Photo Credit

Virtual Machines Pose Real Security Threats

When you become CIO, you already know that IT security is going to be one of your biggest and least rewarding challenges. If you do a great job at it, then nobody will ever know and you’ll get no credit for it. If you do a poor job, then everyone will know and you’ll get all the blame. That just goes with the CIO job.

In the future, CIOs are going to have a whole new set of security issues that come along with the popularity of virtual machines. The rules for how best to secure these boxes that really aren’t boxes have not been established yet. What can you do to make yourself ready to take on this new challenge?

Just What Is A Virtual Machine?

Before we dive in and start talking about security, let’s make sure that we’re all onboard when it comes to just exactly what a virtual machine is. Awhile back, some very smart folks (a lot of who happened to work at a company called Vmware) realized that most companies were deploying one application per server in their data centers. One for email, one for web hosting, etc.

It turns out that as servers got more powerful, this was incredibly ineffective – most of the server’s processing power was not being used. The smart people created what they called a virtual machine (or VM) – software that sat on the server between the actual server hardware and the operating system that was running on the server. You can sorta think of it as a lower level operating system

Once this VM was in place, they discovered that they could run multiple operating systems (and then of course multiple applications on top of those operating systems) on each individual server. When they did this everything was isolated – if one operating system crashed, it didn’t interfere with the other operating systems / applications running on the same box.

As you can well imagine, this has turned out to be an incredibly popular way to reduce the number of servers that have to be deployed and maintained within a data center. However, it has also opened the door to some nasty security problems…

The Problem With Virtualization Security

Oh sure, you THINK that you know how to secure a data center – lock down all of the network ports going in and out, and then take steps to make sure that you know which staff are allowed to enter and leave. Oh oh, when your servers stop being real physical boxes and start to become virtual images, now you’ve going to have a whole new set of problems to deal with.

Cameron Sturdevant has been looking into just how we can go about securing the brave new future of virtual machines and he’s uncovered ten new issues that you are going to have to be able to deal with:

1. Moving Too Fast: since virtual machines can be set up and put into operation much quicker than a real server can, you’re going to have to set up some sort of review process in order to keep things under control.
2. Redefine Your Boundaries: it used to be simple to be able to keep the important things inside the data center and the threats outside when everything needed a physical box. Now that things are going virtual, these boundaries are getting more murky and you will have to spend the time to redraw them.
3. Killed By Quantity: since it’s so easy to set up a new virtual machine, you’re going to be facing an explosion of them. This means that you’re going to have to establish a policy to determine when a new virtual machine needs to be deployed and when it needs to be turned off.
4. Moving Day Is Everyday: since virtual machines can easily move from box to box, you’re going to have to lay down the law in order to make sure that the new server has the appropriate security policies in place in order to support the applications that will be running on it.
5. Not The Same As The Old Boss: both the tools and the policies that used to work in the world of “real” servers won’t necessarily work in the new world of virtual servers. You’re going to have to find / make new ones.
6. Virtual Tools: in order to police your virtual machines, you are going to want your security tools to run on virtual machines also – makes sense, doesn’t it?
7. Cutting Costs: how many CPU cycles your virtual security tools take up will be a huge deal very quickly. The rule of thumb is for them to take less than 2-3% of the CPU’s cycles.
8. Policy Update Time: not only will you need fancy new tools, but you are also going to need to update your staff on just how one goes about securing virtual boxes. Can you say special training?
9. Where To Focus?: the experts suggest that you spend your time securing both the virtual machine and its applications and don’t worry so much about the underlying virtual machines. The thinking is that virtual machines are by design isolated from everything else so they are more secure.
10. Get Some Relief: look for virtual machine management tools that will allow your staff to automate the processes of configuring and deploying virtual machines as much as possible in order to minimize security slipups.

Final Thoughts

Like it or not, when you become CIO you’re going to be living in a virtual world. All of the clever security tools and policies that we’ve created in an attempt to secure the world of physical servers that we now live in are not going to work in the future.

Your challenge will be to find ways to secure the virtual data center while at the same time keeping your IT staff’s workload at a manageable level. The good news is that this can be done, the bad news is that you’re going to be in uncharted territory. Good luck future CIO…!

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Everybody wants their IT services for free. When you become the CIO, you’ve got to find an answer to the ugly question of just who’s going to pay you for all of those fancy IT services that your department can provide.

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: align tech, business executives, infrastructure management, it adjustment, it alignment, it alignment definition, security, virtual data center, virtual machines, Virtualization Security

CIOs Know That Security Threats Can Strike At Any Time

Ok CIO wannabe, we’re right in the middle of a global financial crisis and your IT budget has gotten slashed so much it looks like Freddie Krueger has come back and had his way with it. What are you going to do about your spending on security programs: cut ‘em, hold the line, or spend more. Whoops – that was a trick question: all of the answers will get you in trouble.

What The Other Guys Are Doing

Before making any big spending decision, any self-respecting CIO will do what all leaders do – try to find out what the other guys are doing in the hopes that you can just copy them. Well, in this case you’ll be getting mixed signals.

A survey done by Information Week magazine revealed that 19% of CIOs are cutting their security spending. On top of that, only 27% of the surveyed CIOs are planning on increasing their security budgets – that leaves roughly 50% doing the same old thing.

Its starting to look as though the final remaining sacred cow of IT budgets, spending on securing the enterprise’s IT assets, has finally fallen under the budget trimming axe. This is an excellent opportunity to learn how to be a better CIO: cut too little and the company goes under, cut too much and the company may get sued when your defenses are breached.

What’s Worse: Poisonous Snakes or Sharp Knives?

Here’s another part of your CIO quiz: when your security budget comes under fire and you know that you’re not going to be able to save the whole platoon, who do you pick to live and who do you let die? Tough call eh? That Information Week CIO survey revealed that most CIOs have decided that any security program that deals with compliance in some way, shape, or form needs to be saved.

In the end, CIOs are finally starting to realize that an effective corporate IT security policy consists of just two things:

• Managing Risk
• Protecting Data

Don’t Forget About The Angry Natives -
How CIOs Prioritize

If the job was easy, then anyone could be a CIO. The CIOs who get it, those who understand what effective IT security is really trying to do, know that the first thing that they have to do is to determine the company’s overall appetite for risk. If the company has an appetite for a lot of risk, then the CIO can trim the IT security budget to the bone. Otherwise, cut with care!

Successful CIOs realize that the right way to go about setting up an IT security program is to start by realizing that you can’t protect everything to the same level and so you need to identify what IT assets are the most valuable to the company. Once you know this, you need to take the next step and estimate the likelihood that those assets might be lost.

Only after you have both of these pieces of information can a CIO have the IT team start to create security programs and put systems of controls in place to protect what needs to be protected. Although compliance programs are on everyone’s minds in these tough economic times, CIOs need to keep in mind that such programs are not always in line with security best practices.

Final Thoughts

If you want to have any hope of ever being a successful CIO, you’ve got to learn to be able to make the tough calls when it comes to funding corporate IT security programs. Although putting measures in place in order to make sure that the company remains complaint with regulations is good, it’s not nearly enough.

Taking the time to properly value your corporate IT assets and identifying what kinds of risks this data faces is the critical first step that too many CIOs skip over. Take the time to do this correctly and you’ll be well positioned to deal with poisonous snakes, sharp knives, and angry natives. Now if we could just find some way to deal with those pesky rampaging elephants…

What do you think should be a CIO’s #1 security concern: remaining in compliance or dealing with the security threat that comes from outside?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Ok all you CIOs wannabes, guess what one of your first problems is going to be once you assume control of the IT department? No, not that innovation thing. Nor will it be finding new ways to cut costs. Somewhat amazingly considering that we are living in the enlightened 21st Century — you will need to find more women…

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | 2 comments | Add to del.icio.us
Post tags: align it, appetite for risk, business alignment, business it alignment, compliance, it alignment, IT budget, IT security, IT security budget, managing risk, protecting data, risk, security

CIOs Know That Insiders Represent The Biggest Threat (c) - 2004

When you think about someone trying to make off with your company’s private data, what comes to mind? Some wily Russian hacker who sneaks into your company’s network through the backdoor? Perhaps you need to update your thinking. A recent report from Cisco revealed that the real threat is coming from insiders. What’s a CIO to do?

Identifying The Threat

By now all CIOs realize that their corporate networks and data are under almost constant assault. However, most of the steps that CIOs have taken to secure their networks have been designed to defend themselves against the attacker who comes from the outside.

Information that was revealed in the Cisco report included that workers are sharing corporate information with outsiders for a variety of reasons. These include sharing data simply in order to get an outsider’s opinion on something, to show off work that they’ve done to others, etc.

On top of the active taking of corporate data, Cisco’s report revealed that some 66% of those who responded admitted to engaging in activities that would allow someone else to access corporate data (things like not logging off and then leaving their computers on at work overnight!)

Data Loss Prevention

If a CIO ever wants to get to sleep again, something has to be done to solve the data loss threat that insiders pose to the firm. There is no magic bullet, but one approach to dealing with this problem is to deploy a data loss prevention (DLP) suite of tools.

In true “big brother” fashion, a DLP suite generally consists of a network scanner coupled with multiple tools that allow an IT department to collect information on what data is being used and by whom.

Before moving forward with implementing a DLP solution, CIOs need to take the time to prepare to use this new set of tools. The steps involved include:

• Secure The Important Stuff: before you go worrying about trying to secure how data is used throughout the enterprise, first identify the most important data and ensure that it is locked down.

• Close Your (Network) Doors: before you can worry about insiders doing you harm, you need to make sure that outsiders can’t get in. This requires analyzing both your network ports and the protocols that the company’s network is using to make sure that they are secure.

• Create A Baseline: in order to detect when the wrong things are being done, you need some way to detect them. Creating baselines such as point-in-time content signatures for sensitive data stores is a first step in doing this.

• Start Inspecting Traffic: the way that you can prevent information from going to internal sources that don’t have a need to know is by installing automated network traffic inspectors. Setting parameters so that notifications of data breeches are flagged will do a great deal to prevent data loss by internal threats.

Final Thoughts

The value that a CIO brings to a firm is that he / she is able to harness IT resources in order to help the company succeed. As part of this task, the CIO is also responsible to make sure that sensitive corporate data remains secure from both external and internal threats.

CIOs that learn how to deploy DLP solutions in order to protect against the data loss threat from insiders will be better at finding ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Since most firms have no idea about what to do with their corporate research facilities, responsibility for the labs often falls under the control of the CIO (because most firms don’t know what to do with IT either). Great. So what’s a CIO to do when he/she is responsible for a corporate R&D lab?

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | One comment | Add to del.icio.us
Post tags: align it, business alignment, business it alignment, Cisco, corporate data, data loss, Data Loss Prevention, DLP, hacker, insider, it alignment, threat

CIOs Need To Solve Their ID Management Crisis(c) 2007

As though keeping all of those servers up, applications running, and end users happy seems like enough to make being CIO a full-time job, now CIOs also have to take on the role of data cop? The answer to this question is “yes”, in all honesty, they really should already be doing it. Most company’s most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.

Just What Is Identity Management?

Identity management is how an organization controls access to its information based on an individual’s rights and responsibilities. It turns out that most IT shops have been doing a pretty poor job of this.

All too often most of us rely on our old friends Mr. Username and Mr. Password. How many dictionary based cracking events do we need to see in the movies in order to convince us that this is a very poor way to secure our data?

The right way to start to authenticate identities better is to use a second-factor authentication system such as biometrics, tokens, etc. Additionally, using single sign-on technologies can help you bring disparate systems together and save the end users from having to carry around lists of usernames/passwords.

What’s The Best Way To Do Identity Management?

The first step to creating a workable identity management solution is to establish some policies. These policies need to lay out just who is allowed to access what information. Clearly, if you’re not allowed to use some piece of information as a part of your job, then you shouldn’t have access to it.

One of the biggest pitfalls that is found in IT departments today is the existence of multiple different “silos” of data that end up creating a confusing and mixed up environment for access control. Once again, implementing a single-signon solution can solve this problem.

Final Thoughts

Taking the time to design and implement a good identity management solution is very much like buying insurance for your IT department. You hope that you don’t really need it, but you know that you probably do and it’s the grown-up thing to do.

Taking the time to solve your identity management issues once and for all will allow a CIOs to have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

More firms are committing to implementing those really BIG process digitization projects. More often than not the CIO will find himself / herself in charge of not only the implementation of the new software application, but also the overall success of the project. How do you go about doing that?

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: biometrics, business, CIO, data loss, ID, identify management, identity, information technology, IT, password, policies, risk, second-factor authentication system, security, tokens, username

Application Whitelisting Offers CIOs Another Way To Protect Their Networks

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

What is Whitelisting?

The problem with trying to protect your company’s network is that the bad guys are always trying new and innovative things. In order to block them, you have to stay on top of what the latest attach vector is and install defenses against it throughout your network. This can be a real time waster – it’s critical to do, but it contributes nothing to the company’s bottom line.

Whitelisting applications takes a 180-degree different approach to securing your network. Instead of trying to identify and block all of the bad malware variants that are trying to get into your network, whitelisting focuses on identifying all of the applications that SHOULD be allowed to access your network.

This of course means that you need to block everything that is not whitelisted. The theory is that all that malware that shows up will find the door to your network slammed shut on them.

Whitelisting Is Not For Everyone

In some enterprise IT environments, whitelisting is the wrong way to go. In these environments, using application whitelisting can actually drive up operational costs so high that things quickly get out of hand. Ill-suited IT environments are those in which workers need to be constantly installing new and changed applications on the fly in order to complete their tasks.

Where Whitelisting Works Well

That being said, there are IT environments in which application whitelisting works very well. These environments tend to be very static with very few application changes. A great example of this is call centers.

Another example where whitelisting has worked well is in the retail sector where cash register environments are very static and only need to be updated ever six months. Some companies have discovered that they have been able to do away with anti-virus protection (and the associated cost of maintaining it) on those machines.

Final Thoughts

The fight to secure the company’s network from the forces that would do bad things to it is never-ending for CIOs. However, this is not what CIOs should be spending their time on – there is not a bottom line benefit.

Whitelisting of applications provides yet another way to secure the firm’s network by taking a novel approach to security – don’t worry about identifying the bad guys, just worry about identifying the good guys.

Whitelisting won’t work for every environment, but in certain static IT environments it can work wonders. CIOs who can identify the right IT environments in which to use application whitelisting will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

Most company’s most valuable asset, after their employees, is their corporate data. CIOs need to find a way to make sure that they know who is accessing it and why.

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | 3 comments | Add to del.icio.us
Post tags: Anti-virus, Application, bottom line, business, CIO, information technology, IT, IT project, malware, risk management program, risks, security, security policy, whitelisting

Just imagine this scenario: you’ve just been made CIO of your firm when all of a sudden one of your competitors suffers a massive data loss because of outside hackers. Your CEO storms into your brand-new office and demands to know what you are doing to secure your firm’s data. What would you say?

The Old Way Of Doing Things

Good CIOs realize that a firm’s IT infrastructure can’t just be thought of “those boxes”. Instead, an IT infrastructure consists of three layers of devices: core servers and perhaps mainframes, a set of network connectivity devices such as routers and hubs, and then endpoints – the PCs and laptops that you and I use every day.

IT Networks Consist Of 3 Separate Levels Of Equipment

Since there are more endpoints than any other type of equipment in most corporate networks, CIOs realize that this is where must of their company data loss efforts must be focused.

In the past, securing network endpoints often meant that all one had to do was to load up some anti-virus software on every laptop and you could check this off of your CIO to-do list. Sorry – that no longer works.

Welcome To The Real World

As we enter the brave new world of policy management, we are seeing a shift to policy-based enforcement being used to control company data that is being used on enterprise network endpoints.

Using policy-base management of endpoints allows multiple areas to be managed. These areas include:

• Configuration
• Patch
• Access
• Application
• Anti-virus

The Case For Using Policy-Based Management of Endpoints

Let’s face it – we are all have too much to do and too little time in which to get it all done. Establishing corporate IT polices allows a set of rules to be laid down that tell everyone what is and is not permitted. When you extend these polices to cover how you manage the endpoints of the company’s network, then all of a sudden you’ve made your life that much easier.

Policies allow you to prioritize the company information that you want to protect. Once you identify this information, you’ll then be able to realize just how much of it is being stored on the endpoints!

This new understanding then allows you to set up a systems security approach to making your PCs and laptops safe. By doing this you’ll be able to ensure that your network endpoints are now secure places to house that valuable corporate data.

Final Thoughts

There’s no way that any one person in an IT department can make sure that all of your PCs and laptops are secure all the time – even if you are the CIO. Yesterday’s piecemeal approach of placing an anti-virus application on each PC and then considering the job done was a poor solution.

Using a system’s approach and establishing company policies for how management of endpoints should be done sets up a much simpler way of ensuring that all endpoints are secure. CIOs that do this will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

It’s a battle out there: hackers and organized crime groups vs. your company. Whereas you have to worry about keeping the company successful and lowering costs, all they have to worry about is finding ways to break into your network. Doesn’t seem very fair, does it? There is some good news for CIOs: application whitelisting has arrived.

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: Access, Anti-virus, Application, business, ceo, CIO, Configuration, information technology, IT, IT project, Patch, risk management program, risks, security, security policy

CIO's Realize That A Good Security Program Requires A Good Set Of Policies

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no.

How Policies Make A Security Program Work

Securing a firm’s systems and data is a daunting task. The first step to successful doing this is to develop a risk management program that captures and describes all of the various internal and external risks that your firm is currently facing. Next comes the prioritization which allows you to determine which of these risks is most likely to affect your firm – all risks are not created equal.

Once you have prioritized the risks that your firm is facing, the CIO needs to step in and make sure that a program of actionable policies is created in order to secure your systems. All too often, this is the step that gets skipped and no matter how much technology you throw at the security problem, if you don’t have a good set of polices you’ll never be able to secure your systems.

Polices Secure Your Systems From Day-To-Day

What too many CIOs tend to forget is that the key to any company’s security program is the human element and you manage this by having a clearly understood set of policies in place. Creating the policies is a first step, making sure that everyone knows about the policies and is living them are the next steps.

Kevin Mitnick is a reformed computer hacker who tours the country talking to businesses about the importance of securing their systems. I had an opportunity to hear him talk recently and it was amazing to hear how he acquired the information that he needed to break into company computer systems.

Kevin used a technique called “social engineering“ in which he would basically call up someone and ask them for sensitive system information. No matter if the firms had a corporate security policy in effect, Kevin was basically able to get the people that he called to violate it. No, they weren’t angry with their company, they were just trying too hard to be helpful. That’s what can happen if you don’t have security policies that are well known by everyone.

Final Thoughts

Doing a risk analysis and prioritizing the results is easy for IT professionals to do. However, creating policies that need to be followed by humans and then actually convincing their coworkers to follow the policies can be a real challenge.

A CIO can ensure that security policies will be successful by publicly stating his / her support for the policies and then by following them. Everyone will know if the CIO takes the polices seriously and by showing that you do, you will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have security policies in-place? Have these policies been communicated to everyone? Do they understand them? How can you tell if they are following them? Are you following them? Does anyone know that you are following them? Leave me a comment and let me know what you are thinking.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

So picture this: you’re a CIO and you desperately want to be seen by the rest of the C-level executives as something more than a simple cost center. What to do? If only there was some way that you could tap into all of that incredible creative energy that we all know lives in the IT department…

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | 2 comments | Add to del.icio.us
Post tags: business, ceo, CIO, information technology, IT, IT project, Kevin Mitnick, risk management program, risks, security, security policy

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens that would prevent this from happening. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that

nothing bad happens

to a firm’s IT systems?

The Job Of Vulnerability Management

The first step in ensuring that a firm’s IT systems continue to allow the company to move forward is to come to terms with the real world. This means that CIOs need to acknowledge that the world can be

an ugly place

and there will always be outsiders

who want to do harm to your firm

. The person in the firm who will be most interested in what is being done to defend against attacks on IT systems will be the

CFO

. When discussing vulnerability management with the CFO, the CIO needs to explain that at its heart it’s really just the principles involved in

risk management

combined with

practical logic

and an understanding of

business value

for the firm.

How To Do Vulnerability Management

Although a CIO won’t actually perform the process of Vulnerability Management, he /she is responsible for ensuring that the program is

set up correctly

. This means that the three key components of a Vulnerability Management program need to be put in place:

• Data Collection Needs To Be Integrated: Attacks on your IT systems rarely show up all at once. Instead, there is a sequence of minor events that occur as your defenses are probed looking for weaknesses. Having all of your data on system configurations, patch status, and access management polices in one place is a critical part of providing you with the ability to identify issues and respond proactively.

• Prioritize Based On Business Value: Look, we are all busy and have too little time and budget to begin with. If you understand the value of each IT system, then you can allocate resources appropriately. Not all events require a full blown response – low value systems can be monitored further. Defenses for such can be augmented on your schedule as opposed to on an emergency schedule.

• Improve, Improve, Improve: Vulnerability management is not something that can be done once and then forgotten about. The world is constantly changing and your program will need to be constantly being refined to adapt to new threats.

Final Thoughts

A CIO can do a great job of empowering the rest of the company to accomplish wonderful things; however, if the firm’s IT systems are compromised then all of the good that he/she has done will be

forgotten in a flash

. A well executed vulnerability management program provides a way to defend the firm against a cruel world. CIOs who follow the three steps that we’ve discussed will have

found a way

to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have a vulnerability management program? Have you taken the time to assign a business value to each of your IT assets or does everything have the same value? Do you constantly refine your vulnerability management program based on changes in you IT systems and the direction of your business? Leave me a comment and let me know what you are thinking.

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no…

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | 2 comments | Add to del.icio.us
Post tags: business, ceo, CIO, information technology, IT, IT project, security, Vulnerability Management

Data Security. There I said it. It sorta lays there like a big lump of coal and everyone in the company stands around looking at it wondering who’s responsibility it is to do something about it. Nobody, including CIOs really wants to touch it for one very simple reason: it’s a losing proposition.

How To Make Friends With Your CFO

Data security, despite being big, heavy, and ugly, always seems to end up in the CIOs lap. Since you really can’t do anything to prevent this, it sure looks like this is  a great opportunity to try to turn a liability into an asset. Ericka Chickowski over at Baseline magazine has taken a look at this issue and come up with some interesting ways to help CIOs work more closely with CFOs. It all starts with compliance. Now compliance is just about as exciting as security; however, firms are willing to spend the big bucks on making sure that they are compliant because they know that there are potentially some big financial penalties if they don’t. It is the clever CIO that sits down with his / her CFO and explains that the company’s data security program can be thought of as an extension of its compliance program. What this means is that you don’t really need a separate program and your costs should be much lower. What CFO wouldn’t be interested in hearing that?

Get Your Priorities In Order

One of the things that the CIO can learn from the compliance side of the house is that a critical first step is to make sure that you prioritize the company data that you are going to be protecting. All data is not created equal! What’s interesting here is that the importance of any single piece of information is based on two things: its value to the company and its role in keeping the company compliant. If your firm was a hospital, then clearly an electronic patient record would fall into the “top priority” bucket .

Act On Your Priorities – Not Necessarily Your Compliance

The level of protection that the IT department needs to surround a given piece of information with will depend on the result of this prioritization. I hope that you realize that this is just a fancy way of saying that there is some company data that you DON’T have to protect (or at least not very much). Just about now you’d expect me to say that you should always go all out to protect ALL of your company data that is involved in a compliance program. But I’m not going to do that. Chickowski points out that not all regulations are created equal. In fact,  some have fairly weak “teeth”. These are all things that the CIO and the CFO need to understand as they create a data protection plan / compliance program for the company. Spend those limited budget bucks to make sure that the important data is secure and then do what you can for the rest

Final Thoughts

Within the company, the CFO ALWAYS wields more power than the CIO – money talks. Folding a company’s data security program into its compliance program is a great way for a CIO to work closely with the CFO and end up saving the firm money (always a good thing) and ensuring that it is both compliant and its data is secure. In addition to providing a CIO with a reason to talk to the CFO that doesn’t involve begging for more money, an agreement about securing the company’s data can allow CIOs to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your company have separate compliance and data security programs? Does your CIO talk with the CFO about how best to secure the firm’s data? Do you prioritize your data or is it all treated as being at the same level of importance? Leave me a comment and let me know what you are thinking. Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

What We’ll Be Talking About Next Time

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens that would prevent this from happening. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | One comment | Add to del.icio.us
Post tags: budget, business, CFO, CIO, compliance, compliance program, data security, information technology, IT, security, security program, strategy

Kevin Mitnick is a reformed computer hacker who now provides security consulting

I had an opportunity to attend a very large IT health care show up in Chicago awhile back and I was surprised to discover that Kevin Mitnick, the somewhat infamous computer hacker, was scheduled to give a speech.

Now even though I don’t move in computer security circles that much, I know about Kevin Mitnick. I know about him because I read Tsutomu Shimomura’s book Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw-By the Man Who Did It. If you’ve never read the book, I can recommend it. In a nutshell, Mitnick was a hacker who had evaded capture until he ticked off Shimomura who is a computer security pro. After he did that, Shimomura went after him with a vengeance and eventually helped the authorities catch him and send him to jail.

Now here in America, we all enjoy a good comeback story and that’s basically what Kevin’s been living. He has reinvented himself as a computer security consultant and by all accounts appears to be making a very nice living for himself.

Kevin Mitnick's Business Card Contains Lock Picking Tools - Talk About Unique!

Since getting out of prison, Kevin’s been quite busy. He’s an author and he’s written two books: The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers.

Kevin is actually a pretty good speaker. The focus of the speech that he gave was to remind CIOs that no matter how much they have invested in firewalls, RSA tokens, and passwords that change every 90 days, it’s social engineering that they need to fear the most.

Kevin’s speech basically consisted of stories in which he would tell how he had broken into various computer systems using a variety of low-tech methods. These included making phone calls and asking for cell phone source code (thanks Motorola!) or simply doing dumpster diving to collect scraps of paper with usernames and passwords on them.

Kevin pointed out that one of the most valuable items that he had ever gotten his hands on was the corporate directory for GTE. Once he had this, he had everyone’s phone number and knew who was the boss of who. With this info, he could place calls to get more and more information.

Kevin’s stories and his continuing success on the right side of the law this time should serve as a reminder for all of us that at the end of the day, it’s the people who work in an IT department that are your weakest link in security. If you fix this issue, then you’ll be much closer to having a secure organization.

Have  you ever had a problem with someone trying to gain access to your department / network by using social networking? What do you do to prevent “dumpster diving” from being successful at your place of work? Would you ever hire a convicted hacker to help you improve your cyber security? Leave me a comment and let me know what you are thinking.

No related posts.

© Dr. Jim Anderson for The Accidental Successful CIO, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: business, CIO, computer security, dumpster diving, GTE, hacker, hacking, information technology, IT, Kevin Mitnick, Motorola, security, social engineering