Security as a Strategy (SaaS)

IT: Strategic investment or cost of doing business?


My view is that whether IT is a strategic investment or a utility cost depends on what the company needs information technology to do. If information technology is a key element of the firm's product, service, operations or strategy, then IT should be viewed as a strategic investment.

Wal-Mart, which uses information technology to drive costs out of its supply chain, is a good example. Wal-Mart, which one does not think of as a technology company, is in fact a leading force in the adoption of new technologies such as Internet-based EDI and RFID.

On the other hand, if information technology is not a key element, then it should be viewed as a cost of doing business, seeking to maintain acceptable levels of service with managed levels of risk, at the lowest cost.

Of course, there are several positions that a firm may take between these two ends of the spectrum. One may view IT as a strategic investment but still not be leading the charge for new technologies, as Wal-Mart is doing. On the other hand, one may view IT as a cost of doing business yet still make significant investments in new systems as a platform for growth.

What's needed, then, is for management to step back and decide what the objectives for information technology are, how well the current systems satisfy those needs, and what actions, resources and spending are needed for IT to meet those objectives--in other words, an IT strategy.

Jumping on the Presidential Bandwagon


Recently President Obama warned city mayors not to waste money coming from the newly passed stimulus bill. He warned that mayors who get caught will be called out. I say we should adopt this stance with regard to spending in general, and specifically to spending on information/computer security.

There are hundreds of reports, interviews, blogs, etc. that constantly advise anyone and everyone that security is critical to our infrastructure, privacy, business success, and so on. Yet security incidents continue to happen. Let me also state a well-accepted tenet: there are some very smart hackers out there that no realistic security budget will be able to defend against all the time. But many incidents occur because a system was not configured correctly (even though procedures are available); an administrator turns malicious; patching does not occur in time; staff members (IT and end users) are not adequately trained, etc.

What I am advocating, similar to the President's message (warning), is a method of calling out organizations when an incident occurs that can be directly related to some issue other than the "smart hacker".

Basically my idea is to publicly (or at least to shareholders) demand to know how a security incident happened. What was the underlying cause of the breach? Why was this allowed to happen? How did it happen? Were users not adequately trained? Were readily available security configurations applied? Are all current security patches installed and operational?

The answer will commonly be a lack of funds, and to some degree this is acceptable. The fact is that if there is no money in the budget, there is no money - period. And it is true that some security devices, not to mention consulting, can be rather expensive. I am also referring to reasonable security requests/initiatives, as I am not in favor of just giving security departments a blank check, which we all know is unrealistic. But after an incident has happened and the press/public/government (take your pick) are eager to know what exactly happened, someone should be able to tell them. If security budgets were inappropriately used or cut below levels that provide a solid security baseline posture, then let's call these practices out. Let customers know why this happened and what, if any, internal measures were taken to hopefully reduce the chances of this happening in the future.

What Has the Heartland Systems Data Security Breach Taught Us and is PCI Compliance Enough?


Heartland Security Systems has been slow to release detailed information about its data breach, but we know that after being notified by Visa about a high number of fraudulent transactions, it took them at least two weeks to find the source of the problem--malware. More specifically, a Trojan with the ability to sniff data on its network systems. What's significant is that the hackers targeted the sensitive magnetic stripe data as it was being transmitted, not information stored in a database. After all, since one of the core requirements of PCI is that the magnetic stripe data should not be stored, where else can hackers get it, right?

According to released reports, Heartland invested in the security products and audit processes required to comply with the Payment Card Industry Data Security Standard (PCI/DSS), but this did little to thwart a serious exposure of consumer credit card data or to help them detect that they had been compromised.

Security professionals have for the longest time touted PCI/DSS as a reasonable level of care necessary to keep a business handling this sensitive data from being compromised. I believe it has helped tighten security in a lot of ways, but at the same time I also believe it has given a somewhat false sense of security to many CEOs and corporate security decision makers. PCI compliance does reduce the risk of security incidents, but it in no way guarantees that an organization is secure. The fact that the attack on Heartland was only discovered after receiving a high rate of fraudulent transaction complaints is proof that PCI/DSS compliance is not enough to secure an organization, nor any guarantee that a Heartland-style data breach will not happen again. It took experts several weeks to find the attack, even with advance knowledge that the malicious code was alive on the network.

PCI's preventive measures could not thwart the attack, and the manual audit that was performed took weeks to discover the malicious code.

Are hackers just as bold as ever because corporations have been lulled into a false sense of security by regulations like PCI? 

I say yes… but bear in mind it is impossible to create an environment where you are 100% protected from a data breach. Unfortunately, without great advancements in technology, data breaches are going to continue for the near future. What's important is how you respond, how you detect, and how you manage and mitigate the risk.

In my opinion, the best proactive protection against data breaches is proper employee training and education and the implementation of robust security tools on an on-going basis.
