Sliding IT security priorities put enterprises at risk

I read somewhere about the government’s intent to increase budget allocation towards fighting and creating cybersecurity awareness. The link was hidden somewhere towards the bottom of the newsletter; quickly I clicked through to read word by word the good news and realized that it was indeed true ! The chart showing CAGR was quite impressive with the trend line going north; then I looked again at the Y axis to find that the investment per annum was so low that the entire news was like actually too scary to be funny.

Not too long ago when I wrote about Creating Secure & Safe Enterprise, many CIOs and CISOs wrote back with their personal experiences; most of them agreed that their realities were reflected within. Some of the interesting facts that emerged is that budgets were a challenge, but then not really a challenge when an incident occurred. With corporate focus on short-term goals and measurement of tactical performance, the biggest challenge that everyone unanimously portrayed was that of sliding priorities with security settling close to the bottom.

Why is security investment such a drag when it comes to budgeting and spending ? Why do enterprises and with that I imply the CXOs who collectively represent the Management believe that they don’t really need to invest in protecting their information assets which are family jewels in most cases ? What creates such a lackadaisical attitude towards creating process, policy, and implementing tools that provide a secure framework to do business despite the fact that threats are increasing and businesses are losing customers, revenue and credibility !

Everyone agrees in principle that security is a must; they (the CXOs) espouse this in conferences and project themselves as the messiahs of information protection and security. When one such leader was asked pointed question on the budget allotted, he sidestepped the question deftly instead talking about how the industry needs to up the ante. The lip service that ignores the elephant in the room is beginning to hurt enterprises. The cause for such an attitude towards keeping the doors and windows open has to be deeper.

I am not that big and not an attractive target for anyone ! Why would any hacker want to breach our security ? Our customer data is locked up on one computer and only two people have access to it; they are both trustworthy. We don’t have anything worth stealing, so why would anyone compromise our systems ? We know internal threats are higher than external, we have information distributed across multiple solutions, so no one can decipher the full picture; we have locked USB, installed anti-virus and firewall, isn’t that enough ?

Is lack of awareness or education creating a false sense of security and complacency ? Or is it a belief that such things happen to others and I am safe ? Is CXO ignorance and indifference an acceptable proposition towards defining the security posture of an enterprise ? When you live dangerously sooner or later an adverse incident does occur and that is when the scapegoat syndrome always ends up pointing fingers at the CIO or the CISO, and/or the service provider. Breaking this paradox is the need of the hour for enterprises.

No one wants to fall sick or die but everyone takes health and life insurance ! Investments in security are like insurance to protect the business. Physical security has seen this paradigm shift with electronic tags and biometric solutions becoming the norm. With the number of threats increasing and new ones emerging, the education of CXOs is not just an imperative but an urgent need. CIOs, CISOs, Internal Audit, and Risk Committees have to own up the information protection agenda and drive it with their collective might.

Using ethical means to understand vulnerabilities and fixing them should be high in the corporate agenda towards creating a safer digital enterprise. Customers and consumers are becoming sensitive to this fact and the probability of them taking their business elsewhere is beginning to happen. A safe and secure ecosystem is required for the extended enterprise including suppliers, contractors, partners, and customers. The writing on the wall is that companies who emerge as secure digital enterprises will be winners of the future.

Where are you ?

Create the best policy but exclude me from it …

The compliance audit demonstrated significant gaps in the processes and policies which had put the new CIO in a quagmire on how to get started. The report was indeed incriminating to the internal and outsourced team; there were numerous cases of process being bypassed or ignored along with weak ambiguous policies and controls. The task appeared to be herculean and the team was smarting from the beating they had received from the CFO to whom the Audit team reported. The CIO had come on board a month back and was still undergoing his induction.

Every company that has an active audit function reviews compliance, risk and process strength linked to defined policies; the frequency of audit varies but at least once a year IT does figure in the calendar. They sift through logs, evidence of process adherence, change requests, documentation, defined standards, IT security, procurement discipline, and exceptions to all of these. For IT the exercise is fraught with danger when in the real world compliance is difficult with almost every senior manager requesting deviation to policy.

To get started the CIO decided to seek help from the audit team who had engaged one of the big audit firms. The audit team was surprised since none of the auditees had ever asked them for help; they dutifully connected the CIO to the Consultants. Citing conflict of interest, they recused themselves from the potential engagement. Not one to give up so easily, the CIO reached out to their competitors and engaged them in a full review of people, process, policy and technology towards creating a practical implementable set of policy.

Months and many iterations later the CIO was satisfied with the end result in which his team had contributed through the process. The classification of policies and associated procedures appeared comprehensive and pragmatic in their intent. The IT team was also content that finally they had markers that would leave little room for exceptions while the outsourced team who is responsible for execution will find it easier to comply. But before putting the plan to action, the CIO sought the opinion of the vocal CFO.

Weeks passed after the documents were emailed with no response; the CIO personally reminded the CFO of the pending request. Time was running short as the next audit was due in another few months and the CIO did not want another negative rating to fend. He also had dependencies on some of the other functions to work in tandem. Much nudging and cornering later the meeting was scheduled. The CIO had his team and the consultants on standby should there be a need to discuss some aspect in detail.

These policies are not user friendly ! The consultant has given you standard cookie cutter templates ! How do you expect senior management to comply with these ? We cannot be expected to change and remember complex passwords every so often. World over businesses are going digital; how can you have a draconian internet access or social media policy ? We need to allow people the freedom to engage with customers ! The world is going mobile; you should allow access to information on demand. You have to figure out a better way to implement security !

The CFO went on shredding the documents deriving satisfaction in his qualification and comment; the impracticality of the suggestions had the CIO wondering if ever the company will succeed in creating a framework that will protect the systems as well as allow for processes that are necessary towards good governance. His counter arguments were brushed aside by the CFO who was unwilling to listen in his quest to add value. The CIO thanked the CFO for his critique and decided to seek counsel from other CXOs towards implementation.

The rest who had lived with far more restrictive policies elsewhere commended the CIO for his rational real-world approach. Soon the next audit came and the results showed significant improvement in compliance which validated the approach taken. The CEO was full of accolades for the CIO while the CFO squirmed and then tried to take credit by highlighting his review prior to execution. The rest knew better and nodded to the CIO on the road taken and positive end outcomes. The CIO thanked everyone for their understanding.

A few weeks later when the CFO requested an exception to a policy which was denied as it required the approval of the CEO who was against deviations !

Creating safe and secure enterprises

Information and Cyber security is becoming a big topic of discussion extending beyond IT; in recent times it has definitely caught the attention of many country heads – Presidents and Prime Ministers alike. Conferences and Summits are being organized with discussions and debate around how to protect sovereign interests and secrets in many parts of the world. It is thus surprising that beyond a few industries like telecom and collectively the BFSI companies, there is very limited traction with CEOs and Boards.

Security breaches are increasingly creating adverse impact on enterprises; many high profile incidents have heightened awareness globally thereby removing the excuse of ignorance for decision makers.  Thus manifestation of interest is easily discerned by the presence or absence of a security function, irrespective of whether it reports to IT or not. Recent survey by global consulting companies indicate improvement over the years though the gap is still quite large to give comfort. Why the indifference or inertia ?

If we go back in time, systems were islands of information; information was exchanged between systems manually or through physical electronic media. Soon there was a way to connect multiple computers and they talked to each other within the computer room or data center. Improvements in telecom networks introduced the ability to connect distant locations though still within the enterprise. The advent of long distance data networks and the internet introduced new possibilities to connect with external stakeholders.

Standardization of data formats and published formats like EDI, XML, and integration using published APIs created new business models as well as collaboration opportunities with Extranets and Exchanges. The interconnected world also brought with it crooks, rogues, greedy and the disgruntled who wanted to disrupt business as usual and profit from enterprise loss. The industry responded with solutions to prevent intrusion, hacking, sniffing, direct and indirect attacks, attempting to create a shield around the end points and the transport layer.

IT was chastised for writing insecure programs that could be broken; they were never expected to write code that would be subject to threats from within or outside as their starting point was information islands. Remedial action demanded layers around the information while business upped the ante to demand information anywhere, anytime, for everyone. Moving from offline transactions to real-time information flow, programs were patched, retired, replaced and then left to run on uncontrolled machines thanks to BYOD.

Conventionally adopted protection technology solutions have been compromised; new vulnerabilities are being discovered every day. Patching remains the solace of the susceptible which lags the threats and their discovery. Evolution of defense strategies offers newer ways to safeguard the data but they come with a cost that is unpalatable to many enterprises. Challenge lies in non-existent to thin security budgets. Business expectation of quick and dirty solutions does not allow for adequate time to create secure solutions.

In conversation with a few CXOs, they expected regulators to enforce spends on security; according to one, spends will stay muted unless it is mandated. Another had instructed his CISO to find low cost or open source solutions; alternatively to selectively deploy security for specified endpoints or applications leaving the rest protected with basic anti-virus. To him no evidence of leakage imprtlied that all systems are well protected; head in the ground appears a good way of declaring enterprise information assets secure.

It is contingent upon senior enterprise leaders, CXOs and Boards to take up the cause and demonstrate leadership starting with visible endorsement of security for all information assets. Risk Committees are at risk should a breach become high profile with loss of credibility and customers losing trust. Recovery from such incidents can be long and painful consuming higher budgets and efforts than planned interventions; and when something does go wrong, necks roll. There are many examples of breaches claiming CIOs and CEOs tainting their illustrious careers.

It is upto IT organizations to include security by design into every new system they plan to build or buy. New technologies do offer opportunities to create secure solutions and they do not necessarily come from current industry leaders in solutions or security. The world is connecting in a way never imagined before. Collaboration has extended beyond B2B, B2C, C2C, E2C, C2C, to M2M, and new paradigms are created every day. Reality is the innovation wheel is spinning faster and faster, where are you in the game ?

Someone had quipped “You cannot do today’s job with yesterday’s tools and expect to be in business tomorrow”. And I agree, do you ?

A discussion with the CEO on server and storage sizing

It was time to refresh the data center with existing infrastructure completing its lifecycle; some of the equipment was end of life with no support available, the rest needed replacement to ensure that the company stays current with technology. The IT team gathered all the data and statistics on usage to arrive at new configurations that will serve them for the next 3-4 years. All interested vendors contributed to the technology evaluation with differentiated solutions promoting esoteric features that normally don’t matter.

The team assimilated the information overload with judicious sifting that created a clear picture aligning the need to the offerings. It was a fair comparison where technology took precedence over comfort with any specific vendor or technology. To be doubly sure, the team reached out to peers and seniors across the industry to validate the recommendation. After a few iterations, all of it came through as good to go. To conclude the exercise, a presentation was prepared for the CEO who would needed to approve the budget and bless the project.

The CEO was known to be a technophile who kept the CIO and the rest of IT on their toes; he was well read, well connected and at times deep dived into finer details that most techies would find hard to hold a conversation. He was the force behind the company adopting IT in the way they did, spending judiciously and yet remaining current with industry evolution; recent times had seen a slowdown in investments and it was time to play catch-up. D-day arrived and the CIO along with the team was ready to present.

Why have you chosen the configuration that you present ? What are my options with engineered systems or for that matter Public Cloud ? Why do I need to invest in 50 TB of storage upfront; how can I stagger the deployment ? Why have you chosen 12 core processors over 16 core ? Why not 1.2 TB disks or SATA drives which offer higher capacity ? Why is the number of VMs so low per physical box ? Where is your Cloud strategy ? The discussion went on for an hour with the CEO throwing question after question at the team.

The team could field only some and ran out of answers after some time; they promised to rework the solution with clarifications sought and inputs given. They were not expecting the kind of questions asked, they had prepared the business case based on transaction volume, new systems underway and planned, business growth and new initiatives that the business had planned over the next few years. It was as if the tables had turned on them with the CEO going technical while they had focused on business outcomes.

Is this a reality for large number of CIOs or just an exception to the rule where CEOs and CXOs rarely get into technology discussions citing ignorance and the fact that they find technology unfathomable ? Scanning the horizon I find that this breed of techno savvy CXOs is beginning to grow; they may not be able to differentiate between SAS and NL-SAS drives or size storage based on IOPS, they do understand basics that matter and are able to hold their own based on reasonable understanding of technology; all thanks to tech going mainstream media.

This world is antonymous to the world I wrote about last week (My CFO thinks he knows technology). There are people who know technology and use their expertise where it matters and there is a breed who thinks who know and want to show off in various forums. The first engage and challenge you to find better solutions, the other group ends up being a pain with their pseudo expertise. It takes little effort to see through the façade of the latter who can derail the best of hard work by seeding random thoughts of doubt.

Having worked with both camps, I found that opportunities can be created with the technophiles to engage and innovate depending on your risk appetite and ability by staying updated with finer nuances of technology. This may sound contradictory to the well beaten drum that CIOs need to move away from technology to business; my view is that CIOs cannot leave their foundations for purportedly greener pastures; they need to stay grounded in their domain while learning the newer skills and moving forth.

After all if the CFO does not know about IRR, NPV or ROA (Return on Assets), s/he will become a liability to the organization !