

Roundtable Summary

There is widespread agreement that Mobile, Big Data and Cloud computing are the three cornerstone issues of tomorrow’s business environment. Their convergence will change the face of IT and will greatly impact the foundation of information security strategies. It’s not a coincidence that the profile of these three business challenges rose in parallel. Mobile, Big Data and Cloud are not siloed concerns easily addressed in isolation. They exist in an overlapping matrix, where the importance of each issue increases because it leverages, or helps solve, an issue raised by one of the others.

The convergence of Mobile, Big Data and Cloud is mirrored by the convergence of the Cloud itself. Converged cloud enables enterprises to incorporate a blend of public, private and managed cloud services with their existing IT to create a seamless hybrid environment that rapidly adapts to their changing requirements. While mobile devices and the cloud are changing the way infrastructures are built, applications are developed and information is delivered, the converged cloud represents an emerging technology platform that offers the flexibility and portability of applications and critical business data as well as the confidence and consistency in delivering the right services to users over time.

While many organizations are ready to move mission-critical apps and even regulated data to the cloud, security continues to be a concern. A survey* conducted by T.E.N. to evaluate the perspectives of senior security executives and their organizations as they relate to Cloud Security bears this out. For example, 52% of executives believe their organization is better at monitoring events, compared to 42% who believe the cloud service provider is better. Further, 84% believe it is harder to manage security in a cloud environment compared to in-house.

Dive deeper into the discussions and share your ideas with your executive peers:

  • What applications and data have you moved or are considering moving to the cloud?
  • Industry experts warn that public clouds are not traditional hosting environments and that migrating applications to the cloud is not the path to lower costs and flexibility. Rather organizations should focus on how to best leverage cloud platforms to transform processes and enable new capabilities to existing applications. Discuss.
  • One of the benefits of cloud computing is the cost efficiency of an operating expense versus a capital expense model, yet the cost of assurance can reduce any cost savings from moving to the cloud. What are the best practices in realigning budgets to address cloud security and manage risk?
  • According to the T.E.N. Cloud survey, finding effective ways to measure the health of controls has a way to go. Only 22% of respondents are actively monitoring. At 76% and 65%, there is a high reliance on contract language and third-party audits, respectively. Coming in at 32% each are initial onsite and periodic onsite visits. What drives confidence in a cloud service provider? To what degree can standardized assessments, better onsite checking and industry initiatives drive trust in cloud controls?
  • With convergence in the cloud, security organizations are challenged to find talent with cloud experience. What strategies are you using to develop the team’s technical proficiency in virtualized environments?
  • Mobile, Big Data and Cloud are all part of a single, converged and symbiotic trend. A partial strategy is worse than no strategy at all, and can leave organizations with an inflexible tactical implementation that requires a “rip and replace” approach. How can security executives ensure a harmonic convergence rather than a horrific collision?

*Survey was conducted from September through November, 2012 of over 150 senior security managers and executives who represent the peers of the Information Security Executive network.

Cyber Terrorism – A Clear and Present Danger

David Cass
SVP & Chief Information Security Officer
Fortune 50 Company
ISE® Northeast People's Choice Award Winner 2013

Roundtable Summary

The wave of Distributed Denial of Service (DDoS) attacks against some of the top U.S. banks reveals the massive digital fire power and level of coordination and planning associated with next-generation threats – and demonstrates a remarkable evolution within the world of DDoS attacks. More widespread than generally believed – with over two-thirds of banks attacked within the last 12 months – these attacks leveraged the Cloud to direct upwards of 70 Gbps of traffic to the affected networks. Beyond disrupting services and bringing websites and the associated eCommerce infrastructure to their knees, the attacks raise concerns that they are camouflage for other assaults. Further, other industries are at risk. Security professionals express concerns that large-scale attacks will be carried out on the information technology powering an element of the United States infrastructure, with utilities, energy and financial institutions being the more likely targets.

Cyber-terrorism is a mounting concern for industry leaders wishing to safeguard their brands, and industry research reveals that more corporate executives are more concerned about cyber attacks and data breaches than property damage and investment risk. As our reliance on the Internet continues to grow, the threat of DDoS attacks and cyber terrorism continues to expand. Organizations need to ensure operational continuity and resource availability with a vigilant DDoS mitigation approach if they want to conduct business as usual.

Dive deeper into the discussions and share your ideas with your executive peers:

  • DDoS attacks have existed for years, but the latest wave brings new threats to organizations. Why are traditional defense strategies and defense technologies insufficient? Where are they failing?
  • The level of preparedness against DDoS attacks is an evolving situation. How should enterprises defend themselves against this type of sophisticated threat? How does this change the way organizations must lock down their networks and systems?
  • Infrastructures are typically not designed to deal with DDoS or other blended threat attacks. How can organizations preserve their operating environment for its intended use? What are the best practices in establishing a first line of defense?
  • DDoS attacks generally spark the question: “Is it just us – or the industry?” How good is a rolodex of security experts and what role might Collaborative Security Intelligence and Co-Opetition play? What is the right frequency of communication with security expert channels?
  • Attackers are escalating the cyber threat by publicly posting advance warnings of attacks. How should organizations respond to such threats? What effect does this have on customer communications, especially if a DDoS attack is successful?
  • It is speculated that DDoS attacks are a cover for other assaults. What is the full potential of the attacks, beyond the initial denial of service? How must the current state of monitoring evolve in order to see all the details?
  • What recommendations for risk mitigation do you have for organizations that are at risk for attack?