If consumers weren’t skittish enough, Home Depot recently joined the rapidly lengthening list of big box retailers experiencing sometimes prolonged data breaches: Albertson’s, Dairy Queen, The UPS Store, Sally Beauty, Target, Michael’s, Neiman Marcus, P.F. Chang’s and SuperValu.
More than a few Chief Information Security Officers (CISO) must be nervous. In fact, it may be forcing corporations who do not have a CISO to rethink that strategy. Often the CISO position is folded in with or serves under the Chief Information Officer (CIO) or even, if the CIO reports to the Chief Financial Officer (CFO), as is the case in some organizations, two layers under the seat of power. So, the person charged with security risk management may not have the authority to get things done.
With the recent spate of high profile data breaches, translating the message up the chain or even the perception that the CISO’s job is not important enough to be a direct report may not cut it anymore. Shareholders and customers want answers.
Consumers also are flocking to convenient online sites, where they have few other choices than to use a credit or debit card.
Data breaches, whether prolonged or short lived, especially those that compromise customer information, are black eyes that eventually will force consumers to keep their credit and debit cards at home. Having the man or woman in charge of mitigating IT risk fairly far down the food chain doesn’t look good, no matter whose ear he or she may have.
Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.
I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.
Consultants, Use of
Identity & Access Management
Operational Best Practices
Physical Information Protection
Strategy & Planning
Technology Lifecycle Management
Approximately 50 companies participated in the survey, representing 11 industries.
Summary Findings from the SecurityDreamer Research
While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included
- Security operations centers
- Virtual command centers
- Security information management systems (SIEM, PSIM)
- Networked cameras and sensors at high-risk facilities
CSOs and CISOs complained that their greatest business challenge is metrics: Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.
Most Surprising finding of 2012
Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys. Continual Improvement (a la Baldrige, Kaizen, Six Sigma, etc) appears to be the primary motivation. Security executives realize that much of the know how of security operations resides in the heads of its local security managers. In a hope to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.
Least Aware of This Threat
Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least. Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against it.
Least Prepared for This Threat
Two related concepts represent the threat for which nearly all security executives feel least prepared to address: Social engineering and physical penetration. Every security executive confessed that confidential company information was as risk of social engineer attacks (phony phone conversations, pre-texting, impersonation, spear-phishing, etc.). Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc) by
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors
- an internal attacker of any type
I hope you can catch me this week (September 19-23). Either attend a webinar on secure uses of the Cloud, or grab my lapel as I walk the show floor at ASIS in Orlando.
Here’s info on the webinar. Wednesday, Sept 22, 1-hour Webinar titled “Xerox and Cisco: Partnering in the Cloud”. I’ll be speaking along with Bill McGee from Cisco, and RG Conlee from ACS, a Xerox Company. I’ll explore the true benefits of using the cloud, understanding and mitigating the risks of the cloud, and how to best prepare for using the cloud. I hope you can join me.
At ASIS – the largest physical security professional conference in Orlando – this week I will be speaking at several private company events, but you can still find me on the floor. I’ll be excited to tell you the developments of the first venture-funded convergence consultancy I’m now heading.
Secure the Business!
SecurityDreamer Events are Back!
We bring together end-user executive decision-makers and influencers from important corporations and public organizations in cities around the world. Hunt Business Intelligence shares recent research findings and everyone learns and laughs together.
Did you miss SecurityDreamer at the Hard Rock Cafe in Atlanta? Did you miss the SecurityDreamer PSIM work group in DC? How about SecurityDreamer at the David Burke Restaurant in Vegas or at Margaritaville, The Botanic Gardens, Around the Coyote Art Gallery and many more interesting fun venues.
SIGN UP. If you are interested in attending our unusual, invitation-only events, tell me a little about yourself in an email steve (dot) hunt (at) huntbi (dot) com.
There is a problem with honesty in this security industry of ours. Far more of a problem in the physical/homeland security indsutry than IT/cyber security. the difference? Critics.
The IT/cyber security industry has dozens of knowledgeable, influential industry analysts constantly pushing end users, VARs and manufacturers, (vendors) to higher levels of performance, quality and customer service.
The physical security had none before I showed up on the scene when I directed my research team at Giga Information Group (later Forrester) to begin tracking trends in physical security in 2000. I kept thinking I would spark industry improvement in physical security and homeland security by inspiring dozens of industry analysts to cover the huge industry. Instead, vendors reacted with their panties in a bunch and most consultants I spoke to were chicken-shits, with not enough balls to tell Lenel or SoftwareHouse or Bosch when they smelled snake oil, or when product development aimed low.
So in 2005, I left my job as head of security research at Forrester and opened the first industry analyst firm in physical security – thinking for sure that THAT would start the trend.
I was partly right. A few “analysts” popped up afterwards. Forrester and Gartner dabbled in physical security half-heartedly for a few months after I left. Frost & Sullivan later beefed up their particular brand of analysis combned with their trademark (and dubious) “awards.” More on that another time. INS also started making noise.
Finally, some “serious” critics emerged. Jeff Kessler, the long-time Lehman analyst, brought intellectual rigor to financial critique of the entire industry and specific niches. And John Honovich carved a niche for himself becoming the preeminent critic of IP video solutions.
I am very grateful for John and Jeff. They largely validated my belief that the physical security industry had room for and could benefit from piercing, honest criticism. But I’m sad that there are only three of us. John critiques vendors in the IP video arena on his website, Jeff now works for Imperial Capital and focuses is on numbers, and I focus on best practices for end users. Three different niches, but it’s just crazy that a $170 bn industry supports only three guys doing real industry analysis.
I’ve criticized Frost & Sullivan and INS elsewhere, not to belabor the point here. The shortcomings of their analysis in this industry are obvious to any observer and I don’t need to harp on them. In a nutshell, I’m disappointed when any analyst relies on the word (or dollars) of manufacturers. It is an obvious conflict of interest, and the so-called analyst quickly becomes a shill for vendors, whether they intend to or not. (Hint: they usually intend to.)
If an analyst performs paid work for a vendor, it should be with the sole purpose of helping that vendor improve its products or solve specific customer problems. It should also be done privately.
For example, I’ll allow vendors to pay me to critique and plan their product development road map or marketing strategy – but I don’t write publically available white papers and will never publicly trade whatever I’ve discussed with vendor clients privately. I share my end user research findings with my end user- and investor-customers only.
Analysis should be derived from the analyst’s professional experience with the subject he is analyzing, or by analyzing the experiences of end users. I believe John touches or in some way directly interacts with with every product he writes about, and then bases what he writes on his highly technical knowledge. Jeff is similar. He performs primary research, writes his own analysis of his research based on his extensive knowledge and experience with financial and market analysis, and critiques secondary research. I talk to hundreds of end users each year and systematically analyze best practices (and worst practices) among the users of just about every kind of security technology.
I still think there is plenty of room for honest critique in the physical security industry. If only someone else with the guts would step up.
In honor of being at the RSA Conference in San Francisco this week, I figured I should at least post one IT security blog. Here is an excerpt from the “ship’s log” of my mentor Captain Phil Rosch:
I think the Security industry needs to be more proactive in terms of policing itself. I’ve spent way too much time over the past 6 months fixing machines for friends who got sucked in.
Fixing Charlie’s virus ridden computer wasn’t too hard. I found a detailed set of instructions on the Internet that fit his problem exactly so I just followed the yellow brick road. It’s easy to see how an error screen like the one crafted for the AVG 2011 could suck someone in. http://deletemalware.blogspot.com/2011/01/how-to-remove-fake-avg-antivirus-2011.html
After I blew off the virus, I downloaded Spybot Search & Destroy and Microsoft Security Essentials (both free). The Microsoft scan caught 2 Trojans and the S&D cleaned up all the spyware. The last job in the “tune-up” was to run SpinRite 6 to clean up the physical hard drive.
I really feel sorry for seniors who get sucked in by viruses and crap like you see on TV. Allen Harkleroad, a consumer advocate said “I am 100% skeptical of any advertisement that claims to be able to fix a computer online, and from the consumer complaints I have read online, in the case of DoubleMySpeed and MyCleanPC, it appears that my misgivings were completely warranted.” Allen built himself a new Windows 7 machine with nothing on it and ran all current maintenance.
Next he ran MycleanPC and it produced over 1,000 errors and took him to a page that demanded $89 for the product and wouldn’t let him lose the page.
Check out “DoubleMySpeed complaints” on Google, also MyCleanPC complaints and the CyberDefender Corporation complaints. It seems now CyberDefender is trying to hide who owns the domains they operate, however IP address/DNS lookups don’t lie. CyberDefender responded by sending a legal threat letter, claiming defamation, and demanding the removal of the original posts.
Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.